From the internet side, I lock down SSH or administrative stuff to the local network and specific IPs, like work. Inside my network, everything has a password to access, no defaults. VLANs for specific-use servers, etc.
You, diagram? I just keep throwing crap into the mix and trying to remember which VLAN and IP scheme it's supposed to use and which device has access. Order is for work, Chaos is for personal enjoyment.