I'm a huge fan of fail2ban. Never assume that your perimeter is impenetrable. Treat everything like it's the interwebz. I've seen really serious compromises that happened through copiers, coffee makers, lights, cameras, refrigerators, door alarms, and cash registers.
Assume for a moment that a family member invites someone over. Should that guest's cell phone be able to surf your network and map all your drives? Maybe download your tax returns or your medical records?