How about just plainly blocking the most obvious holes, that is telnet and POP? If someone wants a direct telnet connection to a route server or something similar - open a hole with a web-based tool? Ok, then you say all unencrypted www traffic with plain username/pw.. SSH'ing everything back to home base is quite useful :)
--Kauto
