After firewalls are in place, you're not done securing JBoss 3.2.6. At the least, passwords should be set on the jmx-console and web-console applications.
Go to $JBOSSHOME/server/yourconfig/deploy and take the following steps to secure the jmx-console application:
Now do the same for the web-console application:
Besides the above steps, you'll probably want to remove the status application, the HTTP invokers, maybe JMS, etc. An excellent book is O'Reilly's JBoss, A Developer's Notebook. Chapter 9, which is freely available online, walks you through the above steps and much more.
(Re)start JBoss and go get your brownie points from the system administrators!
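A check worth running against the deploy directory once the consoles have been locked down, as an added example that is not from the original post or from JBoss: it walks the tree and reports every exploded web application whose `WEB-INF/web.xml` has no active `<security-constraint>`, treating one that is still commented out as missing. The sample descriptors, the `ExampleAdmin` role and the directory names used in `demo()` are constructed for illustration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample descriptors (not copied from a JBoss distribution).
OPEN_WEB_XML = """<web-app>
  <!--
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>ExampleAdmin</role-name></auth-constraint>
  </security-constraint>
  -->
</web-app>"""
SECURED_WEB_XML = OPEN_WEB_XML.replace("<!--", "").replace("-->", "")

def _local(tag):
    # Drop any XML namespace so DTD-based and schema-based descriptors both match.
    return tag.rsplit("}", 1)[-1]

def is_protected(web_xml_path):
    """True if web.xml has an active security-constraint with an auth-constraint.
    ElementTree discards comments, so a commented-out constraint counts as absent."""
    for el in ET.parse(web_xml_path).getroot().iter():
        if _local(el.tag) == "security-constraint":
            kinds = {_local(child.tag) for child in el}
            if {"web-resource-collection", "auth-constraint"} <= kinds:
                return True
    return False

def unprotected_webapps(deploy_dir):
    """Exploded web apps under deploy_dir whose WEB-INF/web.xml is not protected."""
    found = []
    for dirpath, _dirs, files in os.walk(deploy_dir):
        if os.path.basename(dirpath) == "WEB-INF" and "web.xml" in files:
            if not is_protected(os.path.join(dirpath, "web.xml")):
                found.append(os.path.relpath(os.path.dirname(dirpath), deploy_dir))
    return sorted(found)

def demo():
    """Build a throwaway deploy tree: jmx-console left open, web-console secured."""
    with tempfile.TemporaryDirectory() as deploy:
        for app, xml in (("jmx-console.war", OPEN_WEB_XML), ("web-console.war", SECURED_WEB_XML)):
            os.makedirs(os.path.join(deploy, app, "WEB-INF"))
            with open(os.path.join(deploy, app, "WEB-INF", "web.xml"), "w") as fh:
                fh.write(xml)
        return unprotected_webapps(deploy)

if __name__ == "__main__":
    print(demo())
```

Point `unprotected_webapps()` at `$JBOSSHOME/server/yourconfig/deploy` to audit a real configuration. It only confirms that a constraint is active; it does not inspect packed archives or check which URL patterns the constraint covers.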