Then there is only one place to go to change and update credentials instead of 1(n) devices to make changes on. The settings can easily just be added to your initial setup template. One example would be an encrypted GRE tunnel, or just standard IPSEC (no tunnel mode).
Why are you allowing the general Internet to get to the management interfaces of your devices? This should all be ACLd off except to known good ranges you connect from or all be done via VPN.