Since it came up with a client this morning, the easiest way to protect and lock-down your remote access is to use your firewall to block/drop all traffic except that which comes from your home IP sub-net. (and of course your vacation home, private yacht, ski villa, sat phone etc.)
[There is actually a bit of obscure tech-humor in the previous statement]
By using this approach you greatly reduce the attack surface of the firewall without the performance impacts of a VPN or other network-wide encrypted transport.
