first of all you should delete this thread and put it in misc. security where it belongs.

vnc uses 5800 for the java applet (which is better disabled) and 5900 for the viewer. security on this can be increased by using ssh with it. also you FW can be set to only accept incoming traffic on these ports from these spacific ips. if the remotes are using DSL and your assigned dynamic ip's switch to a provider that offers statics. ie verizon does not while covad does. you can take this a step further by using VPN technology