Edit: better still how about tunnelling the workers in and shutting EVERYTHING else out?
Then people would have to foward ports and use a special client.
Why special client? Are there problems with RPC across TCP/SSH?
And how much more work is it than stopping miners etc all the time? We need to secure these pools, it is as obvious as the nose on your face. I think creighto says the enemy of the good is the perfect. Anything better than nothing.