All, there is no need to pay someone for some fancy firmware, put your miners behind a statefull firewall like an ubiquity edgemax ($70) and just block all inside to outside ip connections that have nothing to do with the pool you are using. Manage your miners via an encrypted vpn (ubiquity supports ssl and ipsec) and you are golden.
Actually if you are running miners behind some NAT (in internal network behind router) - you don't need to worry about firewall I think
You may worry about china soft itself (inbound connections that cgminer make) - for example there are china pools hardcoded for sure
Just now ssh is just very very handy way to manage your miners remotely. And some insurance for cases when WebUI went down.
May be some more things and modifications will come in future (like nxsub support or fan control)