said by mackey: I'm surprised no one's mentioned the obvious: run it on a random, non-standard port instead of 5900.
Security through obscurity... The SSH route is the best way to go. Additionally, SSH will provide the end user with some other valuable perks such as SFTP/SCP for file transfers. Additionally, you can use SSHD as a SOCKS proxy, effectively giving you a VPN for anything else.
You will get a lot of drive-bys on SSH -- probably more than you would with VNC. But properly secured with public key authentication and password authentication disabled, you'd have a very secure system.
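Added example, not part of the post above: a small check that an `sshd_config` really enforces the key-only setup described, with the VNC-over-SSH tunnel shown as a comment. The function names, the `user@host` placeholder and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Tunnel VNC over SSH instead of exposing it (user@host is a placeholder):
#   ssh -N -L 5901:localhost:5900 user@host   # viewer connects to localhost:5901
# sshd keeps the FIRST value it reads for a keyword; keywords are case-insensitive.
# Assumptions: whitespace-separated "Keyword value" lines; Include files and
# Match blocks are not evaluated.

# effective_value FILE KEYWORD DEFAULT -> global effective value, lowercased
effective_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key); val = def }
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
        tolower($1) == "match" { exit }      # global section ends here
        tolower($1) == key { val = tolower($2); exit }
        END { print val }
    ' "$1"
}

# audit_sshd FILE -> prints findings; returns 0 only if login is key-only
audit_sshd() {
    rc=0
    pw=$(effective_value "$1" PasswordAuthentication yes)
    pk=$(effective_value "$1" PubkeyAuthentication yes)
    # Keyboard-interactive can still prompt for a password (e.g. via PAM).
    kbd=$(effective_value "$1" KbdInteractiveAuthentication "")
    [ -n "$kbd" ] || kbd=$(effective_value "$1" ChallengeResponseAuthentication yes)
    [ "$pw" = no ]  || { echo "FAIL PasswordAuthentication=$pw"; rc=1; }
    [ "$kbd" = no ] || { echo "FAIL KbdInteractiveAuthentication=$kbd"; rc=1; }
    [ "$pk" = yes ] || { echo "FAIL PubkeyAuthentication=$pk"; rc=1; }
    [ "$rc" -ne 0 ] || echo "OK key-only authentication"
    return "$rc"
}

demo() {
    cfg=$(mktemp)
    # Constructed sample: the later "no" does NOT override the earlier "yes".
    printf '%s\n' 'PubkeyAuthentication yes' 'PasswordAuthentication yes' \
        'KbdInteractiveAuthentication no' 'PasswordAuthentication no' > "$cfg"
    audit_sshd "$cfg" || echo "-> password logins are still enabled"
    rm -f "$cfg"
}
demo
```

On a live host, `sshd -T` prints the effective configuration the daemon will actually use, which also covers Include files that this script skips.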