My understanding is that Veras use an HTTPS tunnel back to the main servers for commands and use FTP for log uploads. I seem to recall from another thread that while the UI7 events are sanitized, applications that write to the log could contain store data, so the use of FTP vs FTPS/SFTP can expose data in the clear.
And for some reason your map direction bothers me. I want the remote client to be the start of the chain as they initiate the connection.
I think you are possibly getting into deeper waters than you want to swim in. Going straight from hobbyist coder to freelance coder has a lot of pitfalls. You might want to consider an alternate platform that doesn't have default remote connectivity, like a Universal Devices ISY994 Z-Wave controller. There is no remote connectivity unless you pay the annual fee for that feature, so the network security issues are less.