The truly paranoid may elect to use the 2.4 kernels' Netfilter facility (adding stateful packet filtering) or a commercial application-level proxy gateway.
But given what Qwest and Level 3 are spending to build smaller packet-switched businesses, he might easily be forced to accelerate spending at the same time that his margins erode.