Just to add to the discussion here, what Joshua has said was correct and substantial, but what you should also know is that no matter what way you connect your systems to the internet, you should know there will ALWAYS be some risk. How much risk is up to you and your client(s).
There are varying degrees of risk involved:
1) The worst case scenario is your entire DVR is open to the internet with no firewall, using a public IP. You can rest assured this almost never happens in the real world, or it least it shouldn't ever happen.
2) The next worst scenario has the DVR behind a firewall physically, but in a DMZ outside of the internal network, which in effect is the same as above, naked to the internet.
3) Moving up the security levels one step would be keeping the DVR behind the firewall, but opening all of the default ports set by the manufacturer for the given DVR. For all intents, this is not much more secure than above, except you may get lucky and not intentionally allow unknown ports to be used (SSH, TFTP, etc).
4) The next level up in security would be to do as you have said here, change the default port numbers, but still leave them open. This will make it a little more of a challenge for an attacker to find your device and a little more difficult to determine it's manufacturer, but it really isn't any more secure in reality. If an attacker really wants to know what is on your network, they will use a port scan to find open firewall ports and knock on the devices to see who's there. Device info is easy to find most of the time.
5) The next level up would be to use a secure VPN connection, as Joshua has said above, to connect to your network. The VPN still has an open port, but hope is that the device hosting the VPN server is more secure than your DVR. This can prove to be a false hope if your VPN server is also insecure or has vulnerabilities. You have to ensure that the VPN server is indeed secure.
6) Above level 5, you will no longer have open firewall ports for outsiders to attack through. Some manufacturers offer some sort of P2P or cloud based service to access your devices without needing to open firewall ports. You are relying on these manufacturers to keep these connections secure for you. While I have yet to have heard of any vulnerabilities with any of these P2P/cloud offerings, it is surely likely at some point in the future, one will happen. Give an attacker enough time and he will find a way in.
7) Going above the security of your manufacturer will require 3rd party, more IT-centric services. This level, you will use a remote desktop service, such as LogMeIn, TeamViewer, Splashtop (my personal favorite), etc. to log into a PC inside of the firewall where you can now view your cameras via the PC, be it through a thick client, a web browser, etc. This method is only as secure as the service you choose. Some services have had vulnerabilities in the past, but they are generally fixed very fast, as these services are relied upon by a vast number of professional users.
8) In this step you are taking the DVR off the internet facing network entirely. This does not mean you cannot have outside access, but you will need a bridge device to get to the DVR. In this scenario, you have a PC with two network cards; one in a network connected to the internet, and a second in a closed network where only your DVR exists. This essentially air gaps your DVR. The only way to access the DVR is the one PC that has a connection in this closed network. You can apply level 7 remote access to this PC so outside access is still available, but no direct access to the DVR is possible now.
9) This is the last step, which is simply unplugging the network cable from the DVR, essentially making the system 100% detached from any network. This is a drastic step and should only be considered in the most extreme cases. While this ensures that the device is impossible to access from the outside, it doesn't prevent someone from sitting down at the DVR and doing damage. This is where physical security is also an essential part of your plan to secure these devices.