is 32bit based, and doesn't have any physical security itself (password lockdown, hashing,etc). It runs (typically) with the local system account (Microsoft), so cracking that would be tough in itself. The client communicates typically via http but can be done via https as well.
There is a good article here (by Screenbert) on how to secure agents via AD Group Policy, but I'm not sure this would apply to servers in the DMZ.
You may consider a whitelisting approach, Savant makes a good product that integrates with Altiris, but again, how useful this would be to servers in a DMZ, I can't say.