A firewall is the way to handle the issue you are describing.
Put the device behind a firewall, on a DMZ, and only allow the necessary protocol(s) from the Internet to the device, and then the same from your internal LAN. Use NAT to translate the Internet IP to the private IP on the DMZ. Put rules in place to only allow the connection to initiate from the trusted LAN to the DMZ and not vice versa; then, even if the device is compromised, it cannot make a connection to your LAN.
That is how most Internet-facing systems are configured to be safest. A server is much more likely to be compromised than a specialist DVR, so the vulnerabilities are likely to be lower. If this is a PC running DVR software, make sure it is only running services that are necessary to its correct operation, and run a regular (daily at the least) check to make sure it is ‘clean’.
If you take these precautions, then it should be as safe as it can be.
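
The DMZ layout described in the answer above, written as an nftables ruleset for a Linux firewall with three interfaces. This is an added example, not part of the original answer; the choice of nftables, the interface names, the addresses, the DVR port and the SSH management rule are all assumptions.

```nft
#!/usr/sbin/nft -f
# Added example. Assumed (not from the original answer):
#   wan0 = Internet, lan0 = trusted LAN, dmz0 = DMZ
#   DVR at 192.168.50.10, one required service on TCP 8000 (placeholder port)
define WAN = "wan0"
define LAN = "lan0"
define DMZ = "dmz0"
define DVR = 192.168.50.10
define DVR_PORT = 8000

table inet filter {
    chain input {
        # Traffic addressed to the firewall itself: nothing from the DMZ or Internet
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        iifname $LAN tcp dport 22 accept   # assumed: SSH management from the LAN only
    }
    chain forward {
        # Default drop: any flow not listed below is refused
        type filter hook forward priority 0; policy drop;
        ct state established,related accept   # replies to permitted connections
        ct state invalid drop
        # Internet -> DVR: only the necessary protocol (matched after DNAT)
        iifname $WAN oifname $DMZ ip daddr $DVR tcp dport $DVR_PORT ct state new accept
        # LAN -> DVR: the same single service, initiated from the trusted side
        iifname $LAN oifname $DMZ ip daddr $DVR tcp dport $DVR_PORT ct state new accept
        # LAN -> Internet: ordinary outbound access (assumed)
        iifname $LAN oifname $WAN accept
        # DMZ -> LAN: a new connection from the DVR is never allowed; log it,
        # since an attempt is a sign the device may be compromised
        iifname $DMZ oifname $LAN ct state new log prefix "DMZ-to-LAN blocked: " drop
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # Translate the Internet-facing address to the DVR's private DMZ address
        iifname $WAN tcp dport $DVR_PORT dnat to $DVR
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $WAN masquerade
    }
}
```

Because the forward chain defaults to drop, the DVR also cannot open connections to the Internet; anything it needs outbound has to be added as an explicit rule.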