In general I would not recommend an FTP site. They are notoriously poorly secured and there is more than a good chance you could leak your information. If it is just pictures and music, you might want to consider DLNA server software that has web capabilities, like Serviio. I am not familiar with the NAS and whether you can install software on it or not. Serviio is Java-based (so as long as the NAS has a JVM you can run it), but I use it at home to serve up all my media, plus it provides a Netflix-like web interface (with user authentication) you can use to provide streaming access over the web (for outside your wifi/internal network). If you just need read access to the information, I would set it up as an HTTP server (if Serviio is not an option). Note this would not provide streaming but would provide read/viewing of files. For transferring files in, you are better off using an application that can stream them over SSH connections. I do not allow these connections to take place on my system so I cannot comment too much about the remote client putting data on the server.
For securing, the number one place is your internet router/wifi router. If you have a Comcast rented modem it would be that device (or similar from other vendors). If it is just a modem (I have a Motorola cable modem) it pipes into a router which I secure by locking down all ports except those I want to come in. For those ports, only allow them to go to a specific destination IP / service (i.e. port 9000 is mapped to port 80 on 192.168.0.25 on my internal network). Other than SSH and HTTP I do not open any ports to the outside world. Since my server behind that firewall is running Linux, you need to keep it up to date with patches etc. That also has a software firewall which only allows internal IPs to access other services/ports on that box (like the DLNA server Serviio, my database, Subversion code repository etc.). Finally, for the one outside port (SSH) I only allow a single user access (who is not the root admin) and regularly change their password to ensure I don't get hacked. I also will lock out remote access after three unsuccessful attempts.
Paranoid... maybe... but with nearly 15TB of data (of which almost 1 is my personal data + source code etc.), why wouldn't I be?
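
As an added example (not part of the original post): a small Python check that reads OpenSSH-style auth log lines and reports which source addresses would hit the three-failure lockout described above, and which sources tried accounts other than the single allowed user. The log lines, the account name `media` and the function name `review` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of OpenSSH auth-log lines (not from the original post).
SAMPLE_LOG = """\
Mar  3 10:00:01 nas sshd[811]: Failed password for media from 203.0.113.7 port 50122 ssh2
Mar  3 10:00:05 nas sshd[811]: Failed password for media from 203.0.113.7 port 50122 ssh2
Mar  3 10:00:09 nas sshd[812]: Failed password for invalid user admin from 198.51.100.9 port 40111 ssh2
Mar  3 10:00:12 nas sshd[811]: Failed password for media from 203.0.113.7 port 50124 ssh2
Mar  3 10:01:30 nas sshd[820]: Failed password for media from 192.0.2.44 port 41000 ssh2
Mar  3 10:01:41 nas sshd[820]: Accepted password for media from 192.0.2.44 port 41000 ssh2
Mar  3 10:02:00 nas sshd[825]: Failed password for root from 198.51.100.9 port 40200 ssh2
Mar  3 10:03:10 nas sshd[830]: Failed password for media from 192.0.2.44 port 41050 ssh2
"""

LINE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def review(log_text, allowed_user, max_failures=3):
    """Return (locked_out_ips, unexpected_users) for the given log text."""
    streak = defaultdict(int)      # consecutive failures per source IP
    locked = []                    # IPs that reached the threshold, in order
    unexpected = defaultdict(set)  # ip -> usernames tried other than allowed_user
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        ip, user = m["ip"], m["user"]
        if user != allowed_user:
            unexpected[ip].add(user)
        if m["result"] == "Accepted":
            streak[ip] = 0         # a successful login resets the counter
            continue
        streak[ip] += 1
        if streak[ip] >= max_failures and ip not in locked:
            locked.append(ip)
    return locked, {ip: sorted(u) for ip, u in unexpected.items()}

if __name__ == "__main__":
    locked, unexpected = review(SAMPLE_LOG, allowed_user="media")
    print("would be locked out:", locked)
    print("logins tried for other accounts:", unexpected)
```

Sources that appear in the second result never used the allowed account at all, which is a useful signal even when they stay under the lockout threshold.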