Hi Deepak,
This is more of a BASIS person's job.
What is necessary here is that you mask your erec URL ...bc/webdynpro/sap/HRRCF*.
To mask your URl's you can use the HTTPURLLOC table if you have reverse proxy capabilities on your dispatcher.
So, the end user will see a different URL than the original one.
However, I know of many customers from different implementations who are exposing the e-rec URL's directly to the internet and i don't remember of any security concerns/issues.
All the best.
Regards,
Varun