How reliable are IP address-based firewall restrictions?
Solution 1:
As others have said spoofing a TCP conection is not easy - but still possible. Firewalls help - but don't address the fundamental issue. Authentication is good but only if it is intrinsically secure - hence I'd suggest you consider a VPN. This solves a lot of problems over what acces you want to expose remotely (only a single port for a tunnelling vpn) via whichyou can selectively and securely expose as much as you want without having to worry about the services implementing insecure protocols.
Solution 2:
Successfully launching spoofed IP attacks are quite difficult. The continued popularity of firewalls suggest its continued applicability and relevance. However, one important point I want to make is to point out the two different firewall types: stateful and stateless. Stateful firewalls generally provide more security because of its ability to keep track of sessions. Stateless firewalls, though they still provide some additional measure of control, can be more easily thwarted. The attack scenario is if there's a vulnerability with a service that can be exploited without establishing full connectivity. Such attacks are less common today, but may still exist.
The only way an attacker could launch a spoofed IP attack is if they had access to your provider's network or access to the physical network between you and your provider. In which case, the attacker can easily spoof their IP and receive return traffic. Many people overlook physical security since only the more determined and skilled attacker would carry out such an attack, but it is still possible and some organizations, especially smaller companies, are quite susceptible to it.
Solution 3:
It's relatively hard to spoof an IP (depends on the (attackers) ISP and their filtering), and a lot harder to make even a TCP handshake with a spoofed IP.
Having a login screen with username/password is nice. But it doesn't prevent brute-force attacks, etc. It's like a door lock - with enough time and will/power, it can be broken into. Having a firewall is just another layer of protection (a very good one in this case), which doesn't allow an attacker to even start brute-forcing.
Most random-target attackers do a port-scan first, find open ports, check vulnerable services, and then attack with appropriate exploits. If your firewall drops all packets, your RDP port would appear closed to an attacker, so even if your RDP is/will be vulnerable, the attacker will not know it is running and will not try to attack it (even if he did, the firewall would block all attempts).
So I would definitely go with a firewall in your case.
Even if possible, the attacker would have to guess the right IP, and the right username/password combination. And that only if he/she could find the RDP, since it would be hidden behind the firewall.