1.) Fast path works on forwarding packets, the services work on the input chain, so securing them via firewall should not affect fast path performance.
2.) You can dissable unwanted services running on the router, and you can also change the port they listen to to obscure thingts a bit more.
The only approach I can think of is the following. Allocate one interface for management purposes only, and connect it to your trusted (protected) network. Then configure winbox, ssh and other services you need to listen on this management interface only.