I am not sure if this suggestion is good. But anyway ...
I would use ejb-client jar file that contains the classes that your clients (your jsf) are allowed to use in this case the interface for your service bean. In this way your clients do not have the classes/interfaces for your dao EJBs. In addition, I would make the DAO EJB a local bean to reduce accidental access to the dao.
This would not make it impossible to call the dao from your clients, but it would certainly be difficult.