Many fundamentals of securing your IP PBX parallel the basics common to safeguarding your data networks:
Password-protect everything. A password should be required for users to access their phones every morning, regardless of whether those phones are physical devices on desks or a software package on computers. Open access to an account could allow tampering with the user database. Some vendors, such as AltiGen Communications and Siemens, are looking to help here. AltiGen's IP PBX systems won't let common strings, like 123456, be used, and they don't accept extension numbers as part of passwords. With its HiPath line, Siemens goes a step beyond passwords for authentication, enabling the use of biometrics and smartcards (see w4.siemens.de/networks/hipath/index.htm). While biometric devices aren't invulnerable to attack, the technology is improving, whereas a password will always be a password.
Users should be forced to change their passwords often, and your IP PBX should be configured to deny access to a mailbox after a certain number of incorrect tries.
Guard against DoS attacks. The denial-of-service attacks that have hit corporate data networks over the past few years can also affect your IP PBX. The first line of defense should be your corporate firewall, but you should also stay on top of vendor patches for the IP PBX's underlying OS.
Virus protection is not just for the desktop. Any IP PBX that runs an off-the-shelf OS, such as Microsoft Windows NT or 2000, should be loaded with the virus protection software of your choice. Although some PBX vendors, such as AltiGen, ship complete turnkey systems, they often leave virus protection software to the users' discretion.
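The password rules described above (refuse common strings such as 123456, refuse passwords that contain the extension number, deny mailbox access after a number of incorrect tries) can be expressed as the following added example, which is not AltiGen's or any other vendor's code. The deny-list contents, the 6-digit minimum, the 3-try/15-minute lockout and the sequential-digit check are assumptions that go beyond what the article states.

```python
import time

# Constructed deny-list (assumption); a deployment would load a longer one.
COMMON_PINS = {"123456", "000000", "111111", "654321", "123123", "121212"}

def pin_problems(pin, extension, min_len=6):
    """Return the reasons a new PIN is refused (empty list = accepted)."""
    if not (pin.isascii() and pin.isdigit()) or len(pin) < min_len:
        return ["too short or not numeric"]
    problems = []
    if pin in COMMON_PINS:
        problems.append("common string")
    if extension and extension in pin:
        problems.append("contains extension number")
    # Added generalisation: one repeated digit, or a run that steps by +1/-1
    # (mod 10), e.g. 777777, 456789, 987654, 890123.
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    if steps in ({0}, {1}, {9}):
        problems.append("repeated or sequential digits")
    return problems

class MailboxLockout:
    """Deny access to a mailbox after max_tries consecutive wrong PINs."""
    def __init__(self, max_tries=3, lock_seconds=900, clock=time.monotonic):
        self.max_tries, self.lock_seconds, self.clock = max_tries, lock_seconds, clock
        self.failures = {}      # mailbox -> consecutive wrong tries
        self.locked_until = {}  # mailbox -> time at which the lock expires

    def attempt(self, mailbox, pin_ok):
        now = self.clock()
        if self.locked_until.get(mailbox, 0) > now:
            return "locked"     # a correct PIN is refused too while locked
        if pin_ok:
            self.failures.pop(mailbox, None)
            return "granted"
        self.failures[mailbox] = self.failures.get(mailbox, 0) + 1
        if self.failures[mailbox] >= self.max_tries:
            self.locked_until[mailbox] = now + self.lock_seconds
            self.failures.pop(mailbox, None)
            return "locked"
        return "denied"

if __name__ == "__main__":
    for pin in ("123456", "720483", "987654", "739518"):  # constructed samples
        print(pin, pin_problems(pin, extension="204") or "accepted")
```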