Many fundamentals of securing your IP PBX parallel the basics common to safeguarding your data networks:
Password-protect everything. A password should be required for users to access their phones every morning, regardless of whether those phones are physical devices on desks or a software package on computers. Open access to an account could allow tampering with the user database. Some vendors, such as AltiGen Communications and Siemens, are looking to help here. AltiGen's IP PBX systems won't let common strings, like 123456, be used, and they don't accept extension numbers as part of passwords. With its HiPath line, Siemens goes a step beyond passwords for authentication, enabling the use of biometrics and smartcards (see w4.siemens.de/networks/hipath/index.htm). While biometric devices aren't invulnerable to attack, the technology is improving, whereas a password will always be a password.
Users should be forced to change their passwords often, and your IP PBX should be configured to deny access to a mailbox after a certain number of incorrect tries.
Make sure users log off when they leave. Getting employees to comply is tough, but they must log off their desktop IP phones. For software-based IP phones, that's as simple as making sure computers are turned off every night. Remind users that if they don't log off and a member of the cleaning crew decides to make a long-distance call to South America, that call will be billed to the employee's departmental account. If, despite your best efforts, your users forget to log off their phones, outgoing call blocks can be set up from the PBX during evening hours or on weekends. Most vendors don't build systems to automatically log users out because, beyond being seen as a nuisance by workers, in case of an emergency you want employees to have easy access to outside assistance.
Guard against DoS attacks. The denial-of-service attacks that have hit corporate data networks over the past few years can also affect your IP PBX. The first line of defense should be your corporate firewall, but you should also stay on top of vendor patches for the IP PBX's underlying OS.
Virus protection is not just for the desktop. Any IP PBX that runs an off-the-shelf OS, such as Microsoft Windows NT and 2000, should be loaded with the virus protection software of your choice. Although some PBX vendors, such as AltiGen, ship complete turnkey systems, they often leave virus protection software to the users' discretion.
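The password rules described above (no common strings such as 123456, no extension number inside the password, and a mailbox that is denied access after a set number of incorrect tries) can be sketched as follows. This is an added example, not code from any vendor named in the article; the function and class names, the minimum length of 6 and the threshold of 3 failures are assumptions.

```python
# Added example: PIN policy check and mailbox lockout.
# Names and thresholds are assumptions, not any vendor's API.
import hmac
from dataclasses import dataclass

MIN_LENGTH = 6     # assumed minimum PIN length
MAX_FAILURES = 3   # assumed number of incorrect tries before lockout


def pin_policy_violations(pin: str, extension: str) -> list[str]:
    """Return the reasons a proposed PIN is rejected (empty list = accepted)."""
    if not pin.isdigit() or len(pin) < MIN_LENGTH:
        return ["too short or not numeric"]
    problems = []
    if extension and extension in pin:
        problems.append("contains the extension number")
    if len(set(pin)) == 1:
        problems.append("single repeated digit")
    # Digit-to-digit steps modulo 10: all +1 is an ascending run (123456),
    # all +9 (that is, -1) is a descending run (654321), wraparound included.
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {9}):
        problems.append("ascending or descending run")
    return problems


@dataclass
class Mailbox:
    extension: str
    pin: str            # a real system stores a salted hash, not the PIN
    failures: int = 0
    locked: bool = False

    def try_login(self, attempt: str) -> bool:
        """Check a PIN attempt; lock the mailbox after MAX_FAILURES misses."""
        if self.locked:
            return False  # stays locked until an administrator resets it
        if hmac.compare_digest(attempt.encode(), self.pin.encode()):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True
        return False
```
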