VOIP may be vulnerable to threats

23.01.2006

With all these potential threats and vulnerabilities, will huge numbers of VOIP users soon find themselves plagued by service interruptions and eavesdropping? To date, there have been no devastating, widely publicized attacks on enterprise VOIP systems. Why? Vendors and analysts offer several valid reasons.

Most newer enterprise VOIP solutions are closed systems in which packetized voice is running across the LAN only, and most external traffic is running across the PSTN via a gateway. "If you're running VOIP on the LAN only, it's relatively easy to get toll quality and maintain security," says Gartner's Fraley. Interoffice traffic is normally running on a protected office-to-office connection, so in many cases securing internal VOIP means hardening your call servers, switches, and gateways and protecting them with the right kinds of firewalls and IPS.

Vendors also recommend separating voice from data traffic on the LAN to protect it from malware, eavesdropping, and DoS attacks. Building a separate infrastructure for voice negates the cost benefits of VOIP. However, you can get much of the same kind of protection by using the 802.1Q features of your switches to put voice and data on separate VLANs and by protecting the intersection points between voice and data VLANs, such as the messaging server, with a voice-aware firewall and/or an IPS. In fact, Cisco offers a built-in IPS with recent versions of Call Manager.

"The right use of VLANs will also prevent casual VOIP snooping," says Farnsworth, adding that it becomes easier to target voice apps with appropriate security measures.

VOIP vendors and security experts say it's best to avoid softphones -- phone software that runs on a PC -- in favor of IP telephony handsets because softphones make it almost impossible to separate voice from data. Binding an IP handset's IP address to its MAC (media access control) address is a good way to help thwart IP address spoofing. Several solutions use digital certificates for device and server authentication, and you can require passwords or PINs to access handsets. The key is encrypting voice-signaling data, VOIP management interactions, and, in high-security environments, even voice streams.
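
The VLAN separation and the IP-to-MAC binding described above can both be checked against traffic. The following is an added example, not code from the article or any vendor: it parses Ethernet frames, reads the 802.1Q tag, and flags handset addresses seen from the wrong MAC or outside the voice VLAN. It assumes frames are taken from a trunk or mirror port that preserves 802.1Q tags; the VLAN ID, addresses, and the `build_frame` helper are constructed for illustration.

```python
import struct
import ipaddress

VOICE_VLAN = 110  # assumed voice VLAN ID (hypothetical)
# Assumed IP-to-MAC bindings for handsets (constructed values)
BINDINGS = {
    "10.20.0.11": "00:11:22:aa:bb:01",
    "10.20.0.12": "00:11:22:aa:bb:02",
}

def parse_frame(frame: bytes):
    """Return (vlan_id or None, src_mac, src_ip or None) for an Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan_id, offset = None, 14
    if ethertype == 0x8100:  # 802.1Q tag: 2-byte TCI, then the real EtherType
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18  # low 12 bits of the TCI are the VLAN ID
    src_ip = None
    if ethertype == 0x0800 and len(frame) >= offset + 20:  # IPv4 header present
        src_ip = str(ipaddress.IPv4Address(frame[offset + 12:offset + 16]))
    return vlan_id, src_mac, src_ip

def audit(frame: bytes):
    """Return a list of findings for one frame (empty list means nothing to report)."""
    vlan_id, src_mac, src_ip = parse_frame(frame)
    findings = []
    if src_ip in BINDINGS:
        if BINDINGS[src_ip] != src_mac:
            findings.append(f"binding mismatch: {src_ip} seen from {src_mac}")
        if vlan_id != VOICE_VLAN:
            findings.append(f"handset IP {src_ip} outside voice VLAN (vlan={vlan_id})")
    elif vlan_id == VOICE_VLAN and src_ip is not None:
        findings.append(f"unbound host {src_ip} ({src_mac}) on voice VLAN")
    return findings

def build_frame(src_mac, src_ip, vlan=None):
    """Construct a minimal test frame (sample data, not a capture)."""
    eth = bytes(6) + bytes.fromhex(src_mac.replace(":", ""))
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    ip = bytes([0x45]) + bytes(11) + ipaddress.IPv4Address(src_ip).packed + bytes(4)
    return eth + tag + struct.pack("!H", 0x0800) + ip

if __name__ == "__main__":
    print(audit(build_frame("de:ad:be:ef:00:01", "10.20.0.11", 110)))
```

A check like this only reports violations; enforcement still belongs on the switches and the voice-aware firewall or IPS the article mentions.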