NIST has released a draft of Special Publication 800-58 covering security considerations for Voice over IP (VoIP) Systems.
Being over 90 pages in length I will not regurgitate the contents here, but will make the point that its good to see them actually completely thinking it through. I particularly liked seeing that they spent more time assessing the threats of VoIP… and coming to such good realizations such as the fact special considerations should be given to E-911 emergency services comms over VoIP, because E-911 automatic location service is not available with VOIP in most cases. (A very important tool needed in the 911 system if you ask me)
I quite enjoyed more of the end of the document when they profile the attack vectors and give some recommendations on how to defend against it. I would be interested to see what sort of threat modelling they used to come to some of these realizations, as I wasn't aware that similar to ARP cache vulnerabilities there exists the potential of a IP Phone netmask vulnerability by assigning a subnet mask and router address to the phone crafted to cause most or all of the packets in transit to be sent to an attacker's MAC address. Combine that with some funky IP forwarding this would be undetectable and become a passive tap for an attacker or even for law enforcement.
Anyways, its an interesting read if you are considering the security of a VoIP deployment . Enjoy. [Dana Epp's ramblings at the Sanctuary]