We have a PBX server at work which consists of Ubuntu with Asterisk and FreePBX. As for now the box isnt exposed to the Internet so that side of the security we have covered, the physical security is our biggest issue. I mean we dont want someone waiting in our lobby unattended to unplug the phone and hook up his laptop and have access to our network. Now while we do have a firewall between the voice and data network we took it a step further by using MAC filtering on both the firewall and on the PBX server it self. We also put PWs on the extensions to prevent someone from routing calls that way.