In a VoIP world, must call control and media transport be handled differently in terms of security? What is each type of traffic prone to and what attacks can be launched against them?
Well, it's not obvious that these need to be fundamentally different.
Call controllers need to be isolated on their virtual LAN with services only supported or acknowledged from authenticated devices. This way, we can minimize the impact of Distributed Denial of Service attacks should they occur, since the boundary infrastructure, such as routers or layer 3 switches, will be the bottleneck/chokepoint, which should not affect the performance of the IP PBX services and users.
Also needed are intrusion prevention devices that enforce corporate anti-virus operational policies and can quickly respond to the scope of a threat, to the point of quarantining offending devices and ports. Clearly, this category of product is necessary for industry best practice in IP Telephony security.