Lock all that's not trusted
Running a VoIP server raises several concerns: service to your users must not be disrupted by malicious attackers, your (paid) connection to ITSPs must not be hijacked or otherwise exploited by third parties, and the conversations of your legitimate users must remain private and confidential. Consider everything that's not from your own LAN as hostile. This seemingly paranoid attitude will be your friend, and each time you hear about a breach of someone else's telephony system you'll pat yourself on the back.
If you allow SIP devices to register to FreeSWITCH from outside your LAN, use a VPN or a TLS certificate. Nothing else. Not even 16-character passwords: they'll be almost in the clear. Beware: allowing plain SIP registration from outside your LAN is a highway to toll fraud.
Connect to your ITSP via VPN or TLS if possible, and in any case activate IP authentication (the ITSP will accept traffic only from your FreeSWITCH server at your IP address).
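The following is an added example, not part of the original text or of the FreeSWITCH project: a small audit of a Sofia profile for the two points above, plain SIP still accepted next to TLS and an ITSP gateway that does not register over TLS. The profile XML is a constructed sample with literal values in place of the usual `$${...}` variables, the gateway name `example_itsp` is hypothetical, and a profile reachable only through a VPN is outside what the check covers.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile (not from the page). Literal values stand in
# for the $${...} variables that vars.xml would normally supply.
SAMPLE_PROFILE = """
<profile name="internal">
  <gateways>
    <gateway name="example_itsp">
      <param name="register" value="true"/>
      <param name="register-transport" value="udp"/>
    </gateway>
  </gateways>
  <settings>
    <param name="sip-port" value="5060"/>
    <param name="tls" value="true"/>
    <param name="tls-only" value="false"/>
    <param name="tls-sip-port" value="5061"/>
  </settings>
</profile>
"""


def _params(node):
    """Collect the <param name=... value=...> children of node into a dict."""
    if node is None:
        return {}
    return {p.get("name"): (p.get("value") or "").strip().lower()
            for p in node.findall("param")}


def audit_profile(xml_text):
    """Return findings for a profile that still exposes plain SIP."""
    root = ET.fromstring(xml_text)
    settings = _params(root.find("settings"))
    findings = []
    if settings.get("tls") != "true":
        findings.append("profile: TLS listener is disabled")
    elif settings.get("tls-only") != "true":
        # tls-only=true stops the profile binding the plain sip-port
        findings.append("profile: plain SIP is still accepted next to TLS")
    for gw in root.iter("gateway"):
        # A gateway with no register-transport param is flagged as well
        if _params(gw).get("register-transport") != "tls":
            findings.append(f"gateway {gw.get('name')}: register-transport is not tls")
    return findings


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print(finding)
```
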
Set your firewall to open...