All valid points.
So in order of preference:
1. Don't open a public SIP port to the internet
2. If you need VoIP on the move, prefer using a VPN so you are not exposing a public VoIP port
3. If you have to open a port, open a non-standard SIP port
4. Get really paranoid - add good logging, call reporting, a good password policy, and the firewall (as discussed separately in detail)
For everybody - option 4 comes with risk and should be avoided where possible, as you are opening yourself up to being hacked. A firewall is only part of what you need (imagine someone uses the same password and username on a site that gets hacked, and that can be leveraged to get access to your system to make unlimited calls). Assume that you are making yourself a target, assume that you WILL get a breach and think about how you will minimise it, and work from there.
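A defender-side check in the spirit of point 4 (good logging) and point 2 (VPN only), added here as example code and not written by the poster: it scans SIP REGISTER log lines in a constructed format, flags sources with repeated failures inside a short window, and flags successful registrations from outside an assumed VPN client range. The log format, the VPN subnet and the threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log lines (not from any real PBX): timestamp, source IP,
# extension and outcome of a SIP REGISTER attempt.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z REGISTER src=10.8.0.12 user=1001 result=OK
2024-05-01T10:00:03Z REGISTER src=203.0.113.50 user=1001 result=FAIL
2024-05-01T10:00:04Z REGISTER src=203.0.113.50 user=1002 result=FAIL
2024-05-01T10:00:05Z REGISTER src=203.0.113.50 user=1003 result=FAIL
2024-05-01T10:00:06Z REGISTER src=203.0.113.50 user=1004 result=FAIL
2024-05-01T10:00:07Z REGISTER src=203.0.113.50 user=1005 result=FAIL
2024-05-01T10:00:09Z REGISTER src=198.51.100.7 user=1001 result=OK
2024-05-01T10:10:00Z REGISTER src=10.8.0.15 user=1002 result=FAIL
"""

VPN_NET = ip_network("10.8.0.0/24")  # assumption: range handed to VPN clients
FAIL_THRESHOLD = 5                   # failures per source within WINDOW
WINDOW = timedelta(seconds=60)


def parse(line):
    """Split one constructed log line into (timestamp, source IP, user, result)."""
    ts, _, src, user, result = line.split()
    return (datetime.fromisoformat(ts.replace("Z", "+00:00")),
            ip_address(src.split("=", 1)[1]),
            user.split("=", 1)[1],
            result.split("=", 1)[1])


def analyse(log_text):
    """Return (sources exceeding the failure threshold, successes from outside the VPN)."""
    recent_fails = defaultdict(list)   # source IP -> timestamps of failures still in WINDOW
    brute_force = set()
    off_vpn = []
    for line in log_text.splitlines():
        ts, src, user, result = parse(line)
        if result == "OK" and src not in VPN_NET:
            # A valid login that did not come over the VPN: worth a look,
            # since the poster's advice is to avoid any public SIP exposure.
            off_vpn.append((str(src), user))
        elif result == "FAIL":
            # Sliding window: drop failures older than WINDOW, then count.
            window = [t for t in recent_fails[src] if ts - t <= WINDOW] + [ts]
            recent_fails[src] = window
            if len(window) >= FAIL_THRESHOLD:
                brute_force.add(str(src))
    return sorted(brute_force), off_vpn
```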