If your devices support it, use SIP over TLS rather than UDP.
Otherwise, if possible, use SIP over TCP.
Regardless of the protocol chosen, select a random port between 20000 and 50000, instead of 5060.
If you are forced to use UDP, set up iptables to filter by domain name.
If that is also infeasible, set up the firewall to allow only small address ranges that cover your extensions.