Network security should be applied to all seven layers of the OSI model; however, this chapter discussed network security from a Layer 2 (data link layer) perspective. Some basic rules to keep in mind when setting up a secure Layer 2 switch-based network include the following:
VLANs should be set up so that they clearly separate logical components of your network.
Group hosts into VLANs according to the level of security each group of hosts requires.
Any switch ports that are not in use should be placed in a dedicated VLAN reserved for unused ports, separate from the VLANs that carry production traffic.
Port security provides a level of protection because it permits or denies traffic on a port based on the MAC addresses seen on that port. Because a MAC address is a hardware address, port security acts as a form of physical separation for your network. This differs from VLANs, which provide a logical separation. Physical security for your network is achieved separately, by locking your wiring closets and preventing physical access to your network equipment.
VLANs use logical separation of network components to achieve a level of security in your network. Because VLAN membership is assigned by group, any host that is not a member of a VLAN is denied access to that VLAN's resources: the switch does not treat the host as part of the VLAN because you never configured it to.
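The following Cisco IOS switch configuration is an added example, not taken from the chapter, that applies the rules above: production hosts are split into two VLANs by security level, unused ports are parked in a dedicated VLAN and shut down, and port security limits each access port to one learned MAC address. The VLAN numbers, names, and interface ranges are assumed for illustration.

```cisco
! Constructed example: VLAN separation by security level
vlan 10
 name STAFF
vlan 20
 name SERVERS
! Dedicated VLAN that only collects unused ports; it carries no production traffic
vlan 999
 name UNUSED_PARKING

! Production access ports for staff workstations (assumed range)
interface range GigabitEthernet1/0/1 - 12
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 ! Port security: at most one MAC address, learned once and kept in the running config
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 ! "restrict" drops offending frames and logs a violation without disabling the port
 switchport port-security violation restrict
 spanning-tree portfast

! Server ports, separated logically from staff traffic (assumed range)
interface range GigabitEthernet1/0/13 - 16
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown

! Unused ports: parked in the collection VLAN and administratively disabled (assumed range)
interface range GigabitEthernet1/0/17 - 24
 switchport mode access
 switchport access vlan 999
 shutdown
```

After applying the configuration, `show port-security interface GigabitEthernet1/0/1` displays the learned sticky address, the maximum allowed, and the violation count for that port, and `show vlan brief` confirms that the unused ports sit only in VLAN 999. With `violation shutdown`, a port that sees an unexpected MAC address goes err-disabled and stays down until an administrator clears it, so monitor the violation counters rather than relying on users to report lost connectivity.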
Port security and VLANs are each susceptible to certain types of network attacks; when used together, however, each provides a level of network security that complements the other. Whatever your comfort level with network security, remember that you must take whatever precautions are available to protect your network, its resources, and its users from threats both inside and outside your network.