How do you secure a network?

The trick is to do a proper threat model, and then put controls in place to address the threats identified.

I.e. if your threat model identifies physical access to the network point, then your controls should include things like alerting if the device goes offline for any reason, performing 802.1X authentication of the devices (although that is not secure against a man-in-the-middle attack when the MITM allows the legitimate device to authenticate to the switch, and then simply takes over the MAC address of the legitimate device). The controls should also include limiting what you can do with simple access to a network point, i.e. segregated networks, firewalling (limiting the services that are reachable), SSL (transport protection of legitimate traffic to prevent a MITM stealing credentials), etc., etc., etc.
 
Security is done in layers. There is almost no chance you can secure your network using a single technique or device.
It is also a cost vs risk thing: plugging up holes costs money, and the tighter you want things, the more time, effort and money it will cost you.
Eventually you get to a point where the risk doesn't warrant the money spent on security.

Many of the things you can do have been suggested already.
Authentication and network segregation / segmentation can appear to be easy, but even these two items can be done in more complicated and difficult ways.

For example, you can authenticate using a pre-shared key, to a RADIUS / central structure using a username and password, using a certificate, authenticating the machine, or a combination of these. Authentication can even be done via device profiling and querying.
Segmentation can be done using simple VLANs, security appliances and, again, combinations of these with some kind of NAC device.

In the end, your security strategy will be based on the risk, the current equipment capabilities and the cost/budget.
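The "alert if the device goes offline for any reason" control mentioned above, sketched as an added example that is not part of the original posts: it reads switch syslog and raises one alert per link-down event on a port, with a triage label. The log lines are constructed in Cisco IOS-style `%LINK-3-UPDOWN` format, and the switch name, port names and 60-second threshold are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (Cisco IOS-style format, not from a real device).
SAMPLE_LOG = """\
2024-05-01T02:14:07 sw1 %LINK-3-UPDOWN: Interface GigabitEthernet0/7, changed state to down
2024-05-01T02:14:31 sw1 %LINK-3-UPDOWN: Interface GigabitEthernet0/7, changed state to up
2024-05-01T09:00:12 sw1 %LINK-3-UPDOWN: Interface GigabitEthernet0/9, changed state to down
2024-05-01T09:41:50 sw1 %LINK-3-UPDOWN: Interface GigabitEthernet0/9, changed state to up
2024-05-01T11:20:00 sw1 %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to down
"""

LINE_RE = re.compile(
    r"^(\S+) (\S+) %LINK-3-UPDOWN: Interface (\S+), changed state to (up|down)$"
)

def link_alerts(log_text, quick_return=timedelta(seconds=60)):
    """Return (switch, port, kind, seconds_down) for every link-down event.

    kind is a triage hint only; every event is reported:
      quick-replug - link returned within quick_return (assumed threshold),
                     worth a physical check of the cable run and wall port
      outage       - link returned later (reboot, power loss, moved device)
      still-down   - no matching 'up' seen in the log
    """
    down_since = {}   # (switch, port) -> time the link dropped
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore unrelated syslog lines
        ts = datetime.fromisoformat(m.group(1))
        port = (m.group(2), m.group(3))
        if m.group(4) == "down":
            down_since[port] = ts
        elif port in down_since:
            gap = ts - down_since.pop(port)
            kind = "quick-replug" if gap <= quick_return else "outage"
            alerts.append((*port, kind, int(gap.total_seconds())))
    for port in sorted(down_since):
        alerts.append((*port, "still-down", None))
    return alerts

if __name__ == "__main__":
    for alert in link_alerts(SAMPLE_LOG):
        print(alert)
```
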