The Importance of Ethernet Switches
Most advanced Ethernet switches can prevent unauthorized devices from connecting to the LAN. In addition, they provide ways to prevent ARP spoofing and MAC flooding attacks, and a way to analyze traffic transiting the switch.
Limitations of Ethernet Switches
The most significant limitation is that inexpensive switches do not provide the functionality stated above. In addition, Ethernet switches that operate at Layer 2 do not contain broadcasts. This means hosts on the LAN subnet can learn about the presence of one another, and that makes them easier to attack.
Vidder's Ethernet Switch Recommendations
Vidder recommends deploying intelligent Ethernet switches that support 802.1X and/or NAC to prevent unauthenticated devices from connecting to the network. The Ethernet switches should also be capable of preventing ARP spoofing and MAC flooding attacks. In addition, the switch should support remote port mirroring so that sysadmins with privileged access can capture and analyze traffic transiting the switch.
No matter what type of Ethernet switch is used, best practice dictates that unused ports in offices, conference rooms, and other locations be logically or physically disconnected from the network.