Question:
what do network switches have for security? thanks?
?
2011-05-23 07:33:55 UTC
Four answers:
Sid 6.7
2011-05-23 07:46:03 UTC
The previous answer is both right and wrong. Switches have come a long way and some standard Cisco switches have SOME security features. There are switches out there called Layer Three Switches. These have most features of a router, like a firewall, etc. The only difference is that a Layer Three Switch doesn't have a routing table to know where the other routers are. Pretty deep answer for a simple question, but I hope you learn something though. :-)
?
2016-08-24 19:13:46 UTC
2
tom_gronke
2011-05-24 04:36:28 UTC
Simple unmanaged switches in consumer electronics stores have no security. They have no support for virtual local area networks (VLANs). 802.1q VLAN tags may not successfully pass through an unmanaged switch. Simple switches may suffer a MAC address flood attack so all traffic is seen on all ports.



The four LAN ports found in many home routers constitute a switch, but this may have some minimal management in the router configuration, such as configuring quality of service.



Managed switches separate traffic using VLANs. These switches have at least two types of security -- management and connected-device. Standalone switches provide minimal security. As part of a larger network management architecture, they provide extensive security.



Management security protects the management of the switch from unauthorized access and changes and uses the same elements found on any managed network device -- local or centralized authentication of administrative users; logging of events to remote logging servers; separation of the control plane functions from the data plane functions; separate network for management; encryption of administrative traffic.



Connected-device security protects the switch and the overall network by restricting connections to allowed devices and traffic. Some elements include:

--Enabled or disabled ports. An ethernet jack in an office may be connected to a switch, but left in a disabled state until the switch configuration is modified to enable the port. A management system can enable and disable ports on a regular schedule, such as classroom ports enabled during school hours.

--Restriction on MAC address or number of MAC addresses. As on a home wireless router, a managed switch can restrict a port to a specific MAC address or only allow one or two MAC addresses at a time. This discourages extending the network with unauthorized network equipment and some network attacks.

--Rate limits. Some managed switches can limit ports to XX megabits/second to prevent a single connection from hogging the local network.

--Require authorization to connect. Similar to captive portals on public wireless systems, you may get network connectivity but you cannot get anywhere until you supply authorization credentials. This usually requires an overall network management system to work. The buzzword is '802.1x authentication'.

--Require certain clients and certain software. Called something like 'Network Admittance Control', this often works with '802.1x authentication' and software installed on your client computer. You need valid login credentials, a software agent installed, and the software agent must successfully report you have up-to-date anti-virus and firewall software installed and working. You need all of this before your traffic is allowed past the local gateway.

--Restricting types of traffic. This is usually low-level traffic, such as acting as a DHCP server, spoofing traffic from another VLAN, spoofing as the router for the network, setting up multicasts, etc. This is not restricting traffic to specific web sites, which is usually performed by a higher-level device like a router, firewall, or internet gateway like a proxy server. However, a switch may work with an overall network management system to restrict or cut off an ethernet port if it's associated with higher-level prohibited traffic.
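
A toy model of the MAC flood failure and the per-port MAC limit described in the answer above, added here as an example and not part of the original post. The table size, the MAC addresses, the evict-oldest rule and the shut-the-port-on-violation behaviour are all assumptions made for the illustration.

```python
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"

class Switch:
    """Simplified learning switch; every value here is constructed."""

    def __init__(self, ports, cam_size, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam_size = cam_size            # total MAC table capacity
        self.max_macs = max_macs_per_port   # None models an unmanaged switch
        self.cam = OrderedDict()            # MAC -> port, oldest entry first
        self.disabled = set()               # ports shut down after a violation

    def _learn(self, mac, port):
        if mac in self.cam:
            self.cam.move_to_end(mac)       # refresh a known address
            return True
        if self.max_macs is not None:
            on_port = sum(1 for p in self.cam.values() if p == port)
            if on_port >= self.max_macs:    # too many addresses on one port
                self.disabled.add(port)
                return False
        if len(self.cam) >= self.cam_size:
            # Simplification: a full table evicts its oldest entry. Real
            # switches differ; many stop learning and let old entries age out.
            self.cam.popitem(last=False)
        self.cam[mac] = port
        return True

    def receive(self, in_port, src, dst):
        """Return the ports this frame is forwarded out of."""
        if in_port in self.disabled or not self._learn(src, in_port):
            return []
        if dst in self.cam:                 # known destination: one port only
            return [self.cam[dst]] if self.cam[dst] != in_port else []
        # Unknown destination: flood to every other enabled port.
        return [p for p in self.ports if p != in_port and p not in self.disabled]

def run(max_macs_per_port):
    """Where does A->B traffic go before and after port 3 sources many MACs?"""
    a, b = "02:aa:00:00:00:01", "02:bb:00:00:00:02"
    sw = Switch(ports=[1, 2, 3], cam_size=8, max_macs_per_port=max_macs_per_port)
    sw.receive(1, a, BROADCAST)             # host A is learned on port 1
    sw.receive(2, b, a)                     # host B is learned on port 2
    before = sw.receive(1, a, b)
    for i in range(20):                     # 20 made-up source addresses
        sw.receive(3, f"02:cc:00:00:00:{i:02x}", BROADCAST)
    after = sw.receive(1, a, b)
    return before, after, sorted(sw.disabled)
```

With no limit, `run(None)` shows the A-to-B frame going only to port 2 before the flood and to ports 2 and 3 after it; with `run(2)` the frame still goes only to port 2 and port 3 ends up disabled.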
steve_loir
2011-05-23 07:38:53 UTC
Network switches have no security.



Routers often have firewalls and filters.


This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.