Managed Switch questions (networking)

At work, a few weeks ago, we added a new network device. Instead of running another ethernet cable all the way out to where it was, I just put a switch out there to ‘split’ the one cable that was already at the location. Not only was that easier, it was also future-proofing: when we add more, the extra ports are there and ready to go.
At the same time I upgraded another switch that was full from 8 ports to a 16 port switch, this way when/as we get more network enabled devices, we’re not scrambling to find somewhere to plug them in and/or then doing some minor network upgrading.

After I did this, I noticed a major security hole in my network. It would be trivial for someone to bring a laptop into the building and plug it in (via ethernet cable) to one of the open ports or even attach a WAP to the switch I added on (it’s in a spot that’s not really visible).

FTR, I do use static IPs, but I recently turned on DHCP, because I have a few people that use (very few and very trusted) wireless devices (phones) and it was getting to be a PITA to program all the network info into their phones instead of just giving them the password.

Now, I’ve always been a huge fan of unmanaged switches. Plug them in and they just work. It’s like plugging a power strip into an outlet. It just works. No setting it up, no programming, no nothing. If there’s a problem with the network, the chances of it being with one of the (unmanaged) switches is nearly zero.

Now, with my realization of this security hole, not that I think anyone is going to breach it, but still, it got me thinking, I should probably find a way to turn off unused ports, and the answer seems to lie with managed switches.

So, my questions are:
Can I disable unused ports with a managed switch? It would appear that I can, but I’d like to be sure.

If I add another switch to one of the ports of the managed switch, it would also need to be managed as well, right? Maybe? Depends on the next question?

Even with disabled ports, someone could just unplug a cable and plug their device in? That means I’d have to use MAC filtering I think, but every device I’ve worked with has the ability to spoof the MAC address, so I guess the real question is: How do I keep unwanted devices off the network? In fact, that’s really the big question…how do I keep unwanted devices off my network? If I could do that, I’d be happy.

I’m reading about VLANs. Am I understanding correctly that if I set up a switch to have two VLANs, and, say, put a WAP on one VLAN, people connected wirelessly will have zero access to anything on the other VLAN? Sort of like a guest network?

Does a managed switch act like a DHCP? If I use one, can I pull out my router?

Does a managed switch act like a firewall? Again, could I remove my router?
The managed switch I’m looking at does mention a firewall, but only in the sense that it was an access control list. ISTM, I’d have to get an actual firewall to go between the modem and the switch. Checking out (quickly) the manual for a switch, I may need a firewall (or actual router) for port forwarding as well.

A few things:
A) This is the switch I was looking at. Nothing special about it other than that I like Netgear, it’s got a good amount of ports and the price is right.
B) This is the firewall I found when I started thinking about it as I was typing this.
C) This isn’t happening any time soon, but someday I may need to do it and while I’m ‘good at computers’ and I can wire a network (and configure a router, blah blah blah etc), I’ve never dealt with a managed switch (or separate firewall and/or VPN/VLAN).

Also, why does the firewall have so many ports, is it meant to be a router also…it appears so, it would be nice if they just had a one port firewall. No need to (more or less) force me into having two DHCP servers when they know I’ll have to disable one of them…or cause headaches for people that don’t.

Need the model of the switch to answer some questions.

You should be able to disable unused ports on the switches. For Cisco switches the command at the interface level is shut.

You can add an unmanaged switch (or hub though hubs suck) off the managed switch.

Cisco has port security. Specifically switchport port-security mac-address sticky and violation shutdown will shut the port if it sees a different mac than the one originally plugged in.

Vlans separate traffic so ports on one vlan cannot talk to ports in another vlan unless there are routable interfaces for the vlans.

Some multi-layer switches have access-lists which can act like a firewall, depends on the model of switch. The netgear doesn’t mention access-lists. And access-lists do not alleviate the need for a firewall.

The netgear you linked to says it does vlan routing so it is a multi-layer switch. You wouldn’t need a router for devices attached to the switch to talk to each other.

Dhcp comes on some switches, depends on the model. The netgear says dhcp clients, which on a list of features, is confusing and odd. I would guess it doesn’t have a dhcp server. The firewall does but dhcp servers can cause problems on networks if you aren’t careful.

Firewalls have multiple ports because the firewall will have multiple security levels. Each interface gets a security level. The inside interface generally has level 100, dmz 50 and outside 0. Higher levels can talk to lower levels but for lower levels to talk to higher levels an access-list has to be defined for the interesting traffic.

If you are really worried about security, hire a pro. No offense meant, but with your description of your network I suspect open ports on your switches is the last thing you should be worried about.

Slee (Network admin, Cisco guy, storage master, builder of servers, A.D. shmuck, writer of firewall rules and reluctant ip phone guy and general install/configure/support dude)
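The answer above covers three things you would actually do on a Cisco switch: `shutdown` on unused ports, port-security with `mac-address sticky` plus `violation shutdown` on ports that should only ever see one device, and VLANs to keep the WAP's traffic away from the office. The script below is an added example (not code from either poster) that reads a constructed, Cisco-IOS-style running-config fragment, reports which ports miss that baseline, and prints the IOS commands that would close the gap. It assumes the usual IOS layout (one `interface` stanza per port, terminated by `!`) and treats an enabled port with no `description` as "nobody claimed it, so shut it"; that heuristic is this example's assumption, not something the answer states.

```python
# Constructed sample running-config (not from the page): a small access switch
# where some ports follow the baseline from the answer and others do not.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description Uplink to core
 switchport mode trunk
!
interface GigabitEthernet0/2
 description Office PC
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
interface GigabitEthernet0/3
 description Guest WAP
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet0/4
 switchport mode access
 shutdown
!
interface GigabitEthernet0/5
!
"""


def parse_interfaces(config):
    """Split an IOS-style config into {interface_name: [stripped config lines]}."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "!":
            current = None                      # end of the stanza
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
    return interfaces


def audit_interface(name, lines):
    """Return the list of baseline gaps for one interface (empty = OK)."""
    findings = []
    if "shutdown" in lines:
        return findings                          # disabled port: nothing to flag
    if not any(l.startswith("description") for l in lines):
        findings.append("undocumented port is enabled (shut it if unused)")
    if "switchport mode trunk" in lines:
        return findings                          # uplink: port-security is not expected here
    if "switchport port-security" not in lines:
        findings.append("access port without port-security")
    else:
        if "switchport port-security mac-address sticky" not in lines:
            findings.append("port-security without sticky MAC learning")
        if not any(l.startswith("switchport port-security violation") for l in lines):
            # IOS defaults the violation action to shutdown, but stating it
            # keeps the config self-explaining.
            findings.append("port-security without explicit violation action")
    return findings


def audit_config(config):
    """Audit every interface in the config: {interface_name: [findings]}."""
    return {name: audit_interface(name, lines)
            for name, lines in parse_interfaces(config).items()}


def harden_commands(name, lines):
    """IOS commands that bring an enabled access port up to the baseline:
    shut it if nobody has claimed it, otherwise lock it to its first MAC."""
    findings = audit_interface(name, lines)
    if not findings or "switchport mode trunk" in lines:
        return []
    cmds = [f"interface {name}", " switchport mode access"]
    if any(f.startswith("undocumented") for f in findings):
        cmds.append(" shutdown")                 # unused until someone documents it
        return cmds
    cmds += [" switchport port-security",
             " switchport port-security mac-address sticky",
             " switchport port-security violation shutdown"]
    return cmds


if __name__ == "__main__":
    parsed = parse_interfaces(SAMPLE_CONFIG)
    for iface, gaps in audit_config(SAMPLE_CONFIG).items():
        print(f"{iface}: {'OK' if not gaps else '; '.join(gaps)}")
        for cmd in harden_commands(iface, parsed[iface]):
            print("   ", cmd)
```

Run against the sample, Gi0/1 (documented trunk), Gi0/2 (fully locked down) and Gi0/4 (shut) come back clean; Gi0/3 is flagged for missing port-security and Gi0/5 for being enabled with no owner. Sticky MAC learning only raises the bar against the "unplug the printer and plug in my laptop" case the question worries about (a spoofed MAC still gets through); the answer's advice to keep the WAP on its own VLAN, and a real firewall in front of everything, is what limits what such a device can reach.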