I've learned that VLANs are actually the only secure way to separate hosts from each other in a network.
My problem is that I have only a simple ZyXEL NBG6616 and an unmanaged desktop switch (DGS‑1008D), so wired VLANs are not that practical.
MAC filtering on WiFi and a hidden SSID aren't really security-improving measures, as described in:
- Does MAC Address Filtering Really Protect Your WiFi
- Why You Shouldn’t Use MAC Address Filtering On Your Wi-Fi Router
- Advice needed about Wifi Security
but setting up wireless VLANs and strong passwords is not that big of a deal.
It is different when it comes to the LAN; you find discussions like
- Can I add MAC filtering for LAN (wired) connection?
- How to Block Device on OpenWRT Based on MAC Address
but still, it looks like you can even sniff MACs within a LAN, and as soon as you have access to a connected host, you can easily figure out the MAC.
There is the discussion "Is there any way to filter packets between two machines in same lan?" but it still answers the question 100%.
So how do I prevent someone from breaching the network as soon as a host is hooked up to an open port on the switch?