Security controls by OSI layer: L1 (physical locks), L2 (VLANs, 802.1X, port security), L3 (firewalls, IPSec, routing ACLs), L4 (stateful firewalls, TCP inspection), L7 (WAF, DLP, application controls).
Attackers target all layers — defense in depth addresses each layer. A WAF at L7 doesn't protect against L2 ARP poisoning. Network segmentation (L2/L3) doesn't stop application-layer attacks. Each layer needs appropriate controls.