physical network security covers things like locking your servers up so people cannot directly interface with them. Logical network security covers things like ensuring that multiple policies do not contradict or create circular arguments. The latter is generally solved by using a policy of worst-scenario. ie. if anything say DENY, then you DENY and disregard any other policy however important.