We introduce a new technique for providing security in a broadcast-and-select, wavelength-division-multiplexed (WDM) optical network. The approach provides privacy of communications by employing a novel challenge-response scheme and exploiting the tuning delay inherent in optical receivers. The proposed technique can be integrated easily into any existing WDM media-access-control (MAC) protocol that employs tunable receivers. The modified protocol would require every idle user (that is, every user not scheduled to receive data) to tune in to a channel that does not contain sensitive data. A violation of the protocol can be detected with very high probability, and appropriate measures can be taken against the violator. The technique provides features that cannot be achieved with cryptography alone. Significant benefits of the proposed approach include the ability to detect security violations as they occur and an efficient mechanism to provide privacy for multicast transmissions. We develop two simple solutions to deal with different levels of attack: (1) eavesdroppers working alone, and (2) eavesdroppers working in collaboration. We also introduce a dynamic channel allocation scheme that can further reduce the number of required overhead channels, with minimal loss in the capability to detect eavesdropping violations.