> VLANs are not the answer. They reduce the collision domain and provide
> the ability to significantly increase port density in large networks.
> Anyone can use packet rewriting software to insert the appropriate
> VLAN tags/sniff from the wire.
I'm just starting to look at VLANs, so perhaps this is naive, but isn't that
true only in the case of MAC-based VLAN membership? Without having actually
tried it yet, it seems to me that a port-based VLAN wouldn't be subject to
an ARP poisoning attack, as long as the attacker is on a different VLAN.
Please be gentle with me if I'm wrong ;-)
Having said that, I agree completely that wireless should never be on the
LAN segment; I always put it on an isolated NIC, and require a VPN
connection to the m0n0wall, in addition to WEP/WPA/WPA2. Since he can't
have more than three NICs (LAN, WAN, DMZ), couldn't he put the wireless in
the DMZ, on a different, port-based VLAN?
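The point raised above (membership on a port-based VLAN is decided by the switch port, while an 802.1Q tag inside a frame is something an attacker's packet-rewriting software can set) can be turned into a monitoring check. This is an added example, not code from the thread or from m0n0wall; the VLAN number, gateway address and MAC, and the frames it inspects are all constructed for illustration.

```python
import struct

ETHERTYPE_VLAN, ETHERTYPE_ARP, ARP_REPLY = 0x8100, 0x0806, 2

def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def parse_frame(raw):
    """Split an Ethernet frame into (src, dst, vlan_id, ethertype, payload).
    vlan_id is None when the frame carries no 802.1Q tag."""
    dst, src, etype = struct.unpack("!6s6sH", raw[:14])
    vlan_id, off = None, 14
    if etype == ETHERTYPE_VLAN:                      # 802.1Q tag sits after the MACs
        tci, etype = struct.unpack("!HH", raw[14:18])
        vlan_id, off = tci & 0x0FFF, 18              # low 12 bits of TCI = VLAN ID
    return mac_str(src), mac_str(dst), vlan_id, etype, raw[off:]

def parse_arp(payload):
    """Return (opcode, sender_mac, sender_ip) from an ARP packet."""
    _, _, _, _, oper, sha, spa, _, _ = struct.unpack("!HHBBH6s4s6s4s", payload[:28])
    return oper, mac_str(sha), ip_str(spa)

def check_frame(raw, port_vlan, gateway_macs):
    """Inspect one frame seen on an access port whose port-based VLAN is port_vlan.
    gateway_macs maps (vlan_id, gateway_ip) -> expected MAC. Returns alert strings."""
    src, _, tag, etype, payload = parse_frame(raw)
    alerts = []
    if tag is not None:
        # On a port-based VLAN the switch port decides membership; a tag inside the
        # frame is under the sender's control and must not be trusted for membership.
        alerts.append(f"{src}: 802.1Q tag {tag} on access port (VLAN {port_vlan})")
    if etype == ETHERTYPE_ARP:
        oper, sha, spa = parse_arp(payload)
        expected = gateway_macs.get((port_vlan, spa))
        if oper == ARP_REPLY and expected and sha != expected:
            alerts.append(f"{src}: ARP reply claims gateway {spa} with {sha}, expected {expected}")
    return alerts

def build_arp_frame(src, dst, oper, sha, spa, tha, tpa, vlan_id=None):
    """Constructed test frame (not a real capture): optional 802.1Q tag + ARP."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    hdr = m(dst) + m(src)
    if vlan_id is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id)
    hdr += struct.pack("!H", ETHERTYPE_ARP)
    return hdr + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper, m(sha), ip(spa), m(tha), ip(tpa))

# Assumed layout: wireless DMZ is port-based VLAN 20, gateway 192.168.20.1 on the m0n0wall.
GATEWAYS = {(20, "192.168.20.1"): "00:0c:29:aa:bb:01"}
```

Frames that arrive untagged and carry the known gateway MAC produce no alerts; a tagged frame on an access port, or an ARP reply that claims the gateway IP with another MAC, each produce one.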