 
 From:  Claude Morin <klodefactor at gmail dot com>
 To:  • • <googl3meister at gmail dot com>
 Cc:  thomas at sprinzing dot org, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] VLAN woes
 Date:  Wed, 29 Jun 2005 11:25:22 -0400
> 
> VLANs are not the answer. They reduce the collision domain and provide
> the ability to significantly increase port density in large networks.
> Anyone can use packet rewriting software to insert the appropriate
> VLAN tags/sniff from the wire.
I'm just starting to look at VLANs, so perhaps this is naive, but isn't that 
true only in the case of MAC-based VLAN membership? Without having actually 
tried it yet, it seems to me that a port-based VLAN wouldn't be subject to 
an ARP poisoning attack, as long as the attacker is on a different VLAN. 
Please be gentle with me if I'm wrong ;-)

Having said that, I agree completely that wireless should never be on the 
LAN segment; I always put it on an isolated NIC, and require a VPN 
connection to the m0n0wall, in addition to WEP/WPA/WPA2. Since he can't 
have more than three NICs (LAN, WAN, DMZ), couldn't he put the wireless in 
the DMZ, on a different, port-based VLAN?

-klode
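The distinction klode is asking about (port-based membership versus membership taken from a tag in the frame) can be made concrete with a small model. The following is an added example, not code from the thread, m0n0wall, or any switch vendor: it builds 802.1Q frames from constructed bytes, parses them back, and runs a toy switch whose access ports classify by PVID while trunk ports honour the tag. The port names, VLAN numbers and MAC address are all made up for the demonstration.

```python
"""Toy model of VLAN membership: port-based (PVID) versus tag-based.

Added example for the m0n0wall VLAN thread; not real switch code. All frame
bytes, ports, VLAN ids and MAC addresses below are constructed for the demo.
"""
import struct

ETH_P_8021Q = 0x8100      # TPID that marks an 802.1Q-tagged frame
ETH_P_ARP = 0x0806
BROADCAST = b"\xff" * 6


def build_frame(dst, src, ethertype, payload, vlan_id=None):
    """Build a minimal Ethernet II frame, optionally carrying an 802.1Q tag."""
    frame = dst + src
    if vlan_id is not None:
        # TPID, then TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits); priority 0 here
        frame += struct.pack("!HH", ETH_P_8021Q, vlan_id & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vlan_id_or_None, ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETH_P_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        (ethertype,) = struct.unpack("!H", frame[16:18])
        return dst, src, tci & 0x0FFF, ethertype, frame[18:]
    return dst, src, None, ethertype, frame[14:]


class ToySwitch:
    """Ingress VLAN classification the way a typical managed switch does it."""

    def __init__(self):
        self.ports = {}   # name -> {"mode": "access" | "trunk", "pvid": int}

    def add_port(self, name, mode, pvid):
        self.ports[name] = {"mode": mode, "pvid": pvid}

    def classify(self, ingress, frame):
        """VLAN a frame belongs to after arriving on port `ingress`."""
        cfg = self.ports[ingress]
        _, _, tag_vid, _, _ = parse_frame(frame)
        if cfg["mode"] == "access":
            # Port-based membership: the PVID decides. A tag the host wrote
            # into the frame is ignored here (real switches ignore or drop it).
            return cfg["pvid"]
        # Trunk port: honour the tag; untagged frames fall into the native VLAN.
        return tag_vid if tag_vid is not None else cfg["pvid"]

    def flood_targets(self, ingress, frame):
        """Ports a broadcast reaches: same-VLAN access ports plus trunks."""
        vid = self.classify(ingress, frame)
        return sorted(p for p, cfg in self.ports.items()
                      if p != ingress and (cfg["pvid"] == vid or cfg["mode"] == "trunk"))


def build_demo_switch(wifi_mode="access"):
    sw = ToySwitch()
    sw.add_port("lan1", "access", 10)     # wired LAN hosts (constructed)
    sw.add_port("lan2", "access", 10)
    sw.add_port("wifi", wifi_mode, 20)    # wireless AP on its own VLAN
    sw.add_port("uplink", "trunk", 1)     # tagged uplink toward the firewall
    return sw


def arp_broadcast_from_wifi(claimed_vid=None):
    """Constructed ARP broadcast from the wifi port, optionally pre-tagged."""
    src = bytes.fromhex("02aabbccddee")   # constructed, locally administered MAC
    return build_frame(BROADCAST, src, ETH_P_ARP, b"\x00" * 28, vlan_id=claimed_vid)


def demo(wifi_mode="access"):
    """Where a frame tagged 'VLAN 10' from the wifi port actually lands."""
    sw = build_demo_switch(wifi_mode)
    tagged = arp_broadcast_from_wifi(claimed_vid=10)
    return {"vlan": sw.classify("wifi", tagged),
            "reaches": sw.flood_targets("wifi", tagged)}


if __name__ == "__main__":
    print("port-based :", demo("access"))   # stays in VLAN 20, only the trunk sees it
    print("tag-honouring:", demo("trunk"))  # tag wins, broadcast reaches lan1/lan2
```

With the wifi port configured as an access port the tag in the frame is irrelevant: the switch files the frame under VLAN 20 and the broadcast never reaches the LAN access ports, which is the property klode is counting on. Reconfiguring the same port to honour tags is what makes the earlier remark about inserted tags true, so the check to make on a real switch is that every port a less-trusted device can plug into is an access port with a fixed PVID, and that the trunk to the m0n0wall carries only the VLANs it needs.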