
Just say no to VLANS: msg#00067

security.wireless

Subject: Just say no to VLANS

I would like to add my 2 cents.

First, don't use VLANs as your primary layer of security. It is a
trivial step to hop onto other VLANs. If you do use VLANs as part of
a layered solution, make sure your public side network is using VLAN
1. Since all flat (non-VLAN) networks use a default VLAN 1, a
casual attacker wouldn't immediately suspect that VLANs are being used
as a security measure. However, if the wireless traffic is on VLAN 20
then you have tipped the attacker that you are using VLANs to segment
your traffic.

You will need an enterprise AP to do multiple SSIDs w/ VLAN tags. I'd
suggest an HP 420 access point. Great enterprise functionality... no
Cisco prices. :)

As for my suggestions. Physically separate networks. PERIOD! Either
use an optional interface on a firewall and cable to the public AP
(ensuring the optional network has no access to the trusted), or buy a
second broadband connection and cable to the AP.

This may seem a bit extreme at first, but without a full wireless
security solution, keep the public wireless off your network.

PS: Also, if you do allow access via an optional firewall interface, I'd
suggest turning off port 25 traffic. If a spammer sits in your hotspot
and spams, it is your IP that gets blacklisted.


--
tsudohnimh
www.knowthenetwork.com
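The "optional interface" setup recommended in the post, written out as an added nftables ruleset that is not part of the original message. The interface names, subnets, and the use of nftables itself are assumptions; the post names no firewall product.

```nftables
# Added example, not from the original post. Guest AP is cabled to a
# dedicated "optional" interface; guests may reach the Internet only.
# Interface names and subnets below are assumed values.
define guest_if    = "eth2"              # optional interface -> public AP
define trusted_if  = "eth1"              # trusted LAN
define trusted_net = 192.168.10.0/24     # assumed trusted subnet
define guest_net   = 192.168.50.0/24     # assumed hotspot subnet

table inet guestfw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections already allowed
        ct state established,related accept

        # Trusted LAN may forward out as before
        iifname $trusted_if accept

        # Rule 1: the optional network has no access to the trusted network
        iifname $guest_if ip daddr $trusted_net counter drop

        # Rule 2: no direct outbound SMTP from the hotspot, so a spammer
        # cannot get the site's IP blacklisted; log hits for review
        iifname $guest_if tcp dport 25 counter log prefix "guest-smtp-blocked " drop

        # Rule 3: everything else from the guest subnet goes to the Internet
        iifname $guest_if ip saddr $guest_net accept
    }
}
```

The `counter` and `log` statements give a quick way to see whether hotspot clients are probing the trusted subnet or trying to send mail directly.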


