Security of multiple VLANs and WiFi

Archived from groups: comp.dcom.lans.ethernet (More info?)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In the following configuration,

[x]-----O-------O
switch WAP station

the switch supports multiple VLANs per segment and the Wireless Access
Point is an Apple Airport Extreme. At first glance, my impression is
that the WAP is not capable of routing, but I have not confirmed this.

It seems to me that I could obtain better security if I were to place
the WAP in one VLAN and the station in another (which grabs its IP
address from a DHCP server behind the switch). My reasoning is that I
could place the WAP inside a firewalled VLAN and allow management access
only to that VLAN.

I'm not terribly familiar with the way WAPs work (they're essentially
bridges, correct?), so I'm curious to know if such a configuration would
actually work, if indeed the WAP is *not* a router.

Moreover, I have to wonder if this design would actually result in the
security I'm after. Couldn't an attacker simply sniff the segment
between the WAP and the station(s), including traffic on the opposite
VLAN to which they are connected?

- --
Anthony Chavez http://anthonychavez.org/
mailto:acc@anthonychavez.org jabber:acc@jabber.anthonychavez.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (Darwin)

iD8DBQFCJ4dzbZTbIaRBRXERAr2SAJ42rQmh/bXgfYCnVRRyWWw81OjDngCeMIrm
zxSQ63lh2BIUBvchC7jVej4=
=CkEy
-----END PGP SIGNATURE-----