Be careful with that wireless access point.
Unless you're setting up a strong authentication / encryption scheme like WPA with RADIUS (and even then), it should live in a separate (DMZ-like) segment on the firewall.

Also, depending on your resources ($), you might want to consider setting up VLANs and using a layer 3 switch (or a VLAN-capable switch and a router) on the internal network to separate your servers/ops/dev/lab zones into different segments, on which you can then set up some basic ACLs on the router...

If you want to do IDS, make sure that your switches support mirroring (aka port spanning, port monitoring), ideally multiple ports or VLANs to one port.


Ammo
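As an added example (not part of Ammo's post or anyone else's in this thread), here is a Cisco IOS-style configuration that puts the three pieces of advice above into concrete form: one VLAN per zone routed on a layer 3 switch, a basic ACL per zone applied on the VLAN interface, a DMZ-style VLAN for the wireless access point, and a SPAN session feeding an IDS sensor. The VLAN numbers, subnets, interface names and the specific ports allowed are assumptions chosen for illustration; exact SPAN syntax and limits vary by switch platform.

```cisco
! Added example (not from the original post): Cisco IOS-style configuration
! illustrating zone segmentation, per-zone ACLs and SPAN for an IDS sensor.
! VLAN ids, subnets, ports and interface names are assumed for illustration.

! One VLAN per zone; the layer 3 switch routes between them
vlan 10
 name SERVERS
vlan 20
 name OPS
vlan 30
 name DEV
vlan 40
 name LAB
vlan 50
 name WIFI-DMZ

! Routed interfaces (SVIs) for the zones that get an ingress ACL
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
interface Vlan40
 ip address 10.0.40.1 255.255.255.0
 ip access-group LAB-IN in
interface Vlan50
 ip address 10.0.50.1 255.255.255.0
 ip access-group WIFI-DMZ-IN in

! Lab hosts may reach the server zone only on HTTPS; anything else toward
! the servers is dropped and logged; other traffic (e.g. Internet) passes
ip access-list extended LAB-IN
 permit tcp 10.0.40.0 0.0.0.255 10.0.10.0 0.0.0.255 eq 443
 deny   ip  10.0.40.0 0.0.0.255 10.0.10.0 0.0.0.255 log
 permit ip  10.0.40.0 0.0.0.255 any

! Wireless (DMZ-like) segment: allow DHCP and DNS to its own gateway,
! block every internal zone, let the rest go out toward the firewall
ip access-list extended WIFI-DMZ-IN
 permit udp any any eq bootps
 permit udp any host 10.0.50.1 eq domain
 deny   ip  any 10.0.0.0 0.0.255.255 log
 permit ip  any any

! SPAN session: mirror the server and wireless VLANs to the IDS sensor port
! (multiple sources into one destination, as the post recommends)
monitor session 1 source vlan 10
monitor session 1 source vlan 50
monitor session 1 destination interface GigabitEthernet1/0/24
```

Applying each ACL with `in` on the zone's SVI filters traffic as it leaves that zone toward the router, so the rules are written from the zone's point of view. The ACLs are stateless: reply traffic from the server VLAN back to the lab VLAN is not filtered here, and a zone that also needs replies inspected would need a matching ACL on its own SVI (or a stateful firewall in the path). Note that parking the access point in its own VLAN on the internal switch is weaker than the post's recommendation of a separate firewall segment, since a switch ACL offers no state tracking and is only as trustworthy as the switch itself; the `log` keywords give the IDS/log collector a record of blocked cross-zone attempts.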