A good VPN tunnel should thave 3DES encription or stronger with Dynamic keys. These rules and tunnels are a pain to set up but worth it in the long term.

Another thing you can do while locking down MAC address at the AP is allocate each a fixed IP which sometimes helps if you want to setup Bidirectional VPNs. This is nice if your software needs to be able to push from the server rather requiring the data to be pulled from the client or even if you want to SSH onto the client machine to upgrade the software.

Don't just look at the server side of security locking down the client is as important as locking down the server. If I hack the client and get it to spool data to a file and then email me that file....

And for the ultra paranoid that can afford it a nice firewall between your web server and database server can help a lot.

Making Wireless LAN Security Air Tight is an interesting read. location-based services has some interesting points in relation to this also

Homeland security waiting for Wi-Fi might be of interest. also Wi-Fi gets a security boost contains more info on WFA a more secure version of WEP

Hope that ramble helped
UnderMine

Update: Added client side issues

Update: Added report link

Update: Added new security realted report link

Update: Added WFA report link

Like you said use WEP.

I wouldn't bother with WEP at all. Like you said, it's broken, and can only serve to give the illusion of security.

Lock down the AP to MAC addresses that should be allowed on the network.

I'm not a big fan of restricting by MAC addresses. An attacker can just sniff your network for a while to figure out what MAC addresses are being allowed and then change the MAC address on their own card.

In addition to WEP (which is breakable) use a VPN solution from client to the Firewall. PTPP or IPSEC clients and servers are fairly available for most platforms.

Now we're getting somewhere. VPN, IPSec, and SSH tunnelling are probably the only good ways to secure a wireless network.

I've also heard of a project that, using two or more anttenas, it triangulates the position of a client on the wireless network. This allows you to restrict people on your network by their physical location. (Sorry, I heard about this from a LUG meeting, so I don't have a link. The theory is sound, though.)

I suggest using WEP because it will add a hurdle to a possible attack, even with 40bit WEP it can take quite a while to gather enough weak packets to break the key. Most APs have updates that lower the amount of weak packets that are generated. MAC address filtering on the AP only makes the solution more secure by requiring the attacker (after breaking WEP) to _see_ an active client bound to the AP to know its MAC, It adds a small step but for little amount of work it takes to set up it is worth it IMHO. As far as triangulation of the client I have seen some demos and logic behind it but I am not sure that that would fit in with the original poster's concept of "outside the building" =)

I guess my bottom line is:
Make as many hurdles for an attacker to jump over as possible -- With the items I suggested all in place the three "weakest links" in the whole picture are the laptop being used as the client, the person with the password using the laptop, and the physical server.

-Waswas