in reply to Re: Designing a sophisticated wireless application with perl.
in thread Designing a sophisticated wireless application with perl.

To extend this further, I have even seen suggestions of using SSH tunneling as yet another layer, but this can be counterproductive, as with a VPN and a good firewall you can lock down the ports that are open within the VPN tunnel (i.e. only SSL), but if you allow SSH port forwarding you have less control (counterarguments welcome, as I would love to be able to lock down port forwarding under SSH).

A good VPN tunnel should have 3DES encryption or stronger with dynamic keys. These rules and tunnels are a pain to set up but worth it in the long term.

Another thing you can do while locking down MAC addresses at the AP is allocate each a fixed IP, which sometimes helps if you want to set up bidirectional VPNs. This is nice if your software needs to be able to push from the server rather than requiring the data to be pulled from the client, or even if you want to SSH onto the client machine to upgrade the software.

Don't just look at the server side of security; locking down the client is as important as locking down the server. If I hack the client and get it to spool data to a file and then email me that file....

And for the ultra paranoid that can afford it a nice firewall between your web server and database server can help a lot.

Making Wireless LAN Security Air Tight is an interesting read. Location-based services has some interesting points in relation to this also.

Homeland security waiting for Wi-Fi might be of interest. Also, Wi-Fi gets a security boost contains more info on WFA, a more secure version of WEP.

Hope that ramble helped
UnderMine

Update: Added client side issues

Update: Added report link

Update: Added new security related report link

Update: Added WFA report link

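An added example, not part of the original post or thread: OpenSSH server settings that confine port forwarding to a single destination, the kind of lock-down the post asks about. The group name `wlanclients`, the host `app.example.internal` and the key line are placeholders, and a current OpenSSH release is assumed.

```conf
# /etc/ssh/sshd_config (OpenSSH server). Constructed example:
# "wlanclients" and "app.example.internal" are placeholders.

# Weak: the stock behaviour. Any authenticated user may forward to any
# host:port the server can reach.
#   AllowTcpForwarding yes

# Hardened: deny every kind of forwarding globally...
AllowTcpForwarding no
AllowAgentForwarding no
X11Forwarding no
PermitTunnel no
GatewayPorts no

# ...then re-enable one narrow case for the wireless clients only.
Match Group wlanclients
    # Local (-L) forwards only; remote (-R) forwards stay disabled.
    AllowTcpForwarding local
    # The only destination a forward may reach: the SSL port of one host.
    PermitOpen app.example.internal:443
    # No terminal and no usable command. Forwarding limits do not hold
    # against a user with shell access, who can run their own forwarder.
    PermitTTY no
    ForceCommand /bin/false

# Per-key equivalent, one line in ~/.ssh/authorized_keys
# (the key material shown is a placeholder):
#   restrict,port-forwarding,permitopen="app.example.internal:443" ssh-ed25519 AAAA...placeholder client1
```

Check the file with `sshd -t` before reloading the daemon. Clients in this group connect with `ssh -N -L`, since no command or terminal is available to them.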