You definitely want to use wireless APs, not wireless routers. Use your Ethernet switches to connect all APs to...
a single subnet that you will designate for wireless stations. Place an access controller between this wireless subnet and your existing wired subnet. That device can be a traditional dual Ethernet firewall, a WLAN server from the likes of Bluesocket or Vernier Networks, or a WLAN switch from a company like Airespace or Trapeze Networks. This device will protect your wired network from wireless intrusion by authenticating WLAN users and enforcing policies that determine what they can access.
In addition, you should enable security features on your APs. Newer business-grade APs support WPA for link encryption and integrity, combined with 802.1X for port access control and dynamic key delivery. Residential/SMB APs are also starting to support WPA, but are typically used with WPA-PSK (WPA with a preshared key). If you don't have an 802.1X-capable RADIUS server, use WPA-PSK. If you have a RADIUS server that you want to use to authenticate WLAN users, you can benefit from using 802.1X instead. WPA requires support from your AP and all stations. If all your stations run Windows XP and you choose wireless cards that support WPA, then try using WPA from the start. If some of your stations run other operating systems or you must support multi-vendor cards without WPA, then get started with WEP first, upgrade to WPA later. To learn more about WPA, see the Wi-Fi Alliance Web site. You may also be interested in reading my primer on 802.1X.
WPA and WEP secure the wireless link and should be used no matter what kind of access control you place between your APs and wired network. WEP is often used with MAC access control lists; this can be helpful to keep outsiders from associating with your APs. However, MAC addresses are easily forged; all an intruder needs to do is sniff the air for legitimate traffic and "borrow" another station's address. So you shouldn't depend on MAC filters alone for WLAN access control. 802.1X raises the bar by allowing user authentication as part of AP access control. Only stations that authenticate get dynamic encryption keys and can access the network behind the AP. 802.1X and related authentication standards are still being refined, but is already a lot stronger than using MAC filters.
I do recommend using an access controller behind your APs, even if you use WPA. WPA with either PSK or 802.1X provides all-or-nothing access to your network. An access controller gives you more granular control over destinations, protocols, bandwidth, etc, at a single point of entry into your wired network. You will not have to depend on the security of any individual AP to protect your wired network, and you can manage, monitor, and log access at one point. WLAN servers and switches offer additional features, like facilitating mobility when stations roam or load-balancing traffic across multiple APs. Features vary, but I recommend that you take at a quick look at what these offer before you decide on your WLAN architecture. You COULD use only APs, connecting them directly into your wired network's switching fabric, but this would be risky without hardened APs and robust access controls.
Dig Deeper on Enterprise mobility strategy and policy
Related Q&A from Lisa Phifer
As the remote workforce increases, network managers and users might opt to set up two concurrent VPN connections from the same remote device. But ... Continue Reading
Is there a difference between a wireless access point vs. a router? Yes -- while the two wireless devices are related, they meet different needs in a... Continue Reading
Learn the differences between site-to-site VPNs vs. remote-access VPNs and find out about the protocols, benefits and the data security methods used ... Continue Reading