We're left with the question: How do you secure your WLAN?

If you are starting from scratch and have no legacy equipment to contend with, the answer is to use WPA with 802.1X authentication and plan a migration to 802.11i when equipment becomes readily available.

You won't pay a premium to use 802.1X. It's free and built into Windows XP and Apple's Mac OS/X. Picking gear that supports 802.1X and WPA is just a matter of looking for the Wi-Fi Alliance WPA-Enterprise sticker. You'll also need a RADIUS server that supports 802.1X authentication.

As an alternative to WLAN-based encryption that WPA and 802.11i offer, you can use IPSec, especially if your network includes a strong IPSec remote-access solution.

From a security standpoint, IPSec offers a stronger model than WPA, but the differences are unlikely to be applicable to anyone outside the military. IPSec also has its own costs, mainly tunneling overhead could cause performance problems in a high-speed environment.

You also can layer a simple VPN protocol, such as Point-to-Point Tunneling Protocol (PPTP), on top of your wireless connections that only support WEP natively. The benefits of PPTP (or any VPN protocol) over simple WEP are authentication and a second layer of encryption. PPTP has a much weaker security model than IPSec, but has been very well supported in all laptop operating systems for more than five years. The likelihood you'll find a device that cannot do WEP plus PPTP is fairly low. The alternatives, such as pure IPSec or IPSec over Layer 2 Tunneling Protocol, are attractive from a security point of view, but not from an interoperability and ease-of-use point of view.

An issue that spans both LAN-based wireless encryption and tunneled VPN deployments is the need to support legacy equipment. There are millions of wireless cards that barely can handle WEP, and have little or no hope of supporting a more sophisticated authentication protocol such as 802.1X.