Answer some questions before making decisions:
- what authentication types and ciphers are supported by your client devices. Only here you'll find what you *can* implement. If there are WLAN print servers only capable of WEP40...
- what is an appropriate security level for your wired LAN, or is there *any* security level on the wired side. If the cleaning woman can plug a notebook with Ethereal into your network you don't need to bother much about *wireless* security.
- WPA is widely available and there is absolutely no concern about TKIP. The RC4 cipher is OK if there is enough randomness in the IV. WEP was broken by the lack of randomness in the IV.
- Using dynamic keys via EAP-something is usually a good practice; you have good central monitoring of who has used the network at your RADIUS. Changing the WEP keys on 20 or 50 APs can be done in minutes or a few hours, but days to weeks on different client devices.
- PEAP/LEAP/TTLS are usually much easier to deploy and give the same level of security. The weak point is not only cryptography; usually the weak point sits between terminal and chair. With TLS you'll run into the user calling the help desk: "Done nothing, worked yesterday", and the user is right!!! The certificate has expired and cannot be renewed because there is no network connection to get the new one from your CA server.
- There must be a strategy for recognizing rogue APs. There are products that can help you, but your security concept is *always* the most important part of the solution. You cannot "buy" security without the cost of supervising the rules.
- There is no 100% security warranty. But if your house is better secured than your neighbour's, the burglar will go into your neighbour's house. There are reasons to raise the level, but going from 99,9% to 99,99% will be expensive, and if you have to secure against high-tech criminal energy the weak point will soon be the "social attack".
- Perhaps long-term availability, or at least a defined life cycle, is a concern when using/allowing only internally certified components in your network. You cannot buy Linksys/Netgear/D-Link because you don't know what you get on your next order. They often replace their models with totally different ones without notice. Instead of fixed firmware/driver releases you may get replaced bugs.
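The post's point about recognizing rogue APs is easiest to see as a concrete check. The following is an added example, not code from the original poster: it compares a wireless site-survey result against an inventory of the APs you actually deployed and labels anything that does not match. The inventory, the BSSIDs and the scan results are all constructed for this example; the `(ssid, bssid, channel)` shape of an observation is an assumption about what a survey tool exports, not a real product format.

```python
"""Added example (not from the original post): flag rogue access points
by comparing a wireless scan against an inventory of authorized APs.

Assumptions (constructed for this example): scan results are
(ssid, bssid, channel) observations as a site-survey tool might export
them, and the authorized inventory maps BSSID -> (ssid, channel).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    ssid: str
    bssid: str
    channel: int


# Constructed inventory of the APs the organisation actually deployed.
AUTHORIZED = {
    "00:11:22:33:44:01": ("corp-wlan", 1),
    "00:11:22:33:44:02": ("corp-wlan", 6),
    "00:11:22:33:44:03": ("corp-wlan", 11),
    "00:11:22:33:44:04": ("corp-wlan", 1),   # deployed but switched off today
}

# Constructed scan: two legitimate APs, our SSID on an unknown BSSID,
# a legitimate BSSID that changed channel, and a neighbour's network.
SCAN = [
    Observation("corp-wlan", "00:11:22:33:44:01", 1),
    Observation("corp-wlan", "00:11:22:33:44:02", 6),
    Observation("corp-wlan", "aa:bb:cc:dd:ee:ff", 6),
    Observation("corp-wlan", "00:11:22:33:44:03", 3),
    Observation("neighbour-net", "de:ad:be:ef:00:01", 11),
]


def classify(obs, authorized=AUTHORIZED):
    """Label one observation relative to the inventory."""
    known = authorized.get(obs.bssid.lower())
    our_ssids = {ssid for ssid, _ in authorized.values()}
    if known is None:
        if obs.ssid in our_ssids:
            return "rogue-ssid-spoof"      # our SSID on hardware we never deployed
        return "foreign"                   # someone else's network; note and move on
    exp_ssid, exp_channel = known
    if obs.ssid != exp_ssid:
        return "reconfigured-ssid"         # our hardware, but its config changed
    if obs.channel != exp_channel:
        return "reconfigured-channel"
    return "authorized"


def audit(scan, authorized=AUTHORIZED):
    """Group observed BSSIDs by label and list inventory APs not seen at all."""
    report = {}
    seen = set()
    for obs in scan:
        report.setdefault(classify(obs, authorized), []).append(obs.bssid)
        seen.add(obs.bssid.lower())
    # An AP that is in the inventory but absent from the survey is also
    # worth a ticket: it may be down, moved, or replaced by something else.
    report["missing"] = sorted(set(authorized) - seen)
    return report


if __name__ == "__main__":
    for label, bssids in audit(SCAN).items():
        print(f"{label:22s} {', '.join(bssids) or '-'}")
```

The labels are deliberately coarse: the SSID-spoof and reconfigured cases are the ones that need a person to walk over and look, while "foreign" is normally just recorded so the next survey can tell new neighbours from old ones.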
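The post also mentions that EAP with a RADIUS server gives you central monitoring of who has used the network. As an added example (not from the original poster), here is a small summariser over RADIUS accounting records: it pairs Start and Stop packets by session id, lists sessions that never stopped, and flags users seen from more than one client MAC. The log text is constructed for this example in the general style of a RADIUS "detail" accounting file (one block per packet, blank-line separated, indented `Attribute = Value` lines); real servers differ in layout, so the parser is an assumption, not a product's format.

```python
"""Added example (not from the original post): summarise WLAN usage from
RADIUS accounting records.

The records below are constructed for this example in the style of a
RADIUS "detail" accounting log; the exact layout of a real server's
output is an assumption here.
"""
from collections import defaultdict

# Constructed accounting log: alice starts and stops, bob starts and
# never stops, then alice starts again from a different device.
ACCT_LOG = """
Mon Mar  4 08:01:10 2024
    Acct-Status-Type = Start
    User-Name = "alice"
    Calling-Station-Id = "00-11-22-AA-BB-01"
    NAS-IP-Address = 10.0.0.2
    Acct-Session-Id = "s1001"

Mon Mar  4 08:02:30 2024
    Acct-Status-Type = Start
    User-Name = "bob"
    Calling-Station-Id = "00-11-22-AA-BB-02"
    NAS-IP-Address = 10.0.0.3
    Acct-Session-Id = "s1002"

Mon Mar  4 09:30:00 2024
    Acct-Status-Type = Stop
    User-Name = "alice"
    Calling-Station-Id = "00-11-22-AA-BB-01"
    NAS-IP-Address = 10.0.0.2
    Acct-Session-Id = "s1001"
    Acct-Session-Time = 5330

Mon Mar  4 09:45:00 2024
    Acct-Status-Type = Start
    User-Name = "alice"
    Calling-Station-Id = "00-11-22-AA-BB-09"
    NAS-IP-Address = 10.0.0.2
    Acct-Session-Id = "s1003"
"""


def parse_records(text):
    """Split the detail-style text into one dict per accounting packet."""
    records = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        rec = {"timestamp": lines[0].strip()}
        for line in lines[1:]:
            key, _, value = line.strip().partition(" = ")
            rec[key] = value.strip('"')
        records.append(rec)
    return records


def summarize(records):
    """Pair Start/Stop packets by Acct-Session-Id into session dicts."""
    sessions = {}
    for rec in records:
        sid = rec["Acct-Session-Id"]
        s = sessions.setdefault(sid, {
            "user": rec["User-Name"],
            "mac": rec["Calling-Station-Id"],
            "nas": rec["NAS-IP-Address"],
            "start": None, "stop": None, "seconds": None,
        })
        if rec["Acct-Status-Type"] == "Start":
            s["start"] = rec["timestamp"]
        elif rec["Acct-Status-Type"] == "Stop":
            s["stop"] = rec["timestamp"]
            s["seconds"] = int(rec.get("Acct-Session-Time", 0))
    return sessions


def open_sessions(sessions):
    """Sessions with a Start but no Stop: still on, or the AP lost the Stop."""
    return sorted(sid for sid, s in sessions.items() if s["stop"] is None)


def users_with_multiple_devices(sessions):
    """Users whose sessions came from more than one client MAC."""
    macs = defaultdict(set)
    for s in sessions.values():
        macs[s["user"]].add(s["mac"])
    return sorted(u for u, m in macs.items() if len(m) > 1)


def total_seconds_per_user(sessions):
    """Connected time per user, counting only sessions that have stopped."""
    totals = defaultdict(int)
    for s in sessions.values():
        totals[s["user"]] += s["seconds"] or 0
    return dict(totals)


if __name__ == "__main__":
    sess = summarize(parse_records(ACCT_LOG))
    print("open sessions:", open_sessions(sess))
    print("multi-device users:", users_with_multiple_devices(sess))
    print("seconds per user:", total_seconds_per_user(sess))
```

A user appearing from a second MAC is not by itself an incident (laptop plus phone is normal), but it is the kind of thing the post's "central monitoring" lets you ask about, and it is invisible when every client shares one static key.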