Create a security policy defining precisely what protocols and destinations will be allowed for wireless clients. Define authentication and encryption mechanisms appropriate to the sensitivity of permitted traffic.
Employ physical and logical separation of networks. Don't just plug an AP into the LAN. Consider using host-based routers, such as FreeBSD. Host-based routers are highly configurable and can perform IDS tasks. Use a router between the LAN and the wireless network. Configure a firewall on the router to allow only traffic defined in the security policy. Address APs and clients to discrete logical networks and block routing between them.
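The following is an added example, not part of the original post: a small first-match, default-deny rule evaluator that audits a router rule set against the written policy, comparing an AP plugged straight into the LAN with the routed, segmented layout described above. The address ranges, the single VPN gateway on UDP 1194, and all names are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing plan (assumption): separate logical networks.
CLIENTS = ip_network("10.20.0.0/24")     # wireless clients
AP_MGMT = ip_network("10.21.0.0/24")     # access point management
VPN_GW = ip_network("192.168.1.10/32")   # hypothetical VPN gateway on the LAN
ANY = ip_network("0.0.0.0/0")

# Security policy: the only (src, dst, proto, port) entries wireless may use.
POLICY = [(CLIENTS, VPN_GW, "udp", 1194)]

# Rule = (action, src, dst, proto, port); None matches any proto or port.
FLAT = [("pass", ANY, ANY, None, None)]       # AP plugged straight into the LAN
ROUTED = [
    ("block", CLIENTS, AP_MGMT, None, None),  # no routing from clients to APs
    ("block", AP_MGMT, CLIENTS, None, None),  # and none from APs to clients
    ("pass", CLIENTS, VPN_GW, "udp", 1194),   # the one flow the policy allows
]

def hit(src_net, dst_net, proto, port, flow):
    """True if flow (src, dst, proto, port) falls inside the given match."""
    src, dst, f_proto, f_port = flow
    return (ip_address(src) in src_net and ip_address(dst) in dst_net
            and proto in (None, f_proto) and port in (None, f_port))

def decide(rules, flow):
    """First matching rule wins; anything unmatched is blocked."""
    for action, *match in rules:
        if hit(*match, flow):
            return action
    return "block"

def audit(rules, probes):
    """Return (flow, decision) pairs where the router disagrees with POLICY."""
    def want(flow):
        return "pass" if any(hit(*p, flow) for p in POLICY) else "block"
    return [(f, decide(rules, f)) for f in probes if decide(rules, f) != want(f)]

# Constructed probe flows used to exercise both rule sets.
PROBES = [
    ("10.20.0.50", "192.168.1.10", "udp", 1194),  # client to VPN gateway
    ("10.20.0.50", "192.168.1.25", "tcp", 445),   # client to a LAN file server
    ("10.20.0.50", "10.21.0.2", "tcp", 80),       # client to AP admin page
    ("10.21.0.2", "10.20.0.50", "tcp", 22),       # AP to client
]

if __name__ == "__main__":
    for name, rules in (("flat", FLAT), ("routed", ROUTED)):
        print(name, audit(rules, PROBES))
```

An empty audit result means every probe was handled exactly as the policy says; the flat layout reports each flow it lets through that the policy never authorised.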
It really depends on your level of paranoia and what you're trying to protect.
The basics are:
Change the router password, SSID, SMTP community names, and WPA keys.
IP and MAC filtering are useful only if you have a known number of connecting wireless laptops and PDAs. Unless you enjoy diving into the wireless access point configuration every time a visitor with a laptop arrives, you should not use IP and MAC address filtering.
Provide authentication of some sort. That basically means you need a RADIUS server somewhere in the system to authenticate wireless users. If your corporate LAN has some always-on servers, RADIUS servers are commonly available. You can also do it with MS Active Directory or LDAP servers.
So much for the basics. You don't mention how the wireless is being used by the corporation. So, I get to guess what you're doing. Two common uses are:
Wireless access for employees that access the LAN servers and the internet.
Wireless access for visitors that access only the internet and have no access to the corporate LAN.
There are many many many ways to implement both of these. If you're planning on doing both, then you may as well install two sets of wireless access points. It can be done with one access point but you better have a very intelligent router (i.e. Cisco) as you will find the commodity hardware very limiting.
Another common method that works well is to not use any security on the wireless access point at all. No encryption or authentication at all. Instead, users connect via a VPN client and server. The VPN provides the necessary encryption, authentication, and authorization. It also cannot be sniffed. Random hackers will see the access point, but without access to the VPN server, they go nowhere.
What's nice about this method is that you can set up a corporate version of the common "wireless hotspot" for visitors which does not require a VPN client, and still have corporate users go through the VPN. The problem is that to maintain some level of sniff proofing, the visitors will need to enter a WPA pass phrase. Administering this WPA pass phrase between permanent corporate users and transient visitors has proven to be a problem.
This is actually just the start of the level of technology available for larger systems. There are wireless switches, roaming enhancements, USB dongle keys, X.509 certificates, authentication servers, and mesh networks. You'll need to disclose some details as to what the corporation is doing with wireless to offer any more hints.
How do people implement wireless on their work networks? I have a client that has set up WEP128 encryption, MAC address filtering and that's it. It would be better to move to WPA encryption of course if end users' PDAs support it, etc.
Now would the packet filtering on the access point be good enough, or would it be wiser to implement a firewall between the local LAN and access point?
Or is it better to have no encryption and set up a VPN server between the local LAN and access point?