device isolation on cisco 1200's


samuri
09-01-2005, 05:43 PM
We run many WAPs at various sites with unencrypted associations. These are all Cisco 1200s. The only connections that can be made from these WAPs are to an internet-facing VPN, which is plenty secure. However, if a device is associated with the WAP and connected to the wired network, then obviously the device can be used as a jump off for an attacker. Plus, obviously, any device just associated can be attacked.

Is there any way that 1200s can be configured to hide all wireless devices from each other? Are there any Cisco WAPs that can do this?

All our laptops run a desktop firewall, and the only way I could see of protecting them is to disallow inbound connections from any of our wireless DHCP ranges, but I was also hoping that the WAPs themselves could provide this level of security.

Thanks,
jon.

M/Q
09-25-2005, 08:51 AM
This is an interesting question and I am sorry but I have to ask a few questions to understand the situation. You allow unencrypted association with the Cisco APs? Are you saying that all wireless traffic is unencrypted? If so, then the entire system is suspect regardless of how secure the VPN link is. That information, as well as the VPN authentication handshake traffic, is up for grabs, if I understand the situation correctly.

How many nodes do you see connecting to the AP? Have you ever looked at VxWorks by Cisco? One way to isolate further the AP clients is to assign each node to a different VLAN. That can be accomplished by using the VxWorks. Check out this link.

http://www.cisco.com/en/US/products/hw/wireless/ps430/products_configuration_guide_chapter09186a00800e1206.html#32980