Here's a document you should probably read when coming up with a solution here:
http://www.interlinknetworks.com/whitepapers/Link_Layer_Security.htmBasically, you're going to want to implement a strong 802.1X solution for access to your network. Windows 2008's Network Access Protection RADIUS is one way to do this, and there are several others as well. You should also familiarize yourself with some wireless security issues and solutions. There's a relatively good wiki on it here:
http://en.wikipedia.org/wiki/Wireless_securityIf you're willing to spend some money, there are a lot of really insane solutions for wireless security out there. Motorola's Air Defense (
http://airdefense.net/) is a pretty powerful little system that can detect and disconnect attackers (Look up information on Wireless Intrusion Prevention), but it's expensive (the company I work for is a distributor, the link is on my profile if you're interested).
Beyond that, I can tell you that MAC filtering is worthless on wireless. All it takes is a couple minutes of sniffing and you've got every MAC address around. Spoofing MACs is cake. Disabling SSIDs is also useless. Two seconds of sniffing finds a cloaked SSID. Also, the type of WPA2 encryption you use is important. You'll want to look into building a Public Key Infrastructure and potentially protecting your server traffic with IPSec. (Info on that here:
http://technet.microsoft.com/en-us/network/bb531150.aspx)
In perfect land, the sky is the limit. In land where money is an issue, well, go find the kid and hit him with a mallet.
