If your existing broadband router has a DMZ port, that would be a perfect location to connect a wireless router. If not, then consider alternatives that would prevent wireless users from reaching your network. For example, if you have a separate broadband modem, can you connect both your wireless router and broadband router into the modem? Or connect the wireless router to the modem, then connect the broadband router to a switch port on the wireless router. Think in terms of making sure that whatever is protecting you from Internet-based attacks right now (your broadband router) will continue to protect you from wireless-based attacks. That will help you to sustain your existing level of security when you add the wireless router.
Of course, it's also important to secure the wireless network itself so that unauthorized users won't eat up your bandwidth. Most entry-level wireless routers support access control lists based on MAC address. Some support the stronger 802.1X port access control. Small offices are more likely to use MAC ACLs, while larger companies that have a RADIUS servers should use 802.1X. If you're somewhere in between, then consider a managed 802.1X service like the one offered by WSC. It's also a good idea to enable wireless link encryption. Most new wireless routers now support Wi-Fi Protected Access, used with either 802.1X or Preshared Secret Keys (PSKs). Again, small offices are more likely to use PSKs - if that's you, then be sure to pick a random value that's at least 20 characters long. Finally, encourage wireless users to run desktop firewall software to prevent being probed by wireless intruders. If your wireless router supports it, consider blocking the flow of traffic between wireless users.
This was first published in February 2004