What is the best way to deal with spam or virus infected hosts in a wireless network with personal laptops (like personal student laptops in a university)? What policies and tools does your company use?
Our University uses Cisco Wireless Control System (Cisco WCS), which has the ability to block clients, among other things.
Windows Server 2008's Network Access Protection feature of the Network Policy Server role. It can even integrate with Cisco switches via 802.1x authentication.
You can require certain patches, anti-virus, or firewall settings... properties grouped together under the banner "system health". Network switches that support NAP and pass-through RADIUS authentication can auto-vlan clients into a protected quarantine.
Windows also has built-in IPSec to protect servers from roaming, non-domain clients as well. You can issue a certificate to "healthy" clients and require that certificate in IPSec SA negotiation. This essentially ipfilters your servers to domain-approved clients. You can also do it without certificates and just require valid Kerberos (domain) authentication. You can apply these 'authentication' IPSec policies to traffic that originates on your workstation subnets that is destined for your server subnets.
NAP requires XP SP3, Vista, and Server 2008 environment. Doing it slickly also may require higher-end switches and a PKI.
IPSec can be implemented using XP, Vista, and Server 2003. But without health evaluation it's more of a 'known machine' vs. 'unknown machine' filter.
Many Wireless Routers and APs support wireless separation, which stops any communication between wireless clients and obviously prevents nasties from spreading, in case your users are not running firewalls.
In fact if you are setting up a small "Hot Spot" with just a Wireless router and a broadband connection and no other hosts then this is pretty much good enough security. If you want to protect your own hosts that's another matter, I'd NAT against the wireless network and only allow HTTP. In a sense clients that come at you from a wireless network where people are using their own unmanaged hardware, even if access is controlled, should pretty much be treated as traffic from the Internet and should be firewalled against with only tried and tested protocols like HTTP being used. I wouldn't use SMB in the scenario for instance.
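A concrete version of that firewall stance, as an added example that is not part of the original answer: a POSIX shell function that emits an nftables ruleset treating the wireless segment like the Internet, NATing it out to the WAN and forwarding only HTTP from it to the server subnet (so SMB and everything else is dropped and counted). The interface names, subnets and port list are assumed placeholders, overridable through environment variables.

```shell
#!/bin/sh
# Added example (not from the original answer). Assumed placeholder values;
# override them in the environment before calling wireless_ruleset.
WLAN_IF="${WLAN_IF:-wlan0}"                  # interface facing the unmanaged laptops
WAN_IF="${WAN_IF:-eth0}"                     # broadband / upstream interface
WLAN_NET="${WLAN_NET:-10.200.0.0/16}"        # wireless client subnet
SERVER_NET="${SERVER_NET:-10.10.0.0/24}"     # your own hosts
ALLOWED_TCP_PORTS="${ALLOWED_TCP_PORTS:-80}" # only "tried and tested" services, HTTP by default

# Print a complete nftables ruleset to stdout.
# Apply with:  wireless_ruleset | nft -f -
# Review with: wireless_ruleset | nft -c -f -   (syntax check only, nothing applied)
wireless_ruleset() {
    cat <<EOF
flush ruleset
table inet wifi_edge {
    chain forward {
        type filter hook forward priority 0; policy drop;
        # replies to connections the wired side or the servers initiated
        ct state established,related accept
        # wireless -> servers: only the whitelisted TCP ports
        iifname "$WLAN_IF" ip saddr $WLAN_NET ip daddr $SERVER_NET tcp dport { $ALLOWED_TCP_PORTS } accept
        # wireless -> servers: everything else (SMB, RPC, ...) is dropped and counted
        iifname "$WLAN_IF" ip saddr $WLAN_NET ip daddr $SERVER_NET counter drop
        # wireless -> Internet: allowed, it gets NATed below
        iifname "$WLAN_IF" ip saddr $WLAN_NET oifname "$WAN_IF" accept
    }
}
table ip wifi_nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        # hide the wireless subnet behind the router's WAN address
        ip saddr $WLAN_NET oifname "$WAN_IF" masquerade
    }
}
EOF
}
```

The forward chain's default policy is drop, so traffic from the wired side toward the wireless clients is also refused unless it is a reply; that is the "treat it as the Internet" rule in both directions. The counter on the catch-all drop line is what you watch (`nft list ruleset`) to spot a laptop that has started scanning for SMB.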
Block their Ethernet port as soon as you see problematic activity, take the machine and clean the virus or wipe if necessary, have a "come to Jesus" with them about clicking on email attachments.