I'm a developer and not a sysadmin, so I'm going to ask this question the best I can.
I am working on a web application for mobile devices. Since it is in development, it is only available on our internal network. The WiFi access points at my company are for "guest use" and get a connection that is outside the corporate firewall. Employees that use the WiFi need to use VPN in to access the corporate network.
I have mobile devices with WiFi that I want to connect to my internal network for testing my web application. Not all of them have VPN capability.
Here is my question: How can I set up a WiFi access point and only allow it to route traffic to a whitelist of the IP addresses of my web servers? Can this be an off-the-shelf wireless router, or does it need to be a server with a WiFi card?
I don't want to set up a rogue endpoint and compromise corporate security, so I plan on going through my IT department, but I want to go to them informed of the possibilities.
If this is for a company project, they should be able to set up a temporary WAP that will only allow access to your device MAC addresses and not broadcast an SSID. If your devices support encryption that can be set up as well, and use the lowest power setting to restrict range.
It depends really on your corporate environment. If they are really nervous about security then you would need to probably set up a firewall server that will only allow certain routing rules to mediate the wireless connection to internal network.
In the end you're asking for a wireless connection that goes to "sensitive" internal assets, regardless of a whitelist. If someone were determined to break your wireless connection they could spoof your device's MAC address, steal an IP (if you are talking whitelisting connectors to the WAP and not destinations), sniff connections (if you're not running WAP), etc.
So like I said... it depends on the corporate environment. The options I see are to give you access through a firewall to mediate and log activity, or put in a WAP of some kind with provisions for whitelisting what it can connect to in routing, what can connect to it via hiding the SSID and MAC filtering, and using strong encryption, or setting you up with a testbed network that is "closed" so you would run your test app in a VM (or VMs) to connect to your wireless machines and not have any access to the actual network.
Last you could talk to them about setting up a machine that runs on the public network wirelessly but connects via VPN, and routes your wireless device from that machine through the VPN to the internal network (basically taking a machine that works on the VPN and having it "Share" the connection as a router). Still insecure though as others could connect to that computer too, so you'd have to do something to monitor who's connected.
It sounds like your company has taken the appropriate measures to secure wireless access, namely a VPN endpoint and no direct internal routing. However, it's relatively easy to set up a wireless access point with only specific routes and specific firewall rules, and based on their current setup I would suspect that they would be able to do this, although there would be security concerns that are not easily removed.
Pretty much any commercial/enterprise wireless access point will work (in contrast to a WAP or WAP router for home), with a firewall sitting right behind it. In the simplest case you could cross-connect a WAP to a Linux host's network adapter and do all of your IP forwarding / host filtering on that machine. This is cheap and very easy to implement, probably less than half an hour to get working. I wouldn't recommend going all the way and putting a Linux machine in AP mode; there can be a lot of complexity in getting that to work correctly. It's much easier to use an external third-party AP unless you have very specific experiments you are doing and wish to have fine-grained control over beacon intervals or other such wireless protocol-level details.
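As an added illustration (not from the answer above), here is what the "Linux host doing the forwarding / host filtering" could look like: a small POSIX shell function that builds an nftables ruleset which drops all forwarded traffic by default and only lets the AP-side interface reach a whitelist of web server addresses on TCP 80/443, logging everything else it drops. The interface names and addresses are hypothetical placeholders; the host would also need `net.ipv4.ip_forward=1` and the generated text loaded with `nft -f`.

```shell
#!/bin/sh
# gen_ruleset AP_IF CORP_IF "IP IP ..." -> prints an nftables ruleset on stdout.
# AP_IF is the interface cross-connected to the access point, CORP_IF the
# corporate-side interface (both hypothetical names); the IPs are the web
# servers the test devices may reach. Whitelisting happens on the destination,
# not on the client MAC, so a spoofed client still only reaches the test servers.
gen_ruleset() {
  ap_if=$1; corp_if=$2; allow=$3
  set_elems=""
  for ip in $allow; do
    # Refuse anything that is not a plain dotted-quad so a typo cannot widen
    # the allow list (e.g. a hostname or a CIDR sneaking in).
    case $ip in
      ""|*[!0-9.]*) echo "gen_ruleset: bad address '$ip'" >&2; return 1 ;;
    esac
    set_elems="${set_elems}${set_elems:+, }$ip"
  done
  cat <<EOF
flush ruleset
table inet testlab {
  set webservers {
    type ipv4_addr
    elements = { $set_elems }
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    # Replies to already-accepted test traffic
    ct state established,related accept
    # Only the AP side -> corporate side, only to the listed servers, only HTTP(S)
    iifname "$ap_if" oifname "$corp_if" ip daddr @webservers tcp dport { 80, 443 } accept
    # Everything else from the AP side is dropped and logged for IT to review
    iifname "$ap_if" log prefix "testlab-drop: " drop
  }
}
EOF
}

# Example run with constructed values; pipe into `nft -f -` on the real host.
gen_ruleset wlan0 eth0 "10.0.5.10 10.0.5.11"
```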