Wireless Hotspot Security

Securing a laptop for staff members to connect via hotspots is a very difficult task involving security at various levels, and the solutions can be very costly.

If the data in your network is that important, which is obvious, you can try these implementations.

  1. Secure the physical drive by encrypting and locking down the system by not allowing any script to run or any program to be installed.
  2. Push tested security updates regularly.
  3. Keep the firewall rules hard and should be allowed to be disabled by users.
  4. Encourage or educate users (MOST IMPORTANT) to connect via secured networks only. Also educate them about the threats via emails, messages and so on.
  5. Disable the local network using a remote VPN policy (have seen this in action almost everywhere) so that data cannot be passed to any other network.
  6. If cost is not a problem and the data is of utmost significance, then the laptop should be made a thin client with the above implementations and should use a Citrix or Xen presentation server to connect to a remote terminal and work under a secure environment.

You just have to configure a firewall on each laptop to block all network traffic (output as well as input), except the packets needed to mount and run the VPN connection.

On Windows, the firewall settings can be easily managed by setting GPO in Active Directory.


I think, to be more specific, you would only allow the primary wireless interface to accept packets from "home" (your VPN server address pool), and deny all other incoming traffic. Then you would configure the firewall to allow all traffic over the VPN device. It sounds like you already have the proper filtering covered at the VPN level.
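
The lockdown described in the answers above, as an added example that is not part of any of the posts: a shell function that prints a default-drop nftables ruleset allowing only the VPN transport on the wireless interface and all traffic inside the tunnel. It assumes a Linux laptop with nftables; the interface names, server address, protocol and port are constructed placeholders, and the DHCP rule is an added assumption so the laptop can obtain a lease from the hotspot.

```shell
#!/bin/sh
# Added example: emit an nftables ruleset that drops everything except the
# VPN transport on the wireless interface and traffic inside the tunnel.
# All interface names, addresses and ports used here are placeholders.

vpn_lockdown_ruleset() {
    wifi_if=$1    # physical wireless interface, e.g. wlan0
    tun_if=$2     # VPN tunnel interface, e.g. tun0
    vpn_ip=$3     # VPN server IPv4 address (literal IP, so no DNS is needed)
    vpn_proto=$4  # transport used by the VPN: udp or tcp
    vpn_port=$5   # VPN server port

    # Reject values that would produce an invalid or over-broad rule.
    case $vpn_proto in
        udp|tcp) ;;
        *) echo "protocol must be udp or tcp" >&2; return 1 ;;
    esac
    case $vpn_port in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
    esac

    cat <<EOF
table inet vpn_lockdown {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        iifname "$tun_if" accept
        iifname "$wifi_if" ip saddr $vpn_ip $vpn_proto sport $vpn_port accept
        iifname "$wifi_if" udp sport 67 udp dport 68 accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        oifname "$tun_if" accept
        oifname "$wifi_if" ip daddr $vpn_ip $vpn_proto dport $vpn_port accept
        oifname "$wifi_if" udp sport 68 udp dport 67 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}
EOF
}

# Print the ruleset for constructed sample values; after review it can be
# loaded as root with: nft -f -
vpn_lockdown_ruleset wlan0 tun0 203.0.113.10 udp 1194
```

Because both base chains default to drop, a hotspot's captive portal page is also blocked until a rule for it is added, and IPv6 on the wireless interface is dropped entirely.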