As for the firewall, and monitoring connections - blocking IPs (if a port scan is detected) - set CSF (LFD comes with it) www.configserver.com/cp/csf.html . Worked very well and setup is easy.

> 2) Change the network key, only the boss and I will know the key (Employees enter the keys themselves).
This will not help, picking out the password for Wi-Fi from any OS is quite simple and does not require a lot of knowledge

I don’t understand what the problem is with the Wi-Fi network, I don’t set a password on Wifi at all, why? Why bother with keys and something else there.
There is OpenVpn and we use it. Let them sniff OpenVpn traffic, I don’t feel sorry for it.

There are two solutions here. The first is a complete rejection of wi-fi. The second one is much more complicated, it's a wonderful wi-fi setup with modification of wep itself (stuffing left packets), PEAP authorization and fully encrypted traffic (openVPN). Naturally, it will be impossible to connect from the phone.
ps and remember absolutely any wi-fi breaks with skillful hands with a good card, preferably on prism2 =)

I think that the main problem is the availability of Wi-Fi. Is there an option to opt out?

abandon wpa-eap wpa2-psk and switch to wpa2-eap with authorization through radius in AD or (and) based on certificates,
take the server to the DMZ, protecting it with something like a cisco ASA or PIX thread, again with authorization and rules

I pressed send early… between cisco and the vpn office to access the server from the office and “on the road” clients, if any… well, a portmap to access it from the Internet for ordinary users.
it is clear that the server itself cannot initiate any connections in such a scheme

Org measures:
access to the "clearing" (production) - only the admin (duplicate passwords in the safe at the Head)
Responsible for the deployment of one person (or two) - the admin (and the team leader).
I worked in one paranoid office - there development and the Internet were physically separated - different networks. (there are two computers at the workplace - development and the Internet). Downloaded files from the Internet via samba were uploaded to a shared folder, from there to the development computer. From the developer network - RO access, so the system is a nipple: "blow here - back x * d" The
minus of this approach: an extra computer for the developer, plus - horseradish soproesh the source code, the database ... You can only print (the printer is in the office at the head of the department) or film it.
Tech measures:
if you can not refuse WiFi
then strict IP routing and mac binding
or any DHCP! only static allowed IPs.
configuring production SSH access to a specific IP. Take one more IP from the provider (usually they give three pieces at least for a company). One will be strictly admin, one for the router for the entire office. If an attacker gets into the network, he will not be able to get into production.

You shouldn't change the SSH port, it won't be broken anyway. What if people can break SSH? then it will not be difficult for them to find the SSH port. So I think it will only hurt.