Consider a WEP-network as a room with public access. Think of it as a dark room and people communicating by calling each other's names audible to everyone.
All means to identify persons eligible to enter are rendered futile due to the nature of that room. After cracking the WEP-key any MAC-address can be spoofed. You cannot increase security for any device within that network, because there are no means to cut off communication effectively or in other words to throw someone out of the room, as you can't see that person.
If you consider your WEP-unprotected network public, you can limit further access to a more secure network segment by enabling access via VPN. This can reduce harm to devices and services located behind the VPN-gateway.
The only faint possibility to keep attackers slowed down eavesdropping within your WEP-protected network is to use heuristics to throw them out of your network as soon as they do „unusual“ things in comparison to the devices normally connected to your network. But keep in mind, that this will lead to a false sense of security as it relies on obscurity of some behaviour of your common network devices. And there is no security by obscurity. Also honeypots used to detect attackers might work only once. Every measure you can use to identify attackers can be analysed by the attackers themselves to circumvent it.
Summarised you can:
- protect network devices within that segment, if they can protect themselves i.e. up to date operating systems tuned to a security level that you might use to log into a public WIFI-network
- protect attached network segments by enforcing usage of VPN for access
you cannot:
- protect credentials used in that segment
- protect obsolete devices within that network from being attacked
- protect communication which doesn't use an encryption totally unrelated to the authentication mechanisms of WEP.
