[Special Report] Top Wireless-Security Vendors Vary In Their Approaches

The growing demand for integrated security on a multitude of wireless-device and network products is a marketing boon for gateway, hardware-chip, and software developers.

John Blyler
July/August 2004

Who are the major players in the burgeoning wireless-security market? The answer to this question depends on how you define the word "major." Some might suggest that it means the companies with the highest revenues. Others might point to companies with the most market share. Perhaps a better approach, though, would be to look at a cross section of wireless-security companies. Such an examination might bring to light appliance vendors like Vernier, AirDefense, Cisco, Bluesocket, and even Nokia. It also would include hardware switch and chip suppliers, such as Broadcom, Proxim, and Via. Even software-intensive solutions like the one from Certicom would now be open to discussion.

This report takes that cross-sectional approach. While it doesn't cover all of the vendors in the security market, this article does present a representative sampling of companies and their wireless-security offerings. Because this is an overview, the companies aren't listed in any particular order. To begin, let's look at some of the wireless-network-appliance companies that make standalone gateway systems and related devices.

VERNIER NETWORKS

The ASP solution consists of the Vernier 6500 series network appliances and the Vernier VNX software. The network appliances, single-purpose devices from which all nonessential functions have been stripped away, include the System 6500 and the IS 6500 Integrated System.

For large enterprises, the System 6500 provides a tiered solution featuring a Control Server and one or more Access Managers. The Control Server allows network administrators to create and manage security policies from a central location. They also can monitor network usage and manage all Access Managers.

The Access Manager is a rack-mountable device. It performs access control, packet filtering, policy enforcement, and intrusion management for both subnets and wireless coverage zones downstream. Each Access Manager is deployed in-line in the data path.
Its purpose is to function as a security gateway between end users and the network core.

The IS 6500 Integrated System provides a single-box solution for smaller deployments. All 6500-series appliances are supported by the company's VNX software, which includes the Vernier Rights Manager, the Vernier Domain Administrator, and policy-enforcement engines. No special software is required to run on the client devices. For more information on the Vernier ASP system, please see the June 2003 issue of Wireless Systems Design (www.wsdmag.com/Articles/Index.cfm?ArticleID=6469).

AIRDEFENSE, INC.

The first tier of the company's layered approach to security consists of remote RF sensors. This type of monitoring provides a continuous view of the network functioning. It can determine whether or not the security policies are being followed. These probes are essential to understanding what devices are in the air space, what devices are connecting with which users, and how the devices are interacting. By monitoring the air space, network administrators can identify trends for unusual traffic patterns, potential network abuse (such as large file transfers), and load balancing.

Recently, AirDefense announced one of the first tools to monitor Bluetooth security. This product, which is aptly called BlueWatch, identifies all Bluetooth-enabled devices and their communications within a given air space. It allows information-technology (IT) administrators to pinpoint devices that are either misconfigured or lacking authentication or encryption.

BlueWatch identifies different types of Bluetooth-enabled devices including laptops, PDAs, keyboards, and cell phones. It provides key attributes, such as device class, manufacturer, and signal strength. More importantly, it can identify the services that are available on each device. Examples include network access, fax, and the audio gateway.

CISCO

The Aironet family of access points and bridges, including the 1100, 1200, 1300, and 1400 series, offers support for all 802.11a/b/g throughputs and protocols. Other Cisco security products include virtual-private-network (VPN) hardware and features for the Internetwork Operating System (IOS) and Security Device Manager software. These programs all support firewalls and identify the source of denial-of-service (DoS) attacks.

BLUESOCKET

All of its gateways offer VPN-like encryption (PPTP and IPsec) and network-management features, such as role-based access control, bandwidth throttling, and authorization/authentication. Secure Mobility lets users roam securely across subnets without re-authenticating. The gateways support all flavors of 802.11 while extending and integrating legacy networking equipment (e.g., Cisco) with wireless infrastructure.

Recently, Bluesocket expanded into the wireless-monitoring market with the BlueSecure intrusion-detection system. This air-security product includes a server and dedicated sensors. They can monitor traffic on 802.11a, b, and g networks. The product allows WLAN administrators to view all user activities including neighboring WLANs, rogue or unauthorized radio APs, and outside threats posed by "wardriving."

The sensor system, which is called BlueSecure RF Sensor, comprises a general-purpose, built-in RF listening device. This device supports 802.11b/a/g as an overlay to enterprises with or without an existing WLAN. Because it works with any vendor's APs or Wi-Fi client devices, it doesn't require any changes to existing wireless or wired infrastructure.

NOKIA

The Nokia Secure Access System (NSAS) is a hardware appliance. It improves wireless security by establishing an encrypted tunnel between the remote mobile/wireless device and the corporate network.
Even if the wireless network is somehow compromised, the company claims that the confidentiality of the data between the remote user and the corporate network will be maintained. By ensuring a high level of security in the remote device itself, this system also improves wireless security. Remote users also are assured that a lost or stolen device won't translate into lost information.

The NSAS is an SSL VPN appliance that connects to an Internet firewall. It is designed to provide secure access to corporate intranets and extranets. It is built on Nokia's IP Security Platform and IPSO secure operating system.

BROADCOM

Broadcom has been incorporating AES technology into its hardware since the fall of 2002. In that same timeframe, the company introduced its original 802.11 product line. AES is required in order to run the now ratified 802.11i standard. Without having AES in hardware, a computationally intensive program could cause Wi-Fi products to slow down to unacceptable levels. The 802.11i standard will be certified interoperable by the Wi-Fi Alliance through its Wi-Fi Protected Access-2 (WPA-2) program. That program is scheduled to launch in September.

Of course, Broadcom also offers a multitude of chip products for the wireless market. For one example, take a look at the October 2003 issue of Wireless Systems Design (www.wsdmag.com/Articles/Index.cfm?ArticleID=6805).

In addition to those hardware offerings, the company recently introduced a software security package called SecureEZSetup™ (SES). This program is designed for the non-technical user. It allows a Wi-Fi network to be securely set up by running a very simple, two-step set-up wizard on a PC. The user answers easy, non-technical questions, such as his or her birth date and pet's name. SES then configures the wireless router and PC by setting up the Service Set Identifier (SSID) and WPA, a standards-based security feature that's built into all Wi-Fi-certified products.
Given the increasing number of users that telecommute or regularly work from home or abroad, SES is very valuable to IT managers and the enterprise environment as a whole. It helps to ensure that all home or satellite office networks are properly configured and security-enabled.

Copyright © 2008 Penton Media, Inc., All rights reserved.