Wireless LAN security has been mis-sold in the past, according to David King, chief executive of one of the leaders in that field, AirTight Networks. It's about time to give it a new role, as an extension to wired security systems, he says. And while we're about it, he wants to give it a new business model, in which wireless security is be sold as a service, not a product.

When King came to AirTight in 2004, they both rebranded themselves. Previously known as Wibhu, Airtight had emerged from India with a wireless planning tool; King moved it towards security. King came to Airtight from Proxim, a wireless outfit which under his leadership had become the first publicly traded wireless LAN company. By moving to AirTight, he says, he was solving the problems created by the networks he had done so much to popularise.

(Proxim was later to repeatedly, fail to capitalise on wireless switches, suffered heavily in a patent lawsuit from Symbol, and was finally bought up by Terabeam, but that's another story).

How do you sell WLAN security?

Wireless security vendors got it wrong, says King. They sold their products as enhancements to the wireless LAN, when wireless intrusion systems are much better considered as an addition to the wired security system - and an important one, he says: "The easiest way into a network is through wireless."

Positioning WLAN security as an extension of WLANs had several unfortunate effects. It limited sales to sites which had wireless LANs already installed, rather than the much larger group of sites that have no wireless and may want to prevent it.

These target customers also had limited the wireless security budgets (they would only spend a fraction of the cost of that wireless LAN).

It also meant that wireless LAN security vendors had to compete against their potential partners, they wireless switch vendors - who were all adding security features to distinguish themselves from their rivals. It's mostly been a war of words, says King, as apart from Aruba, most switch vendors' native software gives you "little more than a bit of rogue detection."

No false alarms?

Given that weakness, there was room for rivals to sprout, the most important names being AirTight, AirMagnet, AirDefense and Network Chemistry. All of them have been competing for a market around $100 million, and all of them have made claims for their products that are so similar it's tempting to give up the attempt to distinguish them.

AirTight has a special claim however - King says his company can eliminate the false positives (false alarms) that happen when a wireless security system misinterprets innocent activity (say from a Starbucks next door) as an attack. With most systems, "the number is hideous," he says. "Eventually you stop trusting the system, and turn it off."

"Other products compare traffic with a table, often created by the user," he says. "We compare traffic on the wire with what is in the air."

King also believes AirTight excels at locating rogues and attackers, pinpointing them to within a few feet, and blocking their activity, depending on the number of probes a user has installed. "For raw detection, you need a probe for every three to five APs, for blocking you need one for every two to three APs." To locate rogues and attackers to within 5m, requires nearly one probe for every access point, he says - something that can be installed with multi-radio APs, such as those from Colubris.

As evidence, King points to wireless vendors that have adopted AirTight to offer wireless security on their switches, including Colubris, and Extricom . Interestingly, 3Com has adopted AirTight, on Trapeze switches it resells, even though Trapeze favours rival AirDefense.

Selling it as a service

The proof of the pudding, however, will be whether AirTight can sell its product as a service - something King says the company will announce within the next few months.

"There's a trend to managed services," he says, particularly in security, where new attacks must be added to the database which systems use to spot intrusions. Users also need ongoing training. "It turns it from a capex problem to one of opex," he says.

The idea has been tried, for instance, by NCS Datacom, which launched a service based on AirDefense's AirPatrol in 2003, but King believes such services have generally proved to be unmanageable, owing to the high level of false positives that have to be resolved manually.

802.11n probes needed soon?

In future, King says AirTight will upgrade its products to keep pace with developments such as 802.11n which, he says, will be implemented in networks fairly quickly. "Sensors have to operate at that speed too."

Moving to 802.11n is more crucial for security systems than production WLANs, says King, because all the rogues installed by users on corporate networks will be draft-N, now that technology is triumphing in the shops.