Concerns about Wi-Fi security have led to a paradox.

On the one hand, vendors have responded with an ever-increasing armoury of security technology to make sure that even the cheapest of SOHO access points is proof against snooping and hacking.

On the other hand, there is continuing evidence that - even though surveys show they are concerned about Wi-Fi security - users can't be bothered to apply this stuff. While IT managers are aware of the dangers, many access points are installed without proper controls.

There are two factors in this problem. Firstly, security - designed to make it difficult for unauthorised users to access networks - is actually difficult to apply in the first place. Vendors are finally realising that putting security features in is not enough: unless they can make security easy to implement, it's all going to be wasted effort.

Secondly, wireless security is inherently tricky, because you have to reliably secure a connection across an insecure medium, the wireless link. This is not a new problem in computing: making secure links for transactions across the (unsecure) Internet has been the basis of all Internet commerce, for several years now. And securing messages that may be intercepted is the whole reason for cryptography, going back to Julius Caesar.

Up to now, people have tended to assume the LAN is immune to snooping. WLANs potentially open it up, so efforts to make those WLANs secure have been seen as crucial in persuading users - commercial and domestic - to adopt WLANs.

SOHO kit gets secured
At the Consumer Electronics Show last month, Broadcom made a splash with SecureEasySetup, a technology that uses a simple push-button to configure security on an access point when the user installs it. Broadcom's big rival in Wi-Fi chips, Atheros, was not to be left out, and came out with its own scheme, JumpStart.

Both schemes are available with chipsets, and so will become part of a wide range of systems. They are particularly intended for SOHO users and small offices, as large WLAN installations probably use a product such as Airespace, Aruba or Trapeze, in which the "dumb" access points are set up before installation. However, the technology could also be of use in companies that don't have a centralised WLAN system, but want Wi-Fi in branch offices where an IT manager is not available.

Both technologies set up secure connections between the access point and client devices, by
Broadcom's SecureEasySetup was first launched, at the chip level, last May, under the name SecureEZSetup. At CES, it was endorsed by HP and Linksys; Atheros' JumpStart is being implemented in products from D-Link, who helped develop it. At this point, the adopters are not that crucial, as the technology will clearly be bundled with the chipsets and available to anyone that wants it.

The two technologies work in quite a similar way, and have been compared by Glenn Fleishman at Wi-Fi Networking News.

Broadcom's technology tries to make something that will be suitable even for consumer devices with a limited user interface. You have to have both the AP and the client device next to each other, and push a button on both devices at the same time.

It might theoretically be possible for a device in the next room to jump on at this time, so Atheros' JumpStart requires a pass-code to be keyed in at the client device. This is fine for devices with keypads, but could be tricky for devices where there is no obvious way to enter data. Atheros also criticises Broadcom for wanting a button on the front of an access point: "adding wire and a button could actually be a significant issue for commodity equipment," says Fleishman.

The fundamental problem
Making any connection secure requires some trusted information, whether it is a password, or a trustworthy version of a partner's public key. To get this requires either a measure of trust in the link, or an "out of band" communication, such as typing in a WEP key.

Both Broadcom and Atheros make "out of band" communications as easy as they can, either by pushing a button when told to do so, or by entering a short code. As these features are integrated into access points, it is likely that this kind of simplification can be harnessed by IT managers who want to have access points installed by untrained users.
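
The role of the out-of-band value can be shown with a short sketch. This is an added example, not Broadcom's or Atheros' protocol: it assumes a toy Diffie-Hellman exchange in which each side authenticates the public values with an HMAC keyed by the pass-code, and every name and parameter in it is hypothetical.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters, for illustration only (an assumption of this
# example; neither vendor's actual parameters or protocol appear on the page).
P = 2**255 - 19
G = 2

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def tag(passcode, own_pub, peer_pub):
    """HMAC keyed by the out-of-band pass-code over both public values."""
    msg = own_pub.to_bytes(32, "big") + peer_pub.to_bytes(32, "big")
    return hmac.new(passcode.encode(), msg, hashlib.sha256).digest()

def session_key(priv, peer_pub):
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(32, "big")).digest()

def enrol(code_on_ap, code_typed, interceptor=False):
    """Run one enrolment; return (accepted, keys_match)."""
    ap_priv, ap_pub = keypair()
    cl_priv, cl_pub = keypair()
    seen_by_ap, seen_by_client = cl_pub, ap_pub
    if interceptor:
        # A nearby device substitutes its own public value in both directions.
        # It never saw the pass-code, so it can only relay the tags unchanged.
        _, rogue_pub = keypair()
        seen_by_ap = seen_by_client = rogue_pub
    ap_tag = tag(code_on_ap, ap_pub, seen_by_ap)
    cl_tag = tag(code_typed, cl_pub, seen_by_client)
    # Each side recomputes the tag an honest peer holding the same code would send.
    ap_ok = hmac.compare_digest(cl_tag, tag(code_on_ap, seen_by_ap, ap_pub))
    cl_ok = hmac.compare_digest(ap_tag, tag(code_typed, seen_by_client, cl_pub))
    keys_match = session_key(ap_priv, seen_by_ap) == session_key(cl_priv, seen_by_client)
    return ap_ok and cl_ok, keys_match

# Caveat: a short code used directly as a MAC key can be guessed offline from
# captured tags; the sketch only shows why the out-of-band value is needed.

if __name__ == "__main__":
    print(enrol("4821", "4821"))                    # honest pairing
    print(enrol("4821", "4821", interceptor=True))  # substituted keys
    print(enrol("4821", "1111"))                    # wrong code typed
```

Without the pass-code check, the substituted-key run would complete with the access point and the client each holding a different key, and neither would know.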