Wi-Fi switch vendor Meru has added an application-aware firewall to its wireless switch that allows QoS to be applied without breaking Wi-Fi security on converged networks.

Meru's switches are particularly aimed at voice over IP (VoIP) users, and the firewall - part of AirShield Security Suite 2.0 - is designed to apply policies to the encrypted traffic, supporting mobile VoIP without breaking security. "The appropriate QoS can be applied to the application flow," explains Kamal Anand, Meru's senior vice president of marketing. "Rate-limiting and policing can be done on the flow, and these policies can be applied per application, per user, and by location - providing flexibility to increase mobility without compromising security."

Meru provides regular-looking access points, and central controllers, but also "radio switches" that use omni-directional antennas to serve four WLAN channels at once, creating a sort of Wi-Fi "blanket" that the company says is good for converged networks, supporting VoIP with a minimum of handovers between cells.

However, voice has traditionally created security issues within Wi-Fi LANs. Handling real-time VoIP traffic can disable functions such as scanning for attacks and rogue access points, and it is difficult to apply QoS policies when wireless traffic is encrypted - as it generally should be.

Meru's equipment can continue security scans while handling a voice call, and the new firewall can examine packet signatures in an encrypted flow. "This allows the Meru equipment to apply the same policies on flows from two types of applications, within end-to-end encrypted flows," says Anand, so a VoIP call within a VPN tunnel can be given better quality than the other traffic in that tunnel: "This enables the enterprises and education institutions to deal with those classes of applications over wireless."

These features have been added to AirShield 1.0, which already handled WPA2, Captive Portal and guest access, as well as dynamic VLANs, rogue AP detection and mitigation. The suite is an extra on top of the Meru network, costing $3,495 in the US for a 30-AP network.

The company also has a mini-blitz promoting its role in network access control, promising its product will work with NAC products from Microsoft, Juniper, Vernier and Lockdown. The backslapping press release boils down to the fact that the companies' products have been tested together, so existing security investments should work on a Meru WLAN. "Meru has qualified and completed the necessary integration work to make certain that the joint solutions work out-of-the-box for our joint customers," said Anand. "In addition we will also promote the joint solutions."

"Most of our customers have already invested significantly in network infrastructure and are not keen on the 'one-size-fits all' approach demanded by certain WLAN vendors," explained Jim Ciociolo, vice president business development, Meru Networks. "Our programme gives our customers assurance that their Meru Wireless LAN System will operate flawlessly with all leading NAC options on the market. Instead of locking our customers into using a single vendor or approach, we offer them the opportunity to work with their choice of leading security companies and solutions."