Addressing the WLAN security issue, Cavium Networks Inc. today will unveil what it claims is the first family of network security processors to incorporate the almost-complete security extensions being defined by the IEEE 802.11i working group. The 802.11i effort seeks to fortify the easily broken wired equivalent privacy protocol and was the original source of the authentication and security functions now offered under Wi-FI Protected Access (WPA). By strengthening security in Layer 2, WPA v.2 will help reduce IPsec's vulnerability in Layer 3, said Rajiv Khemani, vice president of marketing at Cavium (Santa Clara, Calif.).

Dennis Eaton, chairman of the Wi-Fi Alliance, said the 802.11i working group has pored over the comments about Revision 4 of the .11i draft standard and expects the standard to be fully ratified in six to eight months. To speed that process, Eaton said, the group is considering dropping the fast-roaming, fast-authentication extensions and will instead propose the formation of a separate working group to see that effort through. The title of the new group has yet to be determined.

While not yet a formal standard, 802.11i is, "from a technical point of view, pretty much done," said Khemani. Eaton said any modifications could be made via software or firmware upgrades.

Cavium said its new Nitrox Wireless network security processors will help drive WLANs into the enterprise. The devices, which offload security packet processing from a main CPU or network processor, offer a range of performance from 50 Mbits/second to 4 Gbits/s, with support for several standard-bus options.

Khemani said that increasing traffic through WLAN aggregation boxes, along with the use of compute-intensive security protocols, rules out the application of software to execute security tasks. Moreover, he said, AES encryption requires a security co-processor on both the WLAN switch and enterprise access sides.

Khemani said the Nitrox Wireless family is the first silicon available with full 802.11i compliance. The processors are microcode-programmable to allow protocol updates as security standards evolve.

The appeal of being untethered is expected to drive sales of WLAN equipment for homes and small offices from $970 million in 2002 to almost $2 billion in 2005, according to Synergy Research Group. By contrast, enterprise WLAN equipment sales have tailed off the past few years and are expected to decline to $760.5 million this year from $798 million in 2002. Once security kinks get ironed out, enterprise sales will rise to $812 million in 2005, the Phoenix-based market research firm projects.

Though the economy's chill on IT spending played a role in WLANs' slow adoption in corporate networks, security concerns probably reinforced the inclination to hold off buying new technology, said Synergy Research analyst Aaron Vance. But "because of things like 802.11i and the way standards are evolving, the security issue is being mitigated," Vance said. "Enterprises will start to realize that, especially in terms of large-scale deployments, management is something they need to worry about more than security."

The Nitrox Wireless family includes the CN1120, CN1220 and CN1230, with interfaces to PCI 64/66 or PCI-X 64/100 buses and with CBC-MAC protocol (CCMP) and IPsec packet-processing performance of 1, 1.2 and 2 Gbits/s, respectively. The CN1320, 1330 and 1340, meanwhile, offer 2- to 4-Gbit/s performance with a HyperTransport or 200-MHz DDR bus interface. Pricing ranges from $141 to $500 each in quantities of 1,000.

Additionally, four "Lite" devices support CCMP and IPsec packet processing from 50 Mbits/s to 1 Gbit/s. The CN501w, with a PCI 32/66 or PCI-X 32/100 interface, costs $14.95 each in quantities of 10,000. The CN1001w, 1005w and 1010w have a PCI64/66 or PCI-X 64/100 interface. In 1,000-unit quantities, the Lite series is priced from $16 to $95.

Cavium offers the Nitrox Wireless parts as standalone chips or on reference boards with PCI, PCI-X and HyperTransport interfaces. Software support comes in the form of microcode updates, Linux software drivers and development tools, and APIs for CCMP and IPsec supported by open-source and third-party vendors.

Separately, Cavium has partnered with RSA Security Inc. to allow seamless offload of cryptographic operations from the RSA BSafe SSL-C encryption software development kit to Cavium's Nitrox devices. The integration, which had been announced last week, does not include the new Nitrox Wireless parts, the companies said.

"By having all the protocols and support in one place, developers can shave three to six months off the development process," said Kathy Kriese, senior product manager at RSA (Bedford, Mass.).

To allow customers to exploit the time savings, Cavium has tuned the tool kit, integrating hooks for offloading encryption tasks to its processors.

"An 800-MHz Pentium III can do 1,500 plain Web server pages, but if you add security software, that goes down to 130 ," said Amer Haider, marketing manager at Cavium. "By plugging in a Nitrox card, you can triple the performance back up to get the power of a 2.4-GHz Pentium 4."-Patrick Mannion contributed to this story.