Juniper has a new policy management appliance, the Infranet Controller, sold as part of a network security package intended to rival offerings from Cisco and Microsoft.

The system relies on Juniper firewalls, as opposed to Cisco's Network Admission Control (NAC) approach that, unsurprisingly, uses Cisco switches and routers to deny access to unqualified machines.

Microsoft's Network Access Protection (NAP) meanwhile relies on other vendors' gear to enforce policies, supported by an extensive partner program. Other vendors, such as Aventail, Elemental and Sygate, offer products that can be used to control network access without relying on network hardware for enforcement.

Juniper's architecture requires appliances, called Infranet Controllers, placed where computers logging on can reach them and users can authenticate. The controller pushes an Infranet Agent - a Java applet or an ActiveX control - down to the computer, and the agent scans it for compliance with network security policies, such as whether virus signatures are current and required software patches are installed.
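To make the compliance scan concrete, the following is an added example of the posture check an agent of this kind performs, written for this page rather than taken from Juniper's product. The report layout, the policy fields and the patch identifiers (HYPO-1001, HYPO-1002) are assumptions for illustration, and the endpoint reports are constructed sample data. The check fails closed: a report it cannot parse counts as non-compliant.

```python
"""Endpoint posture check of the kind an Infranet-style agent performs.

Added illustration, not Juniper's code. The report format, the policy
fields and the patch identifiers are assumptions, not product details.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class Policy:
    max_signature_age_days: int   # how old antivirus signatures may be
    required_patches: frozenset   # patch identifiers that must be installed
    as_of: date                   # the date the controller evaluates against


@dataclass
class Verdict:
    compliant: bool
    reasons: list = field(default_factory=list)  # empty when compliant


def evaluate_posture(report: dict, policy: Policy) -> Verdict:
    """Compare one endpoint report against the policy and explain any failure."""
    reasons = []
    # Fail closed: a report the controller cannot interpret never grants access.
    try:
        sig_date = date.fromisoformat(report["av_signature_date"])
        installed = frozenset(report["installed_patches"])
    except (KeyError, TypeError, ValueError) as exc:
        return Verdict(False, [f"unreadable report: {exc!r}"])

    age = (policy.as_of - sig_date).days
    if age < 0:
        # A future-dated signature file points to clock skew or a tampered report.
        reasons.append("signature date is in the future")
    elif age > policy.max_signature_age_days:
        reasons.append(
            f"antivirus signatures are {age} days old "
            f"(max {policy.max_signature_age_days})"
        )

    missing = sorted(policy.required_patches - installed)
    if missing:
        reasons.append("missing patches: " + ", ".join(missing))

    return Verdict(compliant=not reasons, reasons=reasons)


# Policy the controller applies (assumed values, not Juniper defaults).
POLICY = Policy(
    max_signature_age_days=7,
    required_patches=frozenset({"HYPO-1001", "HYPO-1002"}),
    as_of=date(2005, 9, 1),
)

# Constructed endpoint reports covering the cases the check must handle.
SAMPLE_REPORTS = {
    "good":    {"av_signature_date": "2005-08-30",
                "installed_patches": ["HYPO-1001", "HYPO-1002"]},
    "stale":   {"av_signature_date": "2005-08-01",
                "installed_patches": ["HYPO-1001", "HYPO-1002"]},
    "missing": {"av_signature_date": "2005-08-31",
                "installed_patches": ["HYPO-1001"]},
    "broken":  {"av_signature_date": "yesterday",
                "installed_patches": ["HYPO-1001", "HYPO-1002"]},
}


def check_all(reports: dict, policy: Policy) -> dict:
    """Map each endpoint name to its Verdict under the given policy."""
    return {name: evaluate_posture(rep, policy) for name, rep in reports.items()}


if __name__ == "__main__":
    for name, verdict in check_all(SAMPLE_REPORTS, POLICY).items():
        state = "allow" if verdict.compliant else "deny"
        print(f"{name:8s} {state:5s} {'; '.join(verdict.reasons)}")
```

The verdict carries the reasons as well as the boolean so that the enforcement point can tell the user what to fix (update signatures, install a patch) instead of silently dropping them onto the network.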

Juniper claims its approach is less intrusive than Cisco's because it overlays security on LANs without requiring costly switch upgrades. Juniper has produced a partner program and is working with the Trusted Computing Group to develop specifications that switch vendors can adopt to enable them to become enforcement points.

Because Cisco owns more than 70 percent of the switch market, Juniper's Infranet will have to work its way into Cisco shops. Juniper sells no switches of its own, so many potential Infranet customers will have to weigh overlaying Juniper's firewalls and Infranet Controllers against upgrading their switches to determine what makes the best security and financial sense, says Eric Maiwald, senior analyst with Burton Group.

Some all-Cisco shops "say yes to NAC but say it may take a while because of all the upgrades they have to go through," he said. Such customers may view Infranet as an interim alternative.

Juniper's Infranet Controller comes in two models, the IC 4000 and IC 6000. The 4000 supports 100 to 3,000 simultaneous computers and costs $25,000 to $160,000, while the 6000 supports 250 to 25,000 endpoints and costs $60,000 to $390,000.