Juniper Networks this week plans to unveil a policy management appliance, a key piece of a secure network access scheme designed to rival those of Cisco and Microsoft.

The major difference between Juniper's Infranet strategy and Cisco's Network Admission Control (NAC) system is that Cisco uses switches and routers to deny access to unqualified machines while Juniper relies on its firewalls (though says it will use other vendors' switches over time).

Also: Juniper gains corporate ground

Microsoft's Network Access Protection (NAP) scheme also relies on other vendors' gear to enforce policies and, like Cisco's plan, is supported by an extensive partner program. Other vendors, such as Aventail, Elemental and Sygate, offer products that can be used to control network access without relying on network hardware for enforcement.

Juniper's Infranet architecture calls for placing its appliances, dubbed Infranet Controllers, in a network where computers logging on can reach them and users can authenticate. The devices send an Infranet Agent - a Java applet or Active X agent - down to the computer to scan it for compliance with network security policies. This includes looking for updated virus signatures, software patches and the like.

Juniper touts its architecture as less intrusive than Cisco's because it overlays security on LANs without requiring costly switch upgrades. NAC requires that Cisco switches be brought up to an acceptable IOS software version. To use switches as enforcement points, Juniper's Infranet requires the cooperation of other vendors, which may prove challenging in the case of Cisco. Juniper has a partner program of its own for this purpose and is working with the Trusted Computing Group to develop specifications that switch vendors can adopt to enable them to become enforcement points.

Because Cisco owns more than 70% of the switch market, Juniper's Infranet will have to work its way into Cisco shops. Juniper sells no switches of its own, so many potential Infranet customers will have to weigh overlaying Juniper's firewalls and Infranet Controllers vs. upgrading their switches to determine what makes the best security and financial sense, says Eric Maiwald, senior analyst with Burton Group. Some all-Cisco shops "say yes to NAC but say it may take a while because of all the upgrades they have to go through," he says, and such customers may view Infranet as an interim alternative.