Clarifying issues surrounding this emerging security architecture
Enterasys is introducing new NAC appliances that can be deployed either in-band, where they sit in the traffic path and block flows that violate policy, or out-of-band, which is less invasive and easier to roll out.
The new gear can take intrusion-prevention data from the company's own Dragon IPS or from two competing IPS products, TippingPoint and Sourcefire. Pairing NAC with an IPS in this way lets the network keep monitoring a device for threats after it has been admitted, rather than assessing it only at connection time.
When the IPS detects suspicious behavior, policy determines whether it triggers an enforcement action on the NAC gear, which quarantines the offending traffic by the device's MAC address at the access switch port the device is connected to.
The gear can distinguish between different kinds of traffic coming from a single device and block only the traffic judged malicious, so a user whose machine is misbehaving can keep working without putting the rest of the network at risk.
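The alert-to-enforcement loop described above, as an added example written for this page rather than code from Enterasys or any of the IPS vendors named: an IPS alert arrives, a policy table decides between quarantining the whole device and dropping only the offending flow, and the resulting rule is keyed by the device's MAC address and the access switch port recorded for it at admission. The alert fields, the policy table, the rule format, the MAC addresses and the switch names are all assumptions made for the illustration.

```python
"""IPS-to-NAC enforcement sketched as a small policy engine.

Added illustration, not Enterasys code. The alert fields, the policy table,
the switch/port rule format and the sample alerts are all assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IpsAlert:
    """Minimal IPS event (assumed shape; real IPS exports carry much more)."""
    src_mac: str
    signature: str   # what the IPS matched, e.g. "worm-propagation"
    proto: str       # "tcp", "udp", "icmp"
    dst_port: int


@dataclass(frozen=True)
class Endpoint:
    """Where an admitted device is attached, learned at 802.1X admission time."""
    mac: str
    switch: str
    port: int


# Signature -> enforcement action (assumed policy table).
#   "quarantine" : drop everything from the device at its access port
#   "block-flow" : drop only the matching flow, so the user keeps working
#   absent       : informational only, no enforcement
POLICY = {
    "worm-propagation": "quarantine",
    "irc-botnet-c2": "block-flow",
    "p2p-file-sharing": "block-flow",
}


class NacController:
    def __init__(self):
        self.endpoints = {}   # mac -> Endpoint, filled at admission
        self.rules = []       # enforcement rules pushed to access switches

    def admit(self, mac, switch, port):
        """Record the MAC-to-port binding learned when 802.1X succeeded."""
        self.endpoints[mac] = Endpoint(mac, switch, port)

    def handle_alert(self, alert):
        """Turn an IPS alert into a switch-port rule keyed by MAC, or None."""
        action = POLICY.get(alert.signature)
        if action is None:
            return None                  # not an enforcing signature
        ep = self.endpoints.get(alert.src_mac)
        if ep is None:
            return None                  # MAC never admitted through this NAC
        match = "any" if action == "quarantine" else f"{alert.proto}/{alert.dst_port}"
        rule = {"switch": ep.switch, "port": ep.port, "mac": ep.mac, "match": match}
        if rule in self.rules:
            return rule                  # same alert again: same rule, no duplicate
        self.rules.append(rule)
        return rule

    def is_allowed(self, mac, proto, dst_port):
        """Would a packet from this MAC to proto/dst_port pass the installed rules?"""
        for r in self.rules:
            if r["mac"] == mac and r["match"] in ("any", f"{proto}/{dst_port}"):
                return False
        return True


def run_demo():
    """Constructed scenario: two admitted laptops, one unknown device, four alerts."""
    nac = NacController()
    nac.admit("00:11:22:33:44:aa", "sw-floor3", 12)
    nac.admit("00:11:22:33:44:bb", "sw-floor3", 13)
    alerts = [
        IpsAlert("00:11:22:33:44:aa", "irc-botnet-c2", "tcp", 6667),    # block one flow
        IpsAlert("00:11:22:33:44:bb", "worm-propagation", "tcp", 445),  # quarantine
        IpsAlert("00:11:22:33:44:cc", "worm-propagation", "tcp", 445),  # never admitted
        IpsAlert("00:11:22:33:44:aa", "icmp-echo-sweep", "icmp", 0),    # informational
    ]
    results = [nac.handle_alert(a) for a in alerts]
    return nac, results


if __name__ == "__main__":
    nac, results = run_demo()
    for r in results:
        print(r)
    print("aa https:", nac.is_allowed("00:11:22:33:44:aa", "tcp", 443))
    print("aa irc  :", nac.is_allowed("00:11:22:33:44:aa", "tcp", 6667))
    print("bb https:", nac.is_allowed("00:11:22:33:44:bb", "tcp", 443))
```

The point the article makes about granularity shows up in the last three lines: the laptop flagged for botnet command-and-control loses only its IRC flow and can still reach web services, while the device flagged for worm propagation is cut off entirely at its port. An alert for a MAC the NAC never admitted produces no rule, which is the case to watch for when the IPS and NAC see different parts of the network.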
The inline device is called the Enterasys NAC Controller and the out-of-band device the Enterasys NAC Gateway. Both come with either 10/100/1000 copper ports or all-fiber ports, and each model has a 10Gbps uplink port. Both use the same hardware platform, built on the ASICs Enterasys uses in its switching products.
Installed out-of-band, the device acts as a RADIUS proxy for 802.1X authentication: it sits between the access switch and the authentication server, sees each authentication request pass through, and can attach its own access-policy decision to the response the switch acts on.
The devices are available now. Pricing starts at $9,000 for a version that supports 2,000 users; a 3,000-user version is also offered. Larger deployments are handled by installing multiple boxes.
Tim Greene is senior editor at Network World.