The IC is an appliance designed to interact with Infranet Agents on individual endpoint devices seeking access to a network and the Infranet Enforcer software on its firewalls. The IC is the hardware holding all the policy against which security checks will be made.

The Infranet portfolio was announced back in May, with the IC still to come. The new announcement, meanwhile, comes just days after Juniper’s archrival Cisco extended its Network Admission Control (NAC) offering from the WAN, with routers and firewalls, to the LAN, with switches and wireless devices.

“The Controller has some technology from our SSL VPNs,” said Andrew Harding, Juniper’s director of product management, “but they have access as well. The IC isn’t a termination point, just a decision point.”

Of course, by splitting the authentication and authorization functionality already contained in the SSL VPNs marketed by NetScreen, the security vendor the Sunnyvale, California-based router manufacturer acquired last year, Juniper is seeking to address both LAN and WAN, carrying out internal as well as external security. In its case, however, it elevates the firewall to execute that function, whereas Cisco, not surprisingly, wants to spread it across all its hardware, at both Layers 2 and 3.

NAC has become a generic term for any effort to deliver technology for controlling network access based on the OS and security software status of a given machine, as well as on the level of access it has been assigned a priori, if it belongs to the corporation (if it is external, e.g. a guest machine, it will also be in a directory somewhere with that information, resulting in a certain level of access, Harding went on).

There is, however, the Cisco NAC initiative, which involves some 60 vendors of different parts of an edge security offering, such as leading AV vendors. Not surprisingly, Juniper doesn’t take part.

“The Cisco NAC requires a Cisco Trust Agent to be installed, and it’s complicated and heavyweight to manage,” Harding argued. Strictly speaking, that situation changes with phase II of Cisco NAC, in that the vendor is now moving to enable so-called agentless devices such as printers, guest laptops and PDAs to be evaluated in terms of their security status by third-party providers like Qualys, Sunopsis and Altiris, all of whom have made Cisco NAC-related announcements in recent weeks.

“In terms of switches, however, Cisco clearly needs its users to upgrade their estate,” he went on. “Cisco NAC represents Cisco rolling over those switches as soon as possible.”

Juniper does, however, belong to another rival initiative, namely Microsoft’s Network Access Protocol undertaking, from which something concrete should emerge in 2006, according to Harding.

“This is pre-NAP enforcement, and if NAP goes down the 802.1x enforcement path, this is the IPsec component,” he said. Juniper also collaborated with the Trusted Computing Group on its program to address network access control, but that is at a very early stage, he went on.

As for the degree of tie-in that Infranet represents, Harding said it doesn’t matter whether companies implementing the technology use its SSL VPN or not. The IC doesn’t need any information from other Juniper hardware anywhere else. It gets it from the Infranet Agent.

The IC comes in two flavors: the Infranet Controller 4000, supporting between 100 and 3,000 simultaneous endpoints and costing between $25,000 and $160,000, and the Infranet Controller 6000, scaling from 250 to 25,000 endpoints, with a price tag of between $60,000 and $390,000. The Agents to accompany it are bundled into the price. Harding argued that these prices make it very competitive vis-a-vis what it would cost you to protect the same number of endpoints with Cisco NAC.

“This is the first phase of the Infranet offering,” Harding revealed. “This is Juniper Unified Access Control,” he began, prompting the idea of something called UAC. “Beyond that, we’ll go to Unified Threat Control by adding in our deep packet inspection capabilities on firewalls, then finally Unified Delivery Control with our recent acquisitions [Peribit and Redline].” The Unified Threat Control can be expected in the first quarter of 2006, but Delivery Control is clearly further out, and Harding declined to speculate on the exact timeframe.