Managed SOHO security still lacks polish

Two all-in-ones have appeal but neither solves everything

The idea of bundling a managed security service with a firewall/router/gateway offering for small and midsize businesses isn't new, and the idea of an all-in-one box is appealing for sysadmins hoping to standardize installations for remote workers. Two current products have extended the idea with the addition of built-in DSL modems to the package. Both SofaWare Technologies Ltd.'s SafeOffice 500 and TrustEli Inc.'s Eli Security Appliance espouse the kitchen-sink approach to security for smaller businesses.

The idea is to set and forget such devices, easing troubleshooting and patch management while giving workers secure remote access. Adding DSL to the mix means that a single box can support all the user's connection needs. It's a great theory, but one for which reality has yet to come. When these two products are compared to leading unmanaged products for smaller businesses from networking vendors like Netgear Inc. and D-Link Corp., they both come up short in terms of usability, ease of setup and features. However, both offer plenty of additional security measures, such as very granular firewall rule sets, integrated virus scanning, intrusion detection and control over port forwarding.

The appliance from SofaWare, a division of Check Point Software Technologies Ltd., comes in four versions: with and without a DSL modem, and with and without wireless support. (We tested the DSL wired configuration.) The Eli Security Appliance comes with both a DSL modem and a built-in wireless access point.

Setup

Configuring the Eli took four calls to tech support and about three hours. Most of the time spent came down to our service provider, AT&T; the Eli included no explicit preset configuration for our AT&T DSL line, and it wasn't easy to get the parameters needed out of the company, which twice sent incorrect information. Eventually, the Eli folks figured out what was needed. It's hard to fault Eli for AT&T's inability to provide good information, but the fact remains that AT&T's not the most obscure DSL provider around, and an explicit (and accurate) preset configuration would certainly smooth the process.

Additionally, the diagnostics on the Eli box itself (which is embossed with a portrait of "Eli," their mascot) could have been more helpful during the setup process. For instance, it would be nice if the "DSL" light on the front of the box would go green when you properly authenticate your DSL log-in, rather than just when it detects the digital signal coming over the phone line.

In contrast, we were up and running on the SafeOffice box within minutes, although we had to suffer through a series of four or five update-and-reboot cycles until the box had been brought up to the appropriate firmware level, and we needed to talk to SofaWare's support staff as well for connecting our Vonage VoIP line.

Phone-home capability is one of the big benefits of these two products. Both appliances automatically check with their managed services periodically, making sure that their signature files and firmware are up to snuff so you don't have to -- a great idea.

Managing the boxes

We liked the management interface of SafeOffice better, even though it was more complex; Eli's interface simplicity appeals only until it's clear how much the device can't do. That interface also suffers from a split personality: some of its configuration is done locally on the box, while other setup is performed by connecting to the central managed service. While both Eli management interfaces are browser-based, they're designed differently, requiring the admin to learn two interfaces. The division of labor between the two systems is somewhat arbitrary as well -- for example, the troubleshooting menu is called from the local box, but the central managed service sets up the LAN IP address range.

In contrast, the SofaWare menu and configuration layout takes little time to master and is logically laid out. The downside is that there are a lot of knobs to turn, and not a lot of documentation to show you how to turn them. We had trouble getting the appliance to work with our Vonage telephone service and had to monkey with port forwarding to get calls through the appliance. Fortunately, Vonage America Inc. has some documentation for the process on its site.

Feature sets

The SafeOffice box's feature set has a lot of depth, as you might expect from Check Point. (It also costs more than the Eli box.) The firewall, virus protection and spam filtering are highly extensible, and the box supports VPN. There's also an impressive intrusion-detection system that uses the same Smart Defense technology found in the more expensive Check Point products. For example, you can set up the appliance to prevent Skype connections across your network. SafeOffice uses very verbose logging of network attacks, a useful (albeit depressing) item for sysadmins attempting to troubleshoot a remote connection.

The Eli product supports a much narrower feature set, which is good if your users don't expect much from it, but bad if you want to tweak it for special circumstances. For example, when setting the local LAN IP address range to be supplied by the appliance's DHCP server, you can specify only the third octet of the 192.168.x.x range. You also have limited control over which inbound services you can block -- only HTTP, FTP or mail traffic.

Eli includes content filtering and virus and malware scanning. VPN support is available through a separate managed product that's available at additional cost. It offers rudimentary wireless security with WPA. There's no support for WPA2 encryption, although Eli does support a 256-bit shared key -- good, but not state of the art. Port-forwarding capability is also limited.

Neither product is totally without flaws, but if you have a large-scale remote access deployment, it could be worth it to pay the extra cost for either one instead of just using unmanaged DSL routers such as the Netgear DG834G or the D-Link DSL-G604T. Both the Eli and the SofaWare offer more solid security features as well.

Pricing

One of the most vexing things about both products is their a la carte pricing for various services and user configurations. Your initial purchase price is just one part of the package, since you will have to pay additional monthly charges to keep either appliance up to date. Those service fees start at $5 per month, depending on the number of users supported, for both products.

Figuring out what pieces to buy and adding up the true cost over the appliances' life spans will take some quality time with a spreadsheet, especially for the various SofaWare options. Neither unit is quite set-and-forget yet -- more like set-and-reset-and-fiddle-with-some-more. But once configured and tuned, they should work just fine on their own -- and may provide some peace of mind to a small or midsize business's IT shop or a harried sysadmin coping with multiple remote users.

Eli Security Appliance

Trust Eli Inc.

www.TrustEli.com

$199.99 with additional monthly fees depending on number of users (starting at $10 per month for the five-user version).

SafeOffice 500 DSL

SofaWare/Check Point Software Technologies Ltd.

www.sofaware.com

Prices vary: $299 for the wired, non-DSL version; $549 for the wireless DSL version for five users. There is also pricing for 25 users and unlimited users: the price range for unlimited users is $999 to $1,249. There are also fees for annual support contracts, from $179 for five users to $449 for an unlimited number of users; these include antivirus and firmware updates.

David Strom is a St. Louis-based freelance writer, speaker, consultant, podcaster and former editor in chief at Tom's Hardware.com and Network Computing. He can be reached at david@strom.com.
