The security industry has convinced itself that the way forward for small businesses is to adopt managed services, and consign DIY IT to the bin for good. Security is now so involved and full-on, that it is hard to see how many small companies can afford to employ someone only to carry out that function, and that function alone.

They have a point, then, but the sticky issue has always been cost. Don’t believe the reseller pitch. Managed security doesn’t necessarily come cheap, any more than managed IT comes cheap.

A US company, Eli, has just launched in the UK through partner Unipalm, selling a possible solution for companies of up to 25 users. It’s a security appliance that has been designed specifically to be managed remotely, with an annual subscription fee that doesn’t cost the earth. It claims to be able to do everything, so once it has been set up can literally be forgotten about as long as the bills are paid.

Intriguingly, Eli is also going to try and sell the idea to consumers once Unipalm has found itself a channel to do the hard work. Selling low-cost manageD services to SMEs is radical enough; selling the same idea to the computer illiterate is about as close to the word “revolutionary” as you can get without sounding drunk.

As well as site security, it can do useful and usually tricky things like VPN-to-VPN connectivity. We weren’t able to test this on the unit we got (the VPN package won’t be available until May), but his could make it worth considering on its own. Eli claims that a site-to-site connection for a distributed organization can be set up in five minutes, considerably less than would normally be required. The VPN can be set up between Eli boxes, or to any IPSec compatible equipment.

The Eli comes out of its box looking like a bulkier version of the wireless routers you can find in any PC World outlet. Dressed in sliver and black plastic, it features an integrated ADSL2 modem, a 4-port 10/100 switch, and an 802.11b/g wireless access point with a single aerial. About the only elements that mark it out are that it has a built-in print server, a tiny switch to configure it to use an external modem/router, and – rivals pay attention please – an ON/OFF switch.

Log into the Eli itself and the sparseness of the interface makes clear its managed design. Other than the ISP setup utility, there is little more to hand than logging and status information. With the ISP connection up, the Eli gateway connects to a remote server, downloading any recent software updates. This can take a few minutes, and can't be interrupted for any reason.

The security itself is configured on the Eli website, after an account has been activated. All the security components you’d expect are configured here; anti-virus, anti-spam, anti-phishing, content filtering (from Blue Coat), wireless security, application-specific controls, and firewall policies. It’s all very simple to grasp, and the application controls (which would stop gaming and IM for instance) work well, though there is nothing to lock down an errant VoIP program.

Once security policies have been configured as desired, all subsequent software updates for elements such as anti-virus happen transparently and without the customer having to intervene, up to four times a day, or 12 times a day for content filtering. The Eli does respectably well for wireless security, supporting up to 256-bit WPA encryption as well as the now discredited 64-bit WEP. It has no support for RADIUS authentication, though this might turn up on later versions.

There are a number of issues with small network managed security that need pondering. Just because the gateway is remotely managed does not mean, for instance, that client security can be ignored, and nor would Eli claim that it does. It is still essential to install anti-virus on clients, not least because some of them - laptops for instance – will travel away from the Eli and connect through other gateways.

The Eli is a way of taking some of the work out of security – it is not a complete replacement for all other defences. Bear in mind that SME customers are allowed up to five policy changes per month as part of their subscription package. This is a liveable restriction as they shouldn’t need changing more often than that anyway.

Is the box itself up to the sort of traffic demands that might be thrown at it by 25 users? That’s hard to say, though it shouldn’t become too much of a bottleneck. We’d be less convinced about the Wireless LAN, however, as that lacks any of the MIMO (multi-in, multi-out) radio range extension now common on rivals, and it obviously designed for undemanding “informal” setups. Unless you really need it, it might be worth simply turning the WLAN feature off.

The Eli is, in case you haven’t spotted it, really a sort of low-end Unified Threat Management (UTM) box. Where it differs subtly from most of its rivals is that it is not simply an appliance that can be connected to and remotely configured – the configuration process happens remotely too. This has the advantage that the device itself is less of a security weak point, at least in theory. Updates come automatically so don’t need to be fretted over, and firmware updating is also automatic.

The Eli VPN feature will be launched in May, but we understand it won't cost extra. Overall, as a way of layering a decent level of security for a small office of offsite branch, and doing so at low cost, the Eli looks highly attractive. It’s not foolproof – you’ll still need a client layer of software security – but it is highly innovative. Now if only the rest of the industry would catch up.


It is difficult to generalise about all-in-one security appliances. How much security comes as standard, and how much comes as extra for a separate fee? How upgradeable is it? What size of network does it support? Can it maintain throughput for users even when all modules are loaded? And what does this all cost if it is offered in a managed form?