This is a relatively raw "dump" of the notes I made when I tested a pair of LinkSys BEFSX41s prior to putting them into service. The purpose of the testing was to familiarize myself with the units in a relatively controlled environment (i.e., using a direct ethernet cable connection), to assure myself that the units would work reliably enough, and to understand the performance implications of various settings. Although the tests were conducted with some rigor, I wouldn't say they were done to professional testing standards.
VPN Performance Measurements
I used an ethernet cable as the WAN connection between the BEFSX41s.
Both units were updated to firmware version 1.44, set to do Stateful Packet Inspection (SPI); i.e., the "Advanced Firewall Protection" mode was turned on, and no other filtering/forwarding/etc. was defined.
I drove testing using Helios LanTest 2.5.0 (tests large-file reads/writes over AFP, Apple's IP-based filesharing protocol) using machines that easily saturate a 100 Mbit line.
All setups use IKE and have advanced settings set with Anti-Replay and Keep-Alive turned on and only use Main Mode with both phases at 768 bit.
The following entries are nominal values for various Encryption/Authentication settings with only one test session/connection/tunnel running and no other activity:
| Encryption/Authentication Settings | Throughput |
|---|---|
| No VPN tunnels defined (i.e., directly through the routers) | 7-8 MBytes/second |
| Disable/Disable | 1.4 MBytes/second |
| Disable/MD5 | 1.1 MBytes/second |
| Disable/SHA | 330 KBytes/second |
| DES/Disable | 445 KBytes/second |
| 3DES/Disable | 210 KBytes/second |
| DES/MD5 | 350 KBytes/second |
| 3DES/MD5 | 190 KBytes/second |
| DES/SHA | 200 KBytes/second |
| 3DES/SHA | 135 KBytes/second |
We've been using DES/MD5. DES is not considered to be very secure, but we have other security measures in place so feel this is adequate in the overall scheme.
In our "real life" connections, the lowest common denominator is a 512 Kbit outgoing/uplink and 1.5 Mbit incoming/downlink; there we get nominal values of just under 50 KByte/sec file transfer rate between the main and branch offices. When you realize that, in such a configuration (i.e., aDSL-to-aDSL or cable modem-to-cable modem), you're limited by your uplink/slower speed since your incoming is the other site's outgoing and vice versa, these numbers make perfect sense.
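As an added illustration that is not part of the original notes, the Python below takes the measured throughput figures from the table above and applies the uplink-bottleneck reasoning just described: for a given WAN uplink, the effective transfer rate is the smaller of the router's crypto throughput for a setting and the link's own ceiling. The efficiency factor of 0.78 is an assumption chosen so that a 512 Kbit uplink yields the "just under 50 KByte/sec" figure observed; the function names are mine, not anything the router or LanTest exposes.

```python
"""Added example (not from the original notes): combine the measured BEFSX41
throughput table with a WAN uplink figure to see which side is the bottleneck
for each Encryption/Authentication setting."""
from typing import Dict, List

# Nominal router throughput measured in the notes, in KBytes/second.
# The no-tunnel baseline was 7-8 MBytes/second; 7000 is the conservative end.
ROUTER_THROUGHPUT_KBS: Dict[str, int] = {
    "No VPN tunnel": 7000,
    "Disable/Disable": 1400,
    "Disable/MD5": 1100,
    "Disable/SHA": 330,
    "DES/Disable": 445,
    "3DES/Disable": 210,
    "DES/MD5": 350,
    "3DES/MD5": 190,
    "DES/SHA": 200,
    "3DES/SHA": 135,
}

# Assumed fraction of raw link bits that end up as file data after
# IP/ESP/TCP/AFP framing. 0.78 reproduces the ~50 KByte/sec seen on 512 Kbit.
LINK_EFFICIENCY = 0.78


def link_ceiling_kbytes(uplink_kbit: float) -> float:
    """Usable file-transfer ceiling (KBytes/s) for a WAN uplink given in Kbit/s."""
    return uplink_kbit / 8 * LINK_EFFICIENCY


def effective_rate(setting: str, uplink_kbit: float) -> float:
    """Effective rate is bounded by whichever is slower: the router's crypto
    throughput for this setting or the link between the two sites."""
    return min(ROUTER_THROUGHPUT_KBS[setting], link_ceiling_kbytes(uplink_kbit))


def bottleneck(setting: str, uplink_kbit: float) -> str:
    """Name the limiting component: 'router' or 'link'."""
    if ROUTER_THROUGHPUT_KBS[setting] < link_ceiling_kbytes(uplink_kbit):
        return "router"
    return "link"


def retained_fraction(setting: str) -> float:
    """Share of the no-tunnel throughput the router still delivers with this
    setting, i.e. the raw cost of encryption/authentication on the box itself."""
    return ROUTER_THROUGHPUT_KBS[setting] / ROUTER_THROUGHPUT_KBS["No VPN tunnel"]


def uplink_where_router_limits(setting: str) -> float:
    """Smallest uplink (Kbit/s) at which the router, not the link, becomes the
    bottleneck for this setting; below it a stronger setting costs nothing."""
    return ROUTER_THROUGHPUT_KBS[setting] * 8 / LINK_EFFICIENCY


def link_bound_settings(uplink_kbit: float) -> List[str]:
    """Settings whose router throughput exceeds the link ceiling at this uplink."""
    return [s for s in ROUTER_THROUGHPUT_KBS if bottleneck(s, uplink_kbit) == "link"]


if __name__ == "__main__":
    for uplink in (512, 1500, 10000):
        print(f"uplink {uplink} Kbit -> link ceiling {link_ceiling_kbytes(uplink):.1f} KB/s")
        for name in ROUTER_THROUGHPUT_KBS:
            print(f"  {name:16s} {effective_rate(name, uplink):7.1f} KB/s "
                  f"({bottleneck(name, uplink)}-bound, "
                  f"{retained_fraction(name):.3f} of no-tunnel rate)")
```

Run against the 512 Kbit uplink from the notes, every setting down to 3DES/SHA comes out link-bound, so on that kind of connection the choice between DES/MD5 and 3DES/SHA changes nothing measurable; the router only becomes the limit for 3DES/SHA at roughly 1.4 Mbit of uplink and for DES/MD5 at roughly 3.6 Mbit.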
Reliability
The VPN service appears to be quite reliable and we've seen hardly any reconnections (and these were automatically handled by the keep-alive setting plus a regular prodding via a cron-driven ping).
As a basic switch/router/gateway ... it just seems to work reasonably well, as long as you avoid various LinkSys problems/bugs.
As a basic NAT/SPI firewall, I've run numerous security-testing tools against it and it seems to be solid (which will be the case till someone finds a vulnerability). At least the well-known exploits are handled, assuming a user's configuration doesn't defeat the built-in security. BTW, UPnP seems like something that will allow some application to actually do this for you ... needless to say, I've turned UPnP off and don't see a situation where I would ever turn it on. FYI, within 20 min. of having the unit installed, I had evidence of what appeared to be some serious Web/RPC/DNS vulnerability searching from sites in both "Russia" and China. Actually, web-port vulnerability searching and browser vulnerability probing is pretty much constant (good thing we don't run Windows!). Anyone who doesn't think they need a firewall simply doesn't understand.
Sad/Happy Comment
I was a SonicWALL shareholder, but just couldn't justify the 6x price for the Tele3, even though it has more features and better performance and I'd bet that it'd be even more reliable and have many fewer bugs ... but I just didn't need any more features or performance (and I can live with the bugs). These low-priced units are catching up very quickly (which makes me sad as a shareholder ... but happy as a consumer). I guess that's progress.