Author: Vikki Lipset
Review Date: 10/17/2002


Model Number: BEFSX41 ($119)

Fueled by the demand for secure telecommuting, Virtual Private Network (VPN) features are appearing in many low-cost routers. Linksys’ latest offering–the BEFSX41–packs a VPN endpoint, a Stateful Packet Inspection (SPI) firewall and a host of other security features into an easy-to-use, affordable package.


  • SPI firewall
  • Supports up to two IPsec tunnels
  • URL and time filtering


  • Time-based access control can’t be limited to specific ports
  • Can’t e-mail alerts of unauthorized access attempts
  • Doesn’t include printed manual


The BEFSX41 is a four-port 10/100 switch that allows you to share a high-speed Internet connection among all the computers on your network. The four ports on the rear of the device automatically detect 10BaseT or 10/100 connections, and are auto-sensing for whether they are straight-through or cross-over cables.


Unfortunately, Linksys doesn’t include a printed manual, but they do provide a Fast Start poster that gives simple and clear instructions for connecting the router and configuring it and your PCs. I had my network up and running in minutes. You’ll find a PDF version of the user’s guide on the CD that comes in the box, along with a Router Setup Wizard. The CD sleeve instructs you to run the Wizard before you hook up the router, but I found it easy enough to set everything up by following the directions in the Fast Start poster. (Mac users won’t have a choice, since the Wizard only works with Windows.)

The BEFSX41 supports Universal Plug and Play (UPnP), so systems running Windows XP should be able to identify and configure the router automatically.


The router’s controls are configured through your Web browser. Once you log on, you’ll find tabs to set up a firewall, VPN, filters, forwarding, and logs.


The BEFSX41’s URL filtering feature allows you to block access to Web sites using either URL keywords or file extensions. The router can also block any proxy server contact, Java and ActiveX, and a time filtering option allows you to prevent outgoing or incoming traffic at specified times. It’s too bad that you can’t limit the time filter to specific ports, though. (The Web and time filters are configured from the Firewall tab and are only available when Advanced Firewall Protection is enabled.)

Port filtering is configured from the Filters tab. From here, you can create up to 20 filters to restrict specific users’ incoming or outgoing access; you can deny or allow services for up to five MAC addresses and one IP address (or range of addresses). This is also where you’ll activate the router’s remote access (specify the port you want to use for this) and remote upgrade features.


The BEFSX41 supports Stateful Packet Inspection (SPI), which automatically detects denial-of-service (DoS) attacks. You can also set the router to ignore pings from the Internet (Block WAN Request on the Filters tab). The BEFSX41 held its own against several online port scans and other security checks; my tests found no open ports or other network vulnerabilities.

A firewall log tracks any suspect activity, including intrusion attempts and internal attempts to access blocked sites. The router can also keep system, access and VPN logs (you must enable the log feature first, however); you can either view them online, or with the free LogViewer software, which you can download from Linksys. If you opt for the latter, you can enter the IP address of the PC running the software and the router will send updated logs to that computer. Unfortunately, the BEFSX41 lacks the ability to e-mail alerts of unauthorized access attempts.

The router functions as a VPN endpoint; you can define up to two IPSec tunnels. Once you have configured a tunnel, you can hit Connect to use it, and then click the Summary button to determine if the connection was successful. The Keep-Alive feature (in the Advanced Settings) automatically reestablishes dropped connections.


The Linksys BEFSX41’s simple setup and extensive feature set makes it a good choice for anyone who needs a secure connection to a remote network. And with a street price hovering around $80, it’s a great value, too.