
I have two systems in a rack that are directly linked together with a 0.25m Cat 5e cable so they can exchange data via NFS. As you may know, plain NFS does not inherently support encryption or user authentication so the data is potentially sniffable/interceptable/accessible to third parties, but since the two systems are locked in a server room inside a locked rack the risk is considered sufficiently mitigated at the moment.

I may have a need for one of the systems to be put in a locked room+cabinet elsewhere on the LAN which means the two units will be linked via the building's data wiring (data point to data point via a patch panel link), but this means the link is no longer contained in a secure environment so I am looking for a pair of devices that will encrypt the link. I cannot use any form of s/w tunnelling or encryption as one of the systems is proprietary (it's not running an off-the-shelf OS) and there's no such app/functionality to install on it - the only link option is via NFS.

I imagine I could create a hardware VPN link using a pair of 'xDSL' routers that support such functionality and have gigabit WAN ports - this would be a cheap option, but the ones that I know have relatively slow VPN functionality (40-50Mbit/s). I have also found some multi-port 'security' devices/switches that will do the job, but the cost is looking very high and the kit is overkill for a single link.

I have considered a pair of gigabit powerline adaptors locked inside the cabinets, but distance and power phasing may mean this doesn't work. Fibre is an option too, but before I go there...

Has anyone come across a simple 'dongle-type' pair of devices - preferably gigabit speed - that can be plugged onto the ends of a cat 5e data link that will transparently encrypt the link traffic? Thanks

Linker3000

4 Answers


Why not just get 2 super cheapo small form factor Linux boxes, set up an OpenVPN tunnel between them, and send all traffic through those boxes, splitting the NFS traffic off to go over the VPN link? Is that an option? This would avoid the WAN port speed issue.

You may only need 1, for the proprietary end of the link, which brings the costs down even more.

Sirex
  • Hi @Sirex - Yes, it's certainly an option; and as you say only one would be needed. It's not as 'dongly' as I'd prefer but at the end of the day it's doable and probably cheaper than a specialist security device. Good thinking. – Linker3000 Aug 18 '11 at 10:06
  • Definitely the route to go given the constraints (but you may only need an additional device in front of the proprietary box). IIRC openvpn uses tunnelling protocols - you'll get better performance from IPsec if you can be bothered with the hassle of managing it. – symcbean Aug 18 '11 at 10:14
  • It's not hugely "dongly", but I was thinking something like an Acer Veriton (http://cdn.ubergizmo.com/photos/2009/8/acer-veriton.jpg) which is fairly "donglified". You may even be able to zip-tie it to the inside of the rack cabinet – Sirex Aug 18 '11 at 10:21
  • @Sirex Yep, I've got a Veriton at home - nice design. We also have some HP Proliant microservers running as routers elsewhere - a bit bigger than a veriton but good performance – Linker3000 Aug 18 '11 at 11:15
  • If you go this route, you may want to look at fanless, mostly solid state, rugged systems, e.g., http://www.logicsupply.com/. No need to have the network go out because you have a spinning drive stop spinning. – cjc Aug 18 '11 at 12:08
  • @cjc Yep, the Microservers acting as routers boot Alpine Linux from USB stick. Boot time's about 10 sec. http://alpinelinux.org/ – Linker3000 Aug 18 '11 at 12:19
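Sirex's suggestion and symcbean's refinement (one box only, in front of the proprietary end), worked through as an added example; this is not code from the original thread. A small Linux relay is cabled directly to the proprietary system, carries its NFS traffic to the far Linux host over an OpenVPN tunnel, and is firewalled so that NFS can never be forwarded onto the building LAN in the clear, tunnel up or down. Everything concrete is assumed: the relay has eth0 = 192.0.2.1/24 facing the proprietary box (192.0.2.10, with the relay as its gateway), eth1 on the building LAN, the far host at 198.51.100.10 runs OpenVPN itself, the tunnel endpoints are 10.8.0.1/10.8.0.2, and certificates plus a tls-crypt key already exist under /etc/openvpn/keys.

```shell
#!/bin/sh
# Added example: a small Linux "relay" box between the proprietary system and
# the building LAN, tunnelling its NFS traffic to the far host over OpenVPN
# and refusing to forward it unencrypted if the tunnel is down.
# All addresses, interface names and paths below are assumptions.
set -eu

PROP_IP=192.0.2.10        # proprietary box, cabled directly to relay eth0
RELAY_PROP_IF=eth0        # relay's interface to the proprietary box
RELAY_LAN_IF=eth1         # relay's interface onto the building LAN
FAR_LAN_IP=198.51.100.10  # far Linux host (the NFS peer) on the building LAN
TUN_FAR=10.8.0.1          # point-to-point tunnel addresses
TUN_RELAY=10.8.0.2
KEYDIR=/etc/openvpn/keys  # ca.crt, relay.crt/key, far.crt/key, tc.key assumed present

# Settings common to both ends: AEAD data channel, TLS 1.2+, and tls-crypt so
# the control channel is authenticated before any TLS handshake takes place.
common_openvpn() {
  cat <<EOF
dev tun0
proto udp
tls-crypt $KEYDIR/tc.key
ca $KEYDIR/ca.crt
cipher AES-256-GCM
tls-version-min 1.2
keepalive 10 60
persist-key
persist-tun
EOF
}

# Far host: TLS server on a static point-to-point tunnel; the route sends
# replies for the proprietary box back into the tunnel.
render_far_openvpn_conf() {
  common_openvpn
  cat <<EOF
tls-server
local $FAR_LAN_IP
port 1194
dh none
cert $KEYDIR/far.crt
key $KEYDIR/far.key
remote-cert-tls client
ifconfig $TUN_FAR $TUN_RELAY
route $PROP_IP 255.255.255.255
EOF
}

# Relay: TLS client. remote-cert-tls server stops any other box on the LAN
# that holds a client certificate from impersonating the far host.
render_relay_openvpn_conf() {
  common_openvpn
  cat <<EOF
tls-client
remote $FAR_LAN_IP 1194
nobind
cert $KEYDIR/relay.crt
key $KEYDIR/relay.key
remote-cert-tls server
ifconfig $TUN_RELAY $TUN_FAR
EOF
}

# Fail-closed forwarding: the only permitted forwarding path is
# proprietary box <-> tun0. With the tunnel down there is no path to eth1,
# so NFS cannot leave the cabinet unencrypted. The output rules additionally
# stop the relay itself from speaking portmapper/NFS on the LAN.
# Note: "flush ruleset" replaces any other nft rules already on the relay.
render_relay_nft_ruleset() {
  cat <<EOF
flush ruleset
table inet relay {
  chain forward {
    type filter hook forward priority 0; policy drop;
    iifname "$RELAY_PROP_IF" oifname "tun0" ip saddr $PROP_IP accept
    iifname "tun0" oifname "$RELAY_PROP_IF" ip daddr $PROP_IP accept
  }
  chain output {
    type filter hook output priority 0; policy accept;
    oifname "$RELAY_LAN_IF" tcp dport { 111, 2049 } drop
    oifname "$RELAY_LAN_IF" udp dport { 111, 2049 } drop
  }
}
EOF
}

# Apply on the relay (root required): ./relay.sh apply
apply_relay() {
  render_relay_openvpn_conf > /etc/openvpn/relay.conf
  render_relay_nft_ruleset | nft -f -
  sysctl -w net.ipv4.ip_forward=1
  systemctl enable --now openvpn@relay
}

case "${1:-render}" in
  apply) apply_relay ;;
  *) render_relay_openvpn_conf; echo '---'; render_far_openvpn_conf; echo '---'; render_relay_nft_ruleset ;;
esac
```

With this in place the proprietary box mounts the far host at its tunnel address (10.8.0.1) rather than its LAN address, and the far host's export list names 192.0.2.10 only. The forward chain's drop policy is the important part: a tunnel that is merely "usually up" gives no guarantee, whereas a relay with no unencrypted forwarding path at all cannot leak NFS however the tunnel fails. NFS over TCP is preferable here, since large UDP NFS datagrams fragment badly inside a tun interface.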

Regardless of how many ports you buy, I'm pretty confident that it'll cost an absolute bomb. Anything that isn't commodity isn't going to be cheap, and this is about as "non-commodity" as it gets, with the added cost multiplier of involving "security".

womble

You could run NFSv4 with Kerberos and get strong authentication and full encryption. Assuming that you have a working Kerberos environment you'll need to set security type to krb5p which will protect all of the NFS RPC calls between client and server.

pfo
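pfo's answer worked through as an added example; this is not code from the original thread. It shows the server-side export entry, the client-side mount options, and a check that a mount actually came up with krb5p rather than falling back to AUTH_SYS. It assumes a working realm EXAMPLE.COM with nfs/nfs1.example.com and nfs/nfs2.example.com keys in each host's keytab, hostnames nfs1/nfs2, an export at /srv/data and a mount point at /mnt/data; all are placeholders. It also assumes both ends run a Linux NFS stack that can join the realm, which the proprietary box in the question cannot, so this route only applies where that holds.

```shell
#!/bin/sh
# Added example: NFSv4 with Kerberos privacy (sec=krb5p) between two Linux
# hosts. Realm, hostnames, export and mount point are assumptions; both hosts
# are assumed to hold nfs/<fqdn>@REALM keys in /etc/krb5.keytab.
set -eu

REALM=EXAMPLE.COM
SERVER=nfs1.example.com
CLIENT=nfs2.example.com
EXPORT=/srv/data
MNT=/mnt/data

# Server: export to the one client with krb5p only. Listing a single flavour
# (not "sec=sys:krb5p") means an AUTH_SYS mount attempt is refused instead of
# quietly producing an unencrypted mount.
render_exports() {
  printf '%s %s(sec=krb5p,rw,sync,no_subtree_check)\n' "$EXPORT" "$CLIENT"
}

# Client: NFSv4.2 over TCP with krb5p; "hard" so an outage stalls I/O rather
# than returning errors the application may not handle.
render_fstab_line() {
  printf '%s:%s %s nfs4 sec=krb5p,vers=4.2,proto=tcp,hard,_netdev 0 0\n' \
    "$SERVER" "$EXPORT" "$MNT"
}

# Given the text of /proc/mounts, print the sec= flavour of the mount at $MNT:
# "krb5p", "sys" (AUTH_SYS, no encryption), "none" if the option is missing,
# or "absent" if nothing is mounted there.
mount_sec_flavour() {
  printf '%s\n' "$1" | awk -v m="$MNT" '
    $2 == m && $3 ~ /^nfs4?$/ {
      found = 1; sec = "none"
      n = split($4, o, ",")
      for (i = 1; i <= n; i++) if (o[i] ~ /^sec=/) sec = substr(o[i], 5)
      print sec; exit
    }
    END { if (!found) print "absent" }'
}

# True only when the mount exists and is using krb5p.
check_krb5p() {
  [ "$(mount_sec_flavour "$1")" = krb5p ]
}

# Constructed /proc/mounts lines (not captured from a real system).
SAMPLE_OK="$SERVER:$EXPORT $MNT nfs4 rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,sec=krb5p,clientaddr=192.0.2.20,local_lock=none,addr=192.0.2.10 0 0"
SAMPLE_SYS="$SERVER:$EXPORT $MNT nfs4 rw,relatime,vers=4.2,sec=sys,clientaddr=192.0.2.20,addr=192.0.2.10 0 0"

# Root-only steps; run with "server" or "client" as the argument.
setup_server() {
  klist -k /etc/krb5.keytab | grep -q "nfs/$SERVER@$REALM" || { echo "missing nfs/ key in keytab" >&2; exit 1; }
  render_exports >> /etc/exports
  exportfs -ra
}

setup_client() {
  klist -k /etc/krb5.keytab | grep -q "nfs/$CLIENT@$REALM" || { echo "missing nfs/ key in keytab" >&2; exit 1; }
  systemctl enable --now rpc-gssd
  mkdir -p "$MNT"
  mount -t nfs4 -o sec=krb5p,vers=4.2,proto=tcp,hard "$SERVER:$EXPORT" "$MNT"
  # Verify the kernel really negotiated krb5p before trusting the mount.
  check_krb5p "$(cat /proc/mounts)" || { echo "mount is not krb5p" >&2; umount "$MNT"; exit 1; }
}

case "${1:-show}" in
  server) setup_server ;;
  client) setup_client ;;
  *) render_exports; render_fstab_line
     echo "sample ok  -> $(mount_sec_flavour "$SAMPLE_OK")"
     echo "sample sys -> $(mount_sec_flavour "$SAMPLE_SYS")" ;;
esac
```

The server also needs its GSS service running (gssproxy or rpc.svcgssd, depending on the distribution), which is left out here because the unit name varies. The post-mount check matters because a client asked for krb5p that ends up with sec=sys has lost both the authentication and the encryption the answer promises; treating anything other than krb5p as a failure, as setup_client does, keeps the fallback from going unnoticed.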

What is the possibility of just running a separate Cat 5/6 network for these servers? Possibly cheaper than fibre.

tkrabec
  • Zero possibility as the wire will be outside of a secure environment and so a security risk - unless we do something like put it in copper piping and monitor continuity - but it could still be 'got at' by a determined person. – Linker3000 Aug 18 '11 at 16:18