How to make NFS secure?

The server has no firewall

If the remote system is not secure (and an absence of any firewalling makes that decidedly suspect) then its doesn't matter what you do to your connection - you can't be confident of security. This is particularly true for an NFS server where authentication is not tied into the underlying protocol.

If you're assertions are correct (which I find astonishing) then find out who configured the server this way and block them out before they can do any more harm.

If you need access to NFS across the internet, use a VPN (IPSEC, SSL tunnel, SSH tunnel, even pptp) and BLOCK all direct internet access (other than the secure connection) on the server.

You could tunnel it through SSH.

• Here is a guide for NFS4.
• Here is a guide for NFS3.

If NFS is used on the system, please proceed via the following measures:

1. If possible only allow read-only access to your exported data (-ro)
2. Do not export the root folder / or /etc
3. Deactivate NFS, if you do not wish to export any file systems.
4. Access to NFS exports must be restricted to specified hosts
5. If zfs filesystems are present, check also their attributes do not configure them to be shared over NFS.
6. Use the -nosuid option for mounting folders, to prevent execution of setuid programs.
7. Use the –nodev option for mounting folders, to prevent the sharing of device files.

There is a nice article on linuxjournal Encrypting NFSv4 with Stunnel TLS which explains how to use stunnel to protect NFSv4 traffic.

Inspired by this publication the NFS IETF working group on RPC-over-TLS protocol, that aims to add a native TLS support to NFS protocol (and any other protocol based on ONC/Sun RPC).