I have two systems in a rack that are directly linked together with a 0.25m Cat 5e cable so they can exchange data via NFS. As you may know, plain NFS does not inherently support encryption or user authentication so the data is potentially sniffable/interceptable/accessible to third parties, but since the two systems are locked in a server room inside a locked rack the risk is considered sufficiently mitigated at the moment.
I may have a need for one of the systems to be put in a locked room+cabinet elsewhere on the LAN which means the two units will be linked via the building's data wiring (data point to data point via a patch panel link), but this means the link is no longer contained in a secure environment so I am looking for a pair of devices that will encrypt the link. I cannot use any form of s/w tunnelling or encryption as one of the systems is proprietary (it's not running an off-the-shelf OS) and there's no such app/functionality to install on it - the only link option is via NFS.
I imagine I could create a hardware VPN link using a pair of 'xDSL' routers that support such functionality and have gigabit WAN ports - this would be a cheap option, but the ones that I know have relatively slow VPN functionality (40-50Mbit/s). I have also found some multi-port 'security' devices/switches that will do the job, but the cost is looking very high and the kit is overkill for a single link.
I have considered a pair of gigabit powerline adaptors locked inside the cabinets, but distance and power phasing may mean this doesn't work. Fibre is an option too, but before I go there...
Has anyone come across a simple 'dongle-type' pair of devices - preferably gigabit speed - that can be plugged onto the ends of a cat 5e data link that will transparently encrypt the link traffic? Thanks
Why not just get 2 super cheapo small form factor Linux boxes, set up an OpenVPN tunnel between them, and send all traffic through those boxes, splitting the NFS traffic off to go over the VPN link? Is that an option? This would avoid the WAN port speed issue.
You may only need 1, for the proprietary end of the link, which brings the costs down even more.
Regardless of how many ports you buy, I'm pretty confident that it'll cost an absolute bomb. Anything that isn't commodity isn't going to be cheap, and this is about as "non-commodity" as it gets, with the added cost multiplier of involving "security".
You could run NFSv4 with Kerberos and get strong authentication and full encryption. Assuming that you have a working Kerberos environment you'll need to set the security type to krb5p, which will protect all of the NFS RPC calls between client and server.

What is the possibility of just running a separate cat5/6 network for these servers? Possibly cheaper than fiber.