If you want to leave security to the switch, use 802.1x port-based authentication with a secure protocol.
Yes. That would help, and it would also stop man-in-the-middle attacks, at least between the switch and the Hosts n. Have you got experience of what performance impact 802.1x has on 1 Gbit/s Ethernet?
As I understand 802.1x, you can use it to only authenticate the client, with traffic unencrypted, which should have no real performance impact. (And maybe that's enough for you.)
If you want to encrypt the whole communication, the performance impact on the network itself will also not do too much harm. The performance impact is mainly caused by key negotiation, which is normally done every 5 minutes for every connection. You can set a longer time, which will be less secure, but anyway far more secure than clear text. You will need some CPU for key negotiation, and a little CPU for shifting and XOR-ing the payload.
Just compare it to HTTP versus HTTPS, but more effective due to the long-term connections.
Maybe this link helps: http://iase.disa.mil/stigs/whitepaper/802.1x_primer.doc
Thanks. Reading this document, 802.1x seems to be built exactly for this purpose.
already too late to secure protocols like NFS, which are not designed to be used on an insecure network.
This is the design flaw in the network that currently cannot be fixed. That is also why I'm coming up with the idea of marking the packets.
If you have control over the client and the server, why not use AFS instead of NFS? AFS supports strong authentication and _encryption_ of transported data.
Because we use AFS and we know about its security features. However, experience shows that it has never really been working reliably. Imagine that Hosts n may be several hundred machines, most probably mounting a total of more than 2000 NFS shares. Even NFS3 has a problem with this sort of load. We thought about using NFS4, but other colleagues had bad experiences with it. The last alternative would be Samba and CIFS.
But that's all too much work.
Philipp
Nice environment. ;-)
Yes, it is. It keeps 15 admins running. We enjoy it. ;) Thank you for your time and input.
Philipp