Spotted the docs for using VyOS as a console server here.
Two questions:
Firewall-wise, what would be the best methods for security in this case?
Could something like port knocking be used?
Device-wise, what would be some good hardware for multiple USB devices or a copper RJ45 interface serial device? A lot of console servers can do RJ45, so regular patch cables work into console ports.
Use an encrypted VPN as the outer layer of security, preferably terminated on a different box, to avoid a “single point of failure” in case something bad occurs to the VyOS config itself.
For example, a WireGuard site-to-site tunnel through which you then use SSH to this VyOS console server and finally log in to the target system over the serial link.
Then set up local firewall rules on the VyOS box; these could be network-based instead of host-based. Just a basic rule from 10.0.0.0/8 to 10.0.0.0/8 (assuming your mgmt network uses that range) will go far, effectively killing off any other connection attempts no matter what the TCP/UDP port is. That is zero management effort over time.
Most of the leakage we see these days from vulnerabilities in FortiGate, Check Point, Palo Alto Networks etc. is mainly possible because the mgmt interfaces are exposed towards the Internet and other publicly accessible networks.
Also, don't forget to configure a TTL on each serial access. VyOS doesn't seem to currently support this through the console-server feature, so this must be done on each endpoint. The point of doing this is that if/when you disconnect but don't log out, the next person who logs in to this console server will be able to access the target system directly without an additional username/password, which you probably don't want (it's not uncommon to use RADIUS or similar to keep track of who was logged in to what and when, and by that also who did what to which box).
Probably, but I would prefer an outer layer of a proper encrypted VPN to begin with. See above for why.
You should probably get away with some USB hub + those RJ45-to-USB cables (which also exist as DB9-to-USB). Things to consider here are the power usage of each USB-serial cable, but also mounting this USB hub so it won't put unnecessary strain on the USB port itself (there could be some weight if you have like 8 of those USB-serial cables hanging off a USB hub).
Another thing to consider is to locate a USB-serial cable that has micro-USB and/or USB-C on the other end, which seems to be getting more common lately as the serial interface of other routers/switches/firewalls.
It would also be of interest if you locate hardware in this segment which isn't made in China, which just about +90% seems to be these days.
And finally, the question is whether this is worth it. I mean price-wise, having a PC with let's say 2 NICs, 2 PSUs, 4 (or however many might be needed) USB hubs and then like 16 or more of these USB-serial cables vs. just getting a serial console server from let's say Aten, who have all this built into one device, where all you need is TP cables to connect it to the target systems:
There is probably some sweet spot where using VyOS as a console server + a few USB-serial cables is cheaper than having an SCS as above.
Console ports can be exposed via SSH (optional), thus you can use regular security on the router's SSH port and then locally connect to one of the serial ports.
From a hardware perspective I use FTDI-based devices/cables.
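
The network-based rule and the per-port SSH access discussed in this thread, as an added configuration sketch that is not part of any post and not the VyOS project's own example. It assumes VyOS 1.4-style firewall syntax (older releases use a different firewall tree), a management range of 10.0.0.0/8, and constructed device names and port numbers (ttyUSB0, ttyUSB1, 2201, 2202).

```vyos
# Added example. Assumptions: VyOS 1.4-style syntax ("firewall ipv4 ..."),
# mgmt range 10.0.0.0/8, constructed device names and SSH ports.

# Serial ports published over SSH, one TCP port per target system
# ttyUSB0 -> first target system (constructed)
set service console-server device ttyUSB0 speed '115200'
set service console-server device ttyUSB0 ssh port '2201'
# ttyUSB1 -> second target system (constructed)
set service console-server device ttyUSB1 speed '9600'
set service console-server device ttyUSB1 ssh port '2202'

# Traffic addressed to the box itself: drop unless explicitly allowed
set firewall ipv4 input filter default-action 'drop'

# Loopback traffic between services running on the box
set firewall ipv4 input filter rule 5 action 'accept'
set firewall ipv4 input filter rule 5 source address '127.0.0.0/8'

# Replies to connections the box opened itself (DNS, NTP, RADIUS, ...)
set firewall ipv4 input filter rule 10 action 'accept'
set firewall ipv4 input filter rule 10 state 'established'
set firewall ipv4 input filter rule 10 state 'related'

# The single network-based rule: mgmt range to mgmt range, any protocol/port.
# Covers SSH on 22 and the per-device ports 2201/2202 without listing them,
# so adding another serial device needs no firewall change.
set firewall ipv4 input filter rule 20 action 'accept'
set firewall ipv4 input filter rule 20 source address '10.0.0.0/8'
set firewall ipv4 input filter rule 20 destination address '10.0.0.0/8'

# Apply with automatic rollback in case the rule set cuts off your own session
commit-confirm 5
```

After `commit-confirm 5`, enter `confirm` from a session that still works; otherwise the change is rolled back.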