Secure Desktop KVM Switch Update. Keep classified information classified.

Similar documents
CIS 551 / TCOM 401 Computer and Network Security. Spring 2006 Lecture 7

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 6

Recommended Best Practices for the Design of Secure Multi-Domain KVM and Video Routing Systems

BELKIN BUSINESS INTRODUCTION

Frontiers in Cyber Security: Beyond the OS

CIS 551 / TCOM 401 Computer and Network Security

Meeting Cyber Security Challenges

Common Access Card Application

Juniper Networks Secure

Microsemi Security Center of Excellence

PROCESS AUTOMATION. OPERATING AND MONITORING IN HAzARDOUS AREAS AND INDUSTRIAL ENVIRONMENTS PRODUCT OVERVIEW

Protecting your information

THE CHALLENGES OF DATA SECURITY IN THE MODERN OFFICE

GOVERNMENT & MILITARY

Who is Watching You? Video Conferencing Security

IT Compliance Volume II

Computer Literacy. Hardware & Software Classification

Security Principles. Related to. Handset Theft

QUESTIONS & ANSWERS. ItB tender 72-09: IT Equipment. Elections Project

Smart Card Deployment in the Data Center: Best Practices for Integrating Smart Card Authentication in a Secure KVM Environment

Adopt a unified, holistic approach to a broad range of data security challenges with IBM Data Security Services.

Securing Computing Resources from USB Borne Viruses and Malware. White Paper

HC Emission Protected Security Workstation

Intelligent Solutions for the Highest IT Security Requirements

Legislative Council Panel on Information Technology and Broadcasting. Information Security

Bristol ControlWave Redundant Control

Figure 1. Front and Back of a Computer Case

Data Security Concerns for the Electric Grid

Reference Guide for Security in Networks

HANDBOOK 8 NETWORK SECURITY Version 1.0

Department of Defense INSTRUCTION. SUBJECT: Communications Security (COMSEC) Monitoring and Information Assurance (IA) Readiness Testing

Sophistication of attacks will keep improving, especially APT and zero-day exploits

Improvements Needed With Host-Based Intrusion Detection Systems

Securing OS Legacy Systems Alexander Rau

1000-Channel IP System Architecture for DSS

How To Manage A System Vulnerability Management Program

BUDGET LETTER PEER-TO-PEER FILE SHARING , , EXECUTIVE ORDER S-16-04

Cryptographic Modules, Security Level Enhanced. Endorsed by the Bundesamt für Sicherheit in der Informationstechnik

Server Based Desktop Virtualization with Mobile Thin Clients

Confinement Problem. The confinement problem Isolating entities. Example Problem. Server balances bank accounts for clients Server security issues:

Electronic Crime Scene Investigation: A Guide for First Responders, Second Edition

PC & EMBEDDED CONTROL TRENDS

WHITE PAPER. Enterprise Wireless LAN Security

USB 3.0* Radio Frequency Interference Impact on 2.4 GHz Wireless Devices

Security Solutions. Concerned about information security? You should be!

New Mexico Broadband Program. Basic Computer Skills. Module 1 Types of Personal Computers Computer Hardware and Software

TEST CHAPTERS 1 & 2 OPERATING SYSTEMS

Windows 7 for beginners

The EVA Solution to Physical Security

Deliver instant switching in four different modes for data center, control room, pooling, and similar applications.

Cyber Threats in Physical Security Understanding and Mitigating the Risk

Information Technology Cyber Security Policy

SYSTEMS SECURITY ENGINEERING

Security Threats on National Defense ICT based on IoT

Endpoint protection for physical and virtual desktops

3M Cogent, Inc. White Paper. Beyond. Wiegand: Access Control. in the 21st Century. a 3M Company

IP Link Best Practices for Network Integration and Security. Introduction...2. Passwords...4 ACL...5 VLAN...6. Protocols...6. Conclusion...

PU-USBX. USB over Ethernet Extender OPERATION MANUAL

Directives and Instructions Regarding Security and Installation of Wireless LAN in DoD Federal Facilities

Delivers instant switching in four different modes for data center, control room, pooling and similar applications.

Hardware Requirements

Data Loss Prevention Program

Thin Client Total Cost of Ownership & ACP ThinManager Enterprise Software Advantages. White Paper

SMART Board 8055i and 8055i-SMP

What is Really Needed to Secure the Internet of Things?

Security for Videoconferencing. A guide to understanding, planning, and implementing secure compliant ISDN & IP videoconferencing solutions

TOP 3 STRATEGIES TO REDUCE RISK IN AUTOMOTIVE/IN-VEHICLE SOFTWARE DEVELOPMENT

Best Practices for DanPac Express Cyber Security

SCADA SYSTEMS AND SECURITY WHITEPAPER

Outline. IT Security: General Trends and Research Directions. Technical Attacks. Typical attack. Automated attacks via Worms, Trojans, & Viruses

12 FAM 650 ACQUISITION SECURITY REQUIREMENTS FOR OPERATING SYSTEMS AND SUBSYSTEM COMPONENTS

YOUR HIPAA RISK ANALYSIS IN FIVE STEPS

Fundamentals of Information Systems Security Unit 1 Information Systems Security Fundamentals

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

Computer Hardware HARDWARE. Computer Hardware. Mainboard (Motherboard) Instructor Özgür ZEYDAN

Windows Embedded Security and Surveillance Solutions

Computer Performance. Topic 3. Contents. Prerequisite knowledge Before studying this topic you should be able to:

Dual DVI USB KVM Switch

CYBER SECURITY. Novel Approaches for Security in Building Automation Systems. J. Kaur, C. Herdin, J. Tonejc, S. Wendzel, M. Meier, and S.

How to Install a Motherboard

BLACK BOX Scalable matrix KVM switch supports up to 1024 ports with fiber or copper cable.

On Security Evaluation Testing

Side Channel Analysis and Embedded Systems Impact and Countermeasures

Pano Device. Data Sheet. How It Works: Key Benefits:

Common Criteria Evaluations for the Biometrics Industry

Does it state the management commitment and set out the organizational approach to managing information security?

A Cost-efficient Building Automation Security Testbed for Educational Purposes

SMART Board 8070i-SMP and 8070i

Everything You Wanted to Know about DISA STIGs but were Afraid to Ask

Endpoint protection for physical and virtual desktops

4. Objective. To provide guidelines for IS requirements and LCM support under NMCI.

DVI KVM Switches DP-MUX 7.4

Navigate Your Way to NERC Compliance

The Virtualization Practice

CryptoFirewall Technology Introduction

Intelligent Solutions for the Highest IT Security Demands

The evolution of data connectivity

CSE331: Introduction to Networks and Security. Lecture 32 Fall 2004

UNCLASSIFIED (U) U.S. Department of State Foreign Affairs Manual Volume 5 Information Management 5 FAM 870 NETWORKS

Security Implications Associated with Mass Notification Systems

Transcription:

Secure Desktop KVM Switch Update Keep classified information classified.

Introduction Until recently, the National Information Assurance Partnership (NIAP) used Common Criteria Evaluation & Validation Scheme (CCEVS) to evaluate and approve KVM switches for security. EAL2 and EAL4+ are tests regarding the process of the design, testing, verification, and shipping of security products. This protection profile is an international standardized process for information technology security evaluation, validation, and certification. NIAPhas determined that EAL and CCEVS are no longer adequate security standards for KVM switches that connect to systems with differing security classifications. As a result, they upgraded the Protection Profile (PP) for peripheral sharing switches to PPS 3.0. Still, the next generation of secure switches are going to need to be TEMPEST-approved for the tightest security measures available. Desktop KVM Switches A desktop KVM switch, at its most basic, is simply a hardware device that enables one workstation consisting of a keyboard, video monitor, and mouse to control more than one CPU. Desktop KVM switches are usually 2- or 4-port switches, and by pushing a button or using keystrokes, users can easily access information and applications on completely separate systems. KVM technology provides monitoring solutions for automation, processes, and workflow. It gives users improved operability and a quick return on investment due to better workplace ergonomics and productivity. KVM switches enable users to save space by reducing interface devices; save costs by eliminating redundant peripherals. Use of KVM devices reduces heat in a work area, and saves power. Secure Desktop KVM Secure KVM switches fill a special need in desktop switching for users, such as those in law enforcement, military, or security, who need to access information stored at different classification levels on physically separate systems. Government agency systems that could include classified information SIPRNet Secure Internet Protocol Router Network is a system of connected computer networks used by the U.S. Department of Defense (DoD) and the U.S. Department of State to transmit classified information. 1 GWAN Government Wide Area Network NSANET The Intranet system of the National Security Agency of the United States. JWICS Joint Worldwide Intelligence Communications System Site TS/SI/TK/B Ops Net Top Secret, Signal Intelligence, Talent Keyhole, Background NIPRNET Nonsecure Internet Protocol Router Network is used to exchange sensitive but unclassified information between internal users as well as providing access to the Internet. 2 1. http://en.wikipedia.org/wiki/siprnet 2. http://en.wikipedia.org/wiki/niprnet Agency Systems / Classified information 2

In the past, to ensure security, in government or military applications, KVM systems were disregarded. Computers with different security classifications each had their own keyboard, monitor, and mouse. With the advent of specially constructed KVM switches, secure KVM became a viable technology solution. A secure KVM switch is a 2- or 4-port desktop switch that provides control and separation of PCs connected to networks of differing security classifications. Security Issues Microprocessor malfunction or unanticipated software bugs cause data to flow between ports. Timing analysis attacks, which means a snooper looking at what happens on one port to determine data flow patterns on another. Malicious modification of microprocessor software causing data to leak between ports. Through isolated ports, permanent hard-wiring, and other types of hardware features, security issues are eliminated. Security Solutions Secure desktop KVM switches mitigate these threats by adhering in their design to strict standards for data separation. 3 Unidirectional data flow is enforced by hardware data diodes so data isolation doesn t rely on software integrity. Only one computer is connected at a time to any shared circuitry. Links are unidirectional, preventing timing analysis. Security Issues / Solutions Subversive snooping by detecting electromagnetic radiation emitted from the equipment. Detection of signals on one computer by monitoring for crosstalk (leakage) signals on another computer. Signaling by shorting the power supply or loading the power. Data transfer by means of common storage or common RAM. Physically tampering with the switch. Microprocessors are one-time programmable and soldered on the board. Data isolation does not rely on software; it is ensured by hardware. Carefully shielded metal case with dual shielding in critical areas and a low emissions profile. Each port is independently powered by its USB port. Shorting the power supply on one port will not cause the power on the other ports to be switched off. Shared circuitry and the keyboard and mouse are powered down at each switchover to clear all volatile memory of any previous connections. The switch is designed with tamper-proof seals to be fitted over the countersunk screws. 3

Changes to Authority for Validation New rules pending Think of it as having air bags in a vehicle. The airbags ensure safety in the case of a crash, but don t stop a car from being stolen. Similarly, EAL certification, while ensuring some level of internal security, did not stop certain attacks from external sources. NIAP-approved secure KVM switches until very recently used a validation system known as Common Criteria (CC). The NIAP CC Evaluation and Validation Scheme (CCEVS) is managed and staffed by the National Security Association (NSA). The focus of CCEVS is to establish a national program for the evaluation of information technology products to the International CC for Information Technology Security Evaluation. Definition of TEMPEST TEMPEST testing, while classified, is regarded a process that assesses the port-to-port isolation required for certain KVM switches. A TEMPEST approval means the necessary isolation is achieved and qualified. Additionally the threat of data linking by various covert electromagnetic eavesdropping mechanisms have been evaluated and found to be secure. The TEMPEST designation is often required by military organizations. TEMPEST, as a security standard, pertains to technical security countermeasures, standards, and instrumentation that prevent or minimize the exploitation of vulnerable data communications equipment by technical surveillance or eavesdropping. A full suite of protections should include: Software security Physical security Common Access Card (CAC) support Port separation Memory buffers True KVM functionality Common Criteria (CC) Validation Process no longer considered rigorous enough to protect against hacking and data leaks. C The former standard approved by NIAP was only effective for CPUs connected to multiple networks of the same level or classification, for example for SIPRNET to SIPRNET (that is, secure networks to secure networks). Keyboard and mouse devices can only be enumerated at the keyboard and mouse ports. Devices such as flash drives, mass storage units, or cameras any device that could potentially capture data will be rendered useless if connected to a USB port on a secure KVM switch. Port isolation facilitates RED/BLACK data separation. Channel-to-channel >60-dB or >80-dB crosstalk isolation protects against signal snooping, so software tools and applications cannot be used to access any connected computer from another connected computer. Data isolation through hardware makes it impossible for the computer to send data along the keyboard and mouse signaling channels. Unidirectional data flow like this prevents the K/M interfaces from becoming convert computer-to-computer signaling channels from software holes or unanticipated bugs. Memory is automatically cleared after data is transmitted through the KVM switch. No residual data is ever left in the device. Common Criteria / Tempest 4

Conclusion The security situation confronting the United States has changed drastically in two decades. In order to enhance their assurance, U.S. agencies should ensure the products they choose fit the highest security profile available, and potentially exceed those requirements. While this white paper focuses on government and military applications for secure desktop KVM switching, cyber attacks can happen to any institution. Security is vital to data at universities, research and development departments, the energy sector, and larger corporations as well. Any organization that values its data yet recognizes that users need access to the wider Internet would do well to consider their KVM switching options. Choosing a secure KVM switch requires more than comparing features and looking for an EAL validation. Different devices rated EAL2 or EAL4+ can vary widely in functionality, and may not provide the degree of security available for switching between systems with different security classifications. Only a full and careful evaluation of the full set of specifications detailed in a Validation Report plus additional protections can ensure a product meets the needs of the qualifying agency. About Black Box # of Ports DVI VGA TEMPEST EAL Part # 2 via adapter SW2007A-USB 4 via adapter SW4007A-USB 2 Level 1 SW2006A-USB-EAL 4 Level 1 SW4006A-USB-EAL 2 via adapter SW2008A-USB-EAL 4 via adapter SW4008A-USB-EAL Copyright 2015. All rights reserved. Black Box and the Double Diamond logo are registered trademarks of BB Technologies, Inc. Any third-party trademarks appearing in this white paper are acknowledged to be the property of their respective owners. WP00079-Secure KVM_v1 (B) 5

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information