Secure KVM switch a good fit for government
- By John Breeden II
- Nov 06, 2013
Secure keyboard, video and mouse (KVM) switches are a type of product almost uniquely targeted towards government. Although anyone with more than one PC can make use of a KVM switch so that only one monitor and keyboard are needed to support multiple systems, only government workers are required to ensure that not even a hint of a signal can cross paths. That's because government deals with networks of different security levels, and data can't be allowed to move from one level to the other. Each computer either needs to have its own monitor, keyboard and mouse, or the KVM needs to be highly secure.
We've reviewed many secure KVM switches over the years, though they have all had either DVI or VGA video ports. One might think that the recent popularity of both DisplayPort and HDMI technology in new desktops would lead secure switch-makers to that format, especially given that most thin-client systems use one of those to save space in their tiny boxes. But both formats present unique challenges for KVM makers, one of the biggest being that the cables carry both video and sound data. So most manufacturers have stayed away despite the growing demand.
Belkin International, however, has jumped at the challenge with the DisplayPort Secure KVM Switch. We were able to test one of the first units of the new line, a four-port model that is expected to sell for around $799. We hooked it up in the GCN Lab to multiple computers and put it through its paces to see how secure the unit was overall, and how well it was able to deliver the DisplayPort video signals.
To start with, Belkin has secured the entire supply chain for the new model. The KVMs are shipped in boxes that require a user to pull open a tab to get inside. A tab that’s already pulled not only shows clear evidence of tampering, but also breaks the main support for the container, making flattening it out for recycling or disposal a much easier task. Should the unit itself actually be opened, it will cease to operate, so the special shipping box is just another layer of security to ensure peace of mind. And all of the chips are soldered in place so that removing them would also render the device inoperable. It’s easy to see why the unit recently was certified to EAL level 4+.
We hooked up four systems to the unit and noticed was that our keyboard lights no longer worked. That is because inside the switch there are optical data diodes that allow data only to flow in one direction over each channel. For something like the CapsLock key to illuminate, information needs to be sent to the keyboard from the computer, but that won't happen with this secure KVM because the diode prevents it from happening. Users can rest assured that no data can dribble from a secure to an open system because of a keyboard buffer.
Additionally, only certain devices are allowed to connect to the KVM, namely those that are used for input, like a keyboard or a mouse. If you try to attach a camera or a microphone, they simply won't work. The only exception to the rule that was put in place for government workers is that you can add a CAC reader. But even then, the CAC reader is restricted to being used only as a read-only device.
There is no microphone port on the switch, as Luis Artiz, director of product management of the Business Division of Belkin International, has identified that as a vulnerability. He even wrote a paper for GCN about how dangerous having a microphone in a secure system can be, so there is no way he wanted one on his company's secure KVM.
But that brings up the issue that this is one of the first secure DisplayPort KVMs on the market. And DisplayPorts carry sound data. Belkin secured this by dividing up the signal into paths for video, sound and peripheral data, with each of the four channels having their own processor and emulator. No data could ever cross to another channel because each one only allows one-way communication within its own environment.
We hooked up a monitor that had speakers to the secure KVM, and worked well, since a speaker does not violate the one-way communication rule. But when we tried to attach an admittedly rare monitor that also contained a microphone – it was designed for teleconferencing – the main unit worked, but the microphone no longer did. So even in that case, the KVM switch would prevent any data, even sounds, from skipping from one network to the next.
The video signal itself looked great, and was able to achieve the 3,840 by 2,160 resolution supported by the DisplayPort 1.2 signal, as well as the older 1.1 signal resolutions. Everything looked crisp and clear, and video benchmark performance was unaffected by first running the signal through the KVM.
Switching from one channel to another was close to instantaneous. We have seen some KVM switches that inject a delay in the switching time, of just about a second, to allow for keyboard buffers to clear, but since the Belkin Secure KVM Switch allows only one-way communications, this wasn't necessary.
A couple of nice usability features round out the package for this KVM. The DisplayPort cable locks into place and can't be removed without first squeezing the safety bars. So it won't jiggle lose, which is sometimes a problem with DisplayPort cables. We even suspended the KVM box itself by the cables with no ill-effects, though you should probably sit it down somewhere flat if you have the space.
Also, there are lots of color-coded options for the display LEDs at the front of the unit. Government workers tend to think of their networks in terms of color classifications, and there are quite a few to choose from when setting up this KVM. Simply pop the color you want over the white LED light. Artiz said that plates with the names of common government networks, like SIPRNet and NIPRNet, should also be available when the secure DisplayPort switch officially goes on sale. That might save admins some time by not having to break out the old labeler.
Agencies that want to take advantage of the new DisplayPort cables or use something like a series of thin clients can finally secure their environment and eliminate extra monitors, keyboards and mice, not to mention quite a few cables. Now that there is a good way to secure systems using the newer video technology, there really isn't any reason not to do so.