Secure KVM switch a good fit for government

 


Belkin's DisplayPort Secure KVM locks down sound and video channels, ensuring that no data can cross networks.

Secure keyboard, video and mouse (KVM) switches are a type of product almost uniquely targeted towards government. Although anyone with more than one PC can make use of a KVM switch so that only one monitor and keyboard are needed to support multiple systems, only government workers are required to ensure that not even a hint of a signal can cross paths. That's because government deals with networks of different security levels, and data can't be allowed to move from one level to the other. Each computer either needs to have its own monitor, keyboard and mouse, or the KVM needs to be highly secure.

We've reviewed many secure KVM switches over the years, though they have all had either DVI or VGA video ports. One might think that the recent popularity of both DisplayPort and HDMI technology in new desktops would lead secure switch-makers to that format, especially given that most thin-client systems use one of those to save space in their tiny boxes. But both formats present unique challenges for KVM makers, one of the biggest being that the cables carry both video and sound data. So most manufacturers have stayed away despite the growing demand.

Belkin International, however, has jumped at the challenge with the DisplayPort Secure KVM Switch. We were able to test one of the first units of the new line, a four-port model that is expected to sell for around $799. We hooked it up in the GCN Lab to multiple computers and put it through its paces to see how secure the unit was overall, and how well it was able to deliver the DisplayPort video signals.

To start with, Belkin has secured the entire supply chain for the new model. The KVMs are shipped in boxes that require a user to pull open a tab to get inside. A tab that’s already pulled not only shows clear evidence of tampering, but also breaks the main support for the container, making flattening it out for recycling or disposal a much easier task. Should the unit itself actually be opened, it will cease to operate, so the special shipping box is just another layer of security to ensure peace of mind. And all of the chips are soldered in place so that removing them would also render the device inoperable. It’s easy to see why the unit recently was certified to EAL level 4+.

We hooked up four systems to the unit and noticed that our keyboard lights no longer worked. That is because inside the switch there are optical data diodes that allow data to flow in only one direction over each channel. For something like the CapsLock key to illuminate, information needs to be sent to the keyboard from the computer, but that won't happen with this secure KVM because the diode prevents it. Users can rest assured that no data can dribble from a secure to an open system because of a keyboard buffer.

Additionally, only certain devices are allowed to connect to the KVM, namely those that are used for input, like a keyboard or a mouse. If you try to attach a camera or a microphone, they simply won't work. The only exception to the rule that was put in place for government workers is that you can add a CAC reader. But even then, the CAC reader is restricted to being used only as a read-only device.

There is no microphone port on the switch, as Luis Artiz, director of product management of the Business Division of Belkin International, has identified that as a vulnerability. He even wrote a paper for GCN about how dangerous having a microphone in a secure system can be, so there is no way he wanted one on his company's secure KVM.

But that brings up the issue that this is one of the first secure DisplayPort KVMs on the market. And DisplayPorts carry sound data. Belkin secured this by dividing up the signal into paths for video, sound and peripheral data, with each of the four channels having its own processor and emulator. No data could ever cross to another channel because each one only allows one-way communication within its own environment.

We hooked up a monitor that had speakers to the secure KVM, and it worked well, since a speaker does not violate the one-way communication rule. But when we tried to attach an admittedly rare monitor that also contained a microphone – it was designed for teleconferencing – the main unit worked, but the microphone no longer did. So even in that case, the KVM switch would prevent any data, even sounds, from skipping from one network to the next.

The video signal itself looked great, and was able to achieve the 3,840 by 2,160 resolution supported by the DisplayPort 1.2 signal, as well as the older 1.1 signal resolutions. Everything looked crisp and clear, and video benchmark performance was unaffected by first running the signal through the KVM.

Switching from one channel to another was close to instantaneous. We have seen some KVM switches that inject a delay in the switching time, of just about a second, to allow for keyboard buffers to clear, but since the Belkin Secure KVM Switch allows only one-way communications, this wasn't necessary.

A couple of nice usability features round out the package for this KVM. The DisplayPort cable locks into place and can't be removed without first squeezing the safety bars. So it won't jiggle loose, which is sometimes a problem with DisplayPort cables. We even suspended the KVM box itself by the cables with no ill effects, though you should probably set it down somewhere flat if you have the space.

Also, there are lots of color-coded options for the display LEDs at the front of the unit. Government workers tend to think of their networks in terms of color classifications, and there are quite a few to choose from when setting up this KVM. Simply pop the color you want over the white LED light. Artiz said that plates with the names of common government networks, like SIPRNet and NIPRNet, should also be available when the secure DisplayPort switch officially goes on sale. That might save admins some time by not having to break out the old labeler.

Agencies that want to take advantage of the new DisplayPort cables or use something like a series of thin clients can finally secure their environment and eliminate extra monitors, keyboards and mice, not to mention quite a few cables. Now that there is a good way to secure systems using the newer video technology, there really isn't any reason not to do so. 
