Security Basics mailing list archives

Re: KVMs

From: Crispin.Harris () didata com au
Date: Fri, 25 Feb 2005 09:48:40 +0800

(Resent to the list due to issues with HTML Formatting (my bad))

From: Tim Watkins <watkinstj () iimef usmc mil> [mailto:Tim Watkins <watkinstj () iimef usmc mil>]

Sent: Thursday, 17 February 2005 11:04 AM

To: security-basics () securityfocus com

Subject: KVMs

Had a quick question...

I have some users that want to use KVMs to switch between computers on 3
different / separate networks.

Are there any known security concerns about having networks set up this
way?

This really depends on the type of KVM you are talking about.

Switch-KVM - Where the switch connects to each console, and has a physical
cable (non-networked) running to a Keyboard/Video/Mouse.

IP-KVM - where the Switch connects to each console, and is then accessed
over the network

The first type (Switch-KVM) is the traditional KVM switch, and was first
implemented with simple "twist the dial" switch boxes. They are now
electronic, key-stroke controlled, Resolution aware, USB/PS-2 converting
intelligent pieces of physically connected kit.

These devices are safe in Restricted and Secret environments (don't quote
me - I have no military standing to justify this statement, but they do
comply with my understanding of Orange/Red Book requirements).

The IP-KVM is a whole different beast. These devices are analogous to
Serial Console servers, modem banks and other shared networking systems.

An IP-KVM allows a knowledgeable user to connect to a system console over
the IP network using one (or more) of a variety of protocols - including
(depending on the type of IP-KVM used) HTTP, HTTPS, HTTP/Java, RDP, ISA,
VNC and PCAnywhere. The IP-KVM may (or may not) implement additional
security, encryption or authentication beyond that offered by the
underlying Remote Terminal protocol.

In a military environment, IP-KVM would almost certainly constitute a
forbidden zone bridge, as a single device would be present in multiple
zones, unless the network interface of the IP-KVM resided in a zone that
has rights to see information in all the other zones.

This is the network equivalent of the restrictions on physical placement of
workstations - i.e. If the computer holds classified information, the
console (and access) to that computer must reside in a location of equal or
greater classification.

I hope that this helps.

Crispin.

P.S. I would be recommending that the individual use a (relatively) cheap
commercial Switch-KVM such as the Belkin OmniView, the LinkSys ProConnect,
D-Link DKVM to name a few.

I am thinking that if I can remote into the machine that touches the
cloud, I would be able to then bypass security and use that machine to
remote into the private network.

Any thoughts?

Tim
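The zone-bridging rule in the reply above, as an added example that is not from the post or from any KVM vendor: zones are modelled as lattice labels (a hierarchical level plus a set of compartments, an assumption in the Orange Book style the post mentions), and a KVM is a forbidden bridge when its access point (the physical console for a Switch-KVM, the network interface for an IP-KVM) does not dominate the zone of every host it reaches.

```python
"""Zone-dominance check for KVM placement.

Rule from the post: the console (or an IP-KVM's network interface) must sit
in a zone whose classification is equal to or greater than every host it can
reach; otherwise the device bridges zones it is not cleared to bridge.
"""
from dataclasses import dataclass

# Constructed ordering of hierarchical levels (assumption, not from the post).
LEVELS = {"UNCLASSIFIED": 0, "RESTRICTED": 1, "CONFIDENTIAL": 2, "SECRET": 3}


@dataclass(frozen=True)
class Zone:
    name: str
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Zone") -> bool:
        """Lattice dominance: level at least as high AND a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def kvm_placement_violations(access_zone: Zone, host_zones: list) -> list:
    """Names of attached host zones the access point is not cleared to see.

    An empty list means the KVM is not a forbidden zone bridge."""
    return [z.name for z in host_zones if not access_zone.dominates(z)]


# Constructed sample: three separate networks, as in the original question.
admin_lan = Zone("admin-lan", "RESTRICTED")
finance = Zone("finance", "CONFIDENTIAL", frozenset({"FIN"}))
ops = Zone("ops", "SECRET")
hosts = [admin_lan, finance, ops]

# Switch-KVM: the only access path is the physical console in a cleared room.
secure_room = Zone("secure-room", "SECRET", frozenset({"FIN"}))
# IP-KVM: the access path is its network interface, here placed on the admin LAN.
ip_kvm_nic = Zone("ip-kvm-nic", "RESTRICTED")

if __name__ == "__main__":
    print("Switch-KVM console in secure room:", kvm_placement_violations(secure_room, hosts))
    print("IP-KVM interface on admin LAN:", kvm_placement_violations(ip_kvm_nic, hosts))
```

The IP-KVM case reports the finance and ops zones as violations because its RESTRICTED interface would expose consoles of higher classification; moving that interface into a zone that dominates all three (as the post suggests) clears the list.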