Security Basics mailing list archives
Re: KVMs
From: Crispin.Harris () didata com au
Date: Fri, 25 Feb 2005 09:48:40 +0800
(Resent to the list due to issues with HTML Formatting (my bad))
From: Tim Watkins <watkinstj () iimef usmc mil> [mailto:Tim Watkins
<watkinstj () iimef usmc mil>]
Sent: Thursday, 17 February 2005 11:04 AM
To: security-basics () securityfocus com
Subject: KVMs
Had a quick question...
I have some users that want to use KVMs to switch between computers on 3
different / separate networks.
Are there any known security concerns about having networks set up this
way?

This really depends on the type of KVM you are talking about.

Switch-KVM - Where the switch connects to each console, and has a physical cable (non-networked) running to a Keyboard/Video/Mouse.

IP-KVM - Where the switch connects to each console, and is then accessed over the network.

The first type (Switch-KVM) is the traditional KVM switch, and was first implemented with simple "twist the dial" switch boxes. They are now electronic, key-stroke controlled, resolution-aware, USB/PS-2 converting intelligent pieces of physically connected kit. These devices are safe in Restricted and Secret environments (don't quote me - I have no military standing to justify this statement, but they do comply with my understanding of Orange/Red Book requirements).

The IP-KVM is a whole different beast. These devices are analogous to serial console servers, modem banks and other shared networking systems. An IP-KVM allows a knowledgeable user to connect to a system console over the IP network using one (or more) of a variety of protocols - including (depending on the type of IP-KVM used) HTTP, HTTPS, HTTP/Java, RDP, ISA, VNC and PCAnywhere. The IP-KVM may (or may not) implement additional security, encryption or authentication beyond that offered by the underlying remote terminal protocol.

In a military environment, an IP-KVM would almost certainly constitute a forbidden zone bridge, as a single device would be present in multiple zones, unless the network interface of the IP-KVM resided in a zone that has rights to see information in all the other zones. This is the network equivalent of the restrictions on physical placement of workstations - i.e. if the computer holds classified information, the console (and access) to that computer must reside in a location of equal or greater classification.

I hope that this helps.

Crispin.

P.S. I would be recommending that the individual use a (relatively) cheap commercial Switch-KVM such as the Belkin OmniView, the LinkSys ProConnect or the D-Link DKVM, to name a few.
I am thinking that if I can remote into the machine that touches the
cloud, I would be able to then bypass security and use that machine to remote into the private network.
Any thoughts?
Tim
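The "equal or greater classification" rule Crispin describes, as an added example that is not part of this thread: a small Python check that applies the physical-placement rule to a Switch-KVM and the zone-bridge rule to an IP-KVM. The level names, host and device names, and the adds_encryption flag are assumptions, and the ordering is a simplified linear one with no compartments.

```python
from dataclasses import dataclass, field
from typing import List

# Assumption: a simple linear classification ordering (no compartments); a higher number dominates lower ones.
LEVELS = {"UNCLASSIFIED": 0, "RESTRICTED": 1, "CONFIDENTIAL": 2, "SECRET": 3}

@dataclass
class Host:
    name: str
    level: str  # classification of the data held on this console

@dataclass
class Kvm:
    name: str
    kind: str  # "switch" = physically cabled console, "ip" = reached over the network
    access_level: str  # zone of the console location (switch) or of the network interface (ip)
    hosts: List[Host] = field(default_factory=list)
    adds_encryption: bool = False  # ip only: protection beyond the underlying remote-terminal protocol

def placement_findings(kvm: Kvm) -> List[str]:
    """Return rule violations for one KVM; an empty list means the placement is acceptable."""
    access = LEVELS[kvm.access_level]
    above = [h for h in kvm.hosts if LEVELS[h.level] > access]  # consoles the access point is not cleared for
    findings = []
    if kvm.kind == "switch":
        # Physical rule: the keyboard/video/mouse must sit in a location of equal or greater classification.
        for h in above:
            findings.append(f"{kvm.name}: {h.name} ({h.level}) is above the console location ({kvm.access_level})")
    elif kvm.kind == "ip":
        # Network rule: one device in several zones is a bridge unless its interface zone dominates them all.
        if above:
            zones = sorted({h.level for h in kvm.hosts}, key=LEVELS.get)
            findings.append(f"{kvm.name}: zone bridge, {kvm.access_level} interface reaches {', '.join(zones)}")
        if not kvm.adds_encryption:
            findings.append(f"{kvm.name}: relies solely on the remote-terminal protocol for encryption/authentication")
    else:
        raise ValueError(f"unknown KVM kind: {kvm.kind!r}")
    return findings

def demo() -> List[str]:
    """Constructed three-network scenario: the same consoles behind a Switch-KVM and behind an IP-KVM."""
    consoles = [Host("admin-net", "UNCLASSIFIED"), Host("ops-net", "RESTRICTED"), Host("cmd-net", "SECRET")]
    desk_switch = Kvm("desk-switch", "switch", "SECRET", consoles)  # console sits in a SECRET room
    ip_kvm = Kvm("rack-ipkvm", "ip", "RESTRICTED", consoles, adds_encryption=True)  # interface on the RESTRICTED LAN
    return placement_findings(desk_switch) + placement_findings(ip_kvm)

if __name__ == "__main__":
    print("\n".join(demo()) or "no findings")
```

The Switch-KVM in a SECRET room passes, while the same three consoles behind an IP-KVM whose interface sits on the RESTRICTED LAN are reported as a zone bridge.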