KVM Matrix systems are in common use in applications that require a large number of users to interact with a large number of computers. Examples include Command and Control centers, Air Traffic Control, Marine control, Broadcasting, NOC (Network Operating Centers) and emergency services. A KVM Matrix enables dynamic switching of computer resources to users, both to support the changing needs of each user and to enable recovery from failures of different scales. In the past, KVM Matrix systems used analog data switching. As analog signals are prone to quality degradation and limited in bandwidth, most KVM Matrix systems today switch digital signals. Switching digital signals can make use of proprietary serial digital protocols or may rely on standard IP (Internet Protocol) frames to carry the different computer interface signals. The use of high-speed CATX cables or optical fibers in KVM Matrix systems enables co-location of the computer resources away from the users. This setup enables more scalable and controlled deployment of computers and easier deployment of users over large sites. Other reasons for such co-location are the heat and noise generated by modern computers and the lack of space near the users.
KVM Matrix systems are typically controlled by their users, who request access to certain computing resources based on directory services (for example Microsoft Active Directory) through specific keyboard switching commands that are detected by the KVM Matrix. Larger KVM Matrix systems may have specific users, called directors, administrators or managers, who control the whole site.
KVM Matrix host transmitters or adaptors typically digitize the computer-generated video and audio. As video resolution and color depth are increasing faster than KVM Matrix fabric bandwidth, video compression and decompression is used. KVM Matrix receivers or console adaptors decompress the video and audio streams and generate standard video and analog audio output to drive the user display and speakers or headphones. Matrix receivers or console adaptors also digitize the user microphone audio input and the user keyboard and mouse commands. The resulting serial stream is routed back to the KVM Matrix host transmitters or adaptors to interface with the corresponding computer.
In February 2015, NIAP (the US National Information Assurance Partnership) released a new standard for KVM Switches and Matrix called “Protection Profile for Peripheral Sharing Switch Version 3.0”. This standard, adopted by the Common Criteria organization, offered a way to evaluate and test existing or new products to assure mitigation against the discovered types of data leakage. Since this standard was released, no vendor has been able to certify its existing product against it, as prior-art products lack some of the basic security mechanisms required by the standard.
IHSE GmbH, Maybachstraße 11, 88094 Oberteuringen, Germany, is a leading European developer and manufacturer of advanced KVM devices. With 30 years of experience, IHSE develops and manufactures switches for operating and switching between computers and consoles, as well as extenders for visually lossless signal transmission.
Some details of their products may be found in the IHSE Product Catalog 2015-2016, available from “www.ihse.com/fileadmin/redakteur/pdf/IHSE_Product_Catalog_2015-2016.pdf”.
In particular, page 9 discusses security challenges in KVM Matrix systems.
“U.S. Government Approved Protection Profile—Protection Profile for Peripheral Sharing Switch Version 3.0” is available from “www.niap-ccevs.org/Profile/Info.cfm?id=368”.
“High Security Labs Secure KVM and Matrix Security Target”, see: “www.niap-ccevs.org/st/st_vid10701-st.pdf”.
Aten is a leading Asian developer and manufacturer of KVM Matrix systems. ATEN “Application Guide—Matrix KVM Solution for Network Operating Center (NOC)” discloses the company's view of various characteristics (including security) of their KVM matrix products. See: “www.aten.com/ext_data/global_en/application_note/AG_Matrix_NOC.pdf”.
Thinklogical is a leading US developer and manufacturer of KVM Matrix systems. Thinklogical Press Release “Thinklogical Achieves Common Criteria Accreditation for Fiber-Optic KVM Matrix Switches” discloses the evaluation process of the prior-art KVM Matrix systems made by the company against the now obsolete Peripheral Sharing Switch Protection Profile. Published documents such as the Security Target of this evaluation disclose the prior-art set of threats and security features used by Thinklogical. In another document, the Thinklogical White Paper “Recommended Best Practices for the Design of Secure Multi-Domain KVM and Video Routing Systems”, the company discloses its view of KVM Matrix security threats and the mitigations offered by its different products. See: “www.appliedelectronics.com/documents/Best_Practices_KVM_Video_Routing_Secure_Facilities_White_Paper.pdf”.
Thinklogical document “KVM Matrix Switch Routers Product Manual covering the following models: VX40, VX80, VX160, VX320, VX320VIDEO & VX320AUDIO” provides technical information about prior-art KVM Matrix products offered by the company.
Thinklogical document “Thinklogical VX640 Router KVM Matrix Switch Security Target Document Version 1.4” discloses the set of security assumptions and security functions of the VX640 KVM Matrix system, based on the now obsolete Peripheral Sharing Switch Protection Profile version 2.1. See: “sertit.no/dokumenter/201311/ThinklogicalSecurityTarget_1_4_VX640.pdf”.