Computer networks in many organizations are continuously challenged by various security threats. The popularity of the internet and the availability of portable mass-storage devices introduce severe internal and external threats to most organizations. Defense and government organizations with higher-security networks are forced to isolate their secure networks from other, less secure networks, creating a situation in which a single organization or a single employee needs to operate in several different isolated networks having different security levels. Isolation between these networks is a key concern, as even a small leakage of data between two networks may cause catastrophic results for the organization involved.
In the past several years many of the traditional and new isolation methods have become ineffective, and therefore physical separation between networks is today growing in popularity among high-security organizations. The concept of multiple highly isolated networks is gaining popularity in defense and government organizations. This concept requires either multiple user consoles or a KVM switch.
There are several disadvantages to equipping a user with multiple consoles:
- Desktop space required (especially for more than two networks and with multiple displays for each host)
- Cost of peripherals
- Security issues caused by user confusion
- Lack of a unified working environment, causing user inefficiencies and stress
A KVM offers an improvement over the multiple-console approach. A KVM enables a single set of user keyboard, mouse and display to be switched between isolated hosts. Commercial KVMs are common, low-cost peripheral products that have been available from many vendors for many years. There are many information security risks in commercial KVMs, and in the past few years these products have come to be regarded as unsafe for high-security networks.
The main information security risks in commercial KVMs are:
- Proper isolation between hosts cannot be guaranteed: a host may leak to other hosts attached to the same KVM
- Firmware may be tampered with or replaced
- The product may be tampered with or completely replaced
- The product may hold buffers of keyboard strokes that can be used to create a leakage
- The display Plug and Play channel may be abused to cause data leakages
- USB ports may be used for unauthorized peripheral devices such as mass-storage devices
In general, as commercial KVMs were not designed to cope with secure networks and network isolation, they are assumed to be unsafe.
It should be noted that as networks become isolated, KVMs become a target for attacks. There are several reasons for that:
- KVMs are almost the only point in the IT system where isolated networks come close to each other.
- There are large numbers of similar KVMs, which means more opportunities to attack and a better chance of success.
- Products are readily available in the market and are easy to reverse engineer.
- KVMs may be an easier attack target than firewalls or cryptographic equipment, and an attacker will always prefer the weakest link.
- Many organizations do not fully understand the vulnerabilities of commercial KVMs.
- Once a KVM has been tampered with or has leaked, this is very hard to detect; secret information may easily leak through the internet.
In the last 10 years, a new class of KVMs has appeared in the market: secure KVMs. These secure KVMs were designed specifically with network isolation in mind. Some of these products have gained Common Criteria security accreditation to EAL-4 augmented.
Products that have appeared in the art feature the following security functions compared to commercial KVMs:
- An always-active anti-tampering sub-system to detect potential enclosure intrusion and deactivate the device. Most anti-tampering systems are battery powered and use a single micro-switch as a sensor.
- Read-only firmware residing in OTP (One-Time Programmable) memory or ROM (Read Only Memory).
- Buffer reset when switching between hosts, to prevent data leakage through the keyboard channel.
- Tamper-evident labels to indicate mechanical tampering.
- Electrical isolation between host ports.
- Some basic isolation in the EDID (Display Plug & Play) channel.
- Government approval through Common Criteria or TEMPEST evaluation.
While existing secure KVMs are better than commercial KVMs, they are still vulnerable to sophisticated attackers and are becoming less effective against intruders.
The risks involved with existing secure KVMs are:
- Sophisticated code changes
- Tampering without activating the basic anti-tampering system
- Abuse of EDID channels in creative ways to cause leakage through fast or slow switching between hosts
- Abuse of audio channels to cause leakages
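The EDID channel appears twice above: as a function that existing secure KVMs only isolate "in a basic way", and as a channel that can still be abused through host switching. A common way to close that gap is to learn the display's EDID once, validate it, strip the fields that are not needed for the display to work, and then present every host port with the same fixed copy no matter how the user switches. The following Python example is added here to show that filter; it is not code from the patent or from any KVM vendor. The field offsets follow the published EDID 1.3/1.4 base-block layout, while the sanitisation policy, the function names and the sample EDID bytes are assumptions made for this illustration.

```python
# Added illustration, not code from the patent or from any KVM vendor: an EDID
# "learn once, then emulate a constant copy" filter of the kind a secure KVM can
# place between the display and its host ports. Field offsets follow the EDID
# 1.3/1.4 base-block layout; the sanitisation policy and the sample block are
# assumptions made for this example.

EDID_HEADER = bytes([0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00])
DESCRIPTOR_OFFSETS = (0x36, 0x48, 0x5A, 0x6C)   # four 18-byte descriptor slots
TAG_SERIAL = 0xFF   # display-descriptor tag: serial number string
TAG_DUMMY = 0x10    # display-descriptor tag: unused slot


def edid_checksum(block) -> int:
    """Checksum byte that makes all 128 bytes sum to zero modulo 256."""
    return (-sum(block[:127])) & 0xFF


def edid_is_valid(block: bytes) -> bool:
    """Length, fixed header and checksum must all be right before the block is trusted."""
    return len(block) == 128 and block[:8] == EDID_HEADER and sum(block) & 0xFF == 0


def sanitize_edid(block: bytes) -> bytes:
    """Build the constant, host-independent copy presented to every host port.

    Assumed policy: zero the serial number (0x0C-0x0F), replace serial-string
    descriptors with dummy descriptors, drop all extension blocks (0x7E = 0) so
    that no vendor-specific data is forwarded, and recompute the checksum.
    """
    if not edid_is_valid(block):
        raise ValueError("refusing to learn an EDID block that fails validation")
    out = bytearray(block)
    out[0x0C:0x10] = b"\x00\x00\x00\x00"
    for off in DESCRIPTOR_OFFSETS:
        d = out[off:off + 18]
        if d[:3] == b"\x00\x00\x00" and d[3] == TAG_SERIAL:
            out[off:off + 18] = bytes([0, 0, 0, TAG_DUMMY]) + b"\x00" * 14
    out[0x7E] = 0
    out[0x7F] = edid_checksum(out)
    return bytes(out)


def build_sample_edid() -> bytes:
    """Constructed sample: a 1920x1080 digital display that reports a serial
    number string and claims one extension block."""
    b = bytearray(128)
    b[0:8] = EDID_HEADER
    b[0x08:0x0A] = bytes([0x04, 0x21])              # packed manufacturer ID
    b[0x0A:0x0C] = bytes([0x34, 0x12])              # product code
    b[0x0C:0x10] = bytes([0x78, 0x56, 0x34, 0x12])  # serial number
    b[0x12], b[0x13] = 1, 4                         # EDID version 1.4
    b[0x14] = 0x80                                  # digital video input
    # descriptor 1: detailed timing for 1920x1080 at 60 Hz (148.5 MHz pixel clock)
    b[0x36:0x48] = bytes([0x02, 0x3A, 0x80, 0x18, 0x71, 0x38, 0x2D, 0x40, 0x58,
                          0x2C, 0x45, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1E])
    # descriptor 2: serial number string (tag 0xFF), padded to 13 characters
    b[0x48:0x5A] = bytes([0, 0, 0, TAG_SERIAL, 0]) + b"SN00001234\n".ljust(13, b" ")
    b[0x5A:0x5E] = bytes([0, 0, 0, TAG_DUMMY])      # descriptors 3 and 4 unused
    b[0x6C:0x70] = bytes([0, 0, 0, TAG_DUMMY])
    b[0x7E] = 1                                     # one extension block follows
    b[0x7F] = edid_checksum(b)
    return bytes(b)


SAMPLE_EDID = build_sample_edid()


def demo() -> dict:
    """Run the filter over the sample and report the properties a reviewer would check."""
    clean = sanitize_edid(SAMPLE_EDID)
    tampered = bytearray(SAMPLE_EDID)
    tampered[0x10] ^= 0x01                          # flip one bit: checksum no longer matches
    try:
        sanitize_edid(bytes(tampered))
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True
    return {
        "learned_block_valid": edid_is_valid(clean),
        "timing_preserved": clean[0x36:0x48] == SAMPLE_EDID[0x36:0x48],
        "serial_removed": clean[0x0C:0x10] == b"\0\0\0\0" and clean[0x48 + 3] == TAG_DUMMY,
        "extensions_dropped": clean[0x7E] == 0,
        "same_copy_for_every_host": sanitize_edid(SAMPLE_EDID) == clean,
        "tampered_block_rejected": tampered_rejected,
    }


if __name__ == "__main__":
    for prop, ok in demo().items():
        print(f"{prop:28s} {'ok' if ok else 'FAIL'}")
```

Two design points matter here. A block that fails header or checksum validation is never learned, so a display reporting inconsistent data cannot get anything past the filter. And because the hosts only ever see the sanitised copy, which is computed from the display alone and is identical on every port, the order or speed of host switching has no effect on the bytes any host reads.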
Therefore there is a need for secure KVMs that are more robust and safe against sophisticated attacks and that provide better confidence for high-security organizations, with the ease of use of a KVM.
There is a need for a KVM that can demonstrate, through careful design and analysis, that even if major components in the device are attacked and tampered with, it will still keep the hosts isolated. There is a need for a KVM that will assure that USB traffic flows in a unidirectional way only, between the user peripheral devices and the selected host.
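Two of the peripheral-side properties mentioned in this section can be modelled concretely: only user peripheral devices (keyboard, mouse) may be enumerated on the KVM's USB ports, with traffic carried toward the selected host only, and the keyboard buffer is reset on every host switch. The following Python example is added here to illustrate both; it is not code from the patent or from any KVM vendor. The descriptor layouts follow the USB 2.0 and HID class specifications, while the acceptance policy, the `SecureKvmModel` class and the sample descriptors are assumptions made for this illustration.

```python
# Added illustration, not code from the patent or from any KVM vendor: a model of
# two peripheral-side controls, the USB device-class filter and the keyboard
# buffer reset on host switch. Descriptor layouts follow the USB 2.0 and HID
# class specifications; the acceptance policy, the KVM model and the sample
# descriptors are assumptions made for this example.
from dataclasses import dataclass, field

USB_DT_CONFIG, USB_DT_INTERFACE, USB_DT_ENDPOINT = 0x02, 0x04, 0x05
CLASS_HID, CLASS_MASS_STORAGE = 0x03, 0x08
HID_SUBCLASS_BOOT = 0x01
HID_PROTO_KEYBOARD, HID_PROTO_MOUSE = 0x01, 0x02


def walk_descriptors(config: bytes):
    """Yield (bDescriptorType, raw descriptor) for every descriptor in a configuration
    descriptor set, stepping by bLength; a zero or overlong length is a malformed set."""
    off = 0
    while off < len(config):
        if off + 2 > len(config) or config[off] < 2 or off + config[off] > len(config):
            raise ValueError("malformed descriptor at offset %d" % off)
        length = config[off]
        yield config[off + 1], config[off:off + length]
        off += length


def classify_device(config: bytes) -> str:
    """Return 'keyboard', 'mouse', 'keyboard+mouse' or 'rejected'.
    Assumed policy: every interface must be a boot-protocol HID keyboard or mouse;
    one interface of any other class rejects the whole device."""
    kinds = set()
    for dtype, d in walk_descriptors(config):
        if dtype != USB_DT_INTERFACE:
            continue
        cls, sub, proto = d[5], d[6], d[7]
        if cls != CLASS_HID or sub != HID_SUBCLASS_BOOT:
            return "rejected"
        if proto == HID_PROTO_KEYBOARD:
            kinds.add("keyboard")
        elif proto == HID_PROTO_MOUSE:
            kinds.add("mouse")
        else:
            return "rejected"
    return "+".join(sorted(kinds)) if kinds else "rejected"


@dataclass
class SecureKvmModel:
    """Keyboard path only, modelled in one direction (peripheral to selected host).
    Keystrokes queue for the selected host and the queue is discarded on every
    switch, so nothing typed for one host can reach the next (buffer reset)."""
    hosts: int
    selected: int = 0
    pending: list = field(default_factory=list)
    delivered: dict = field(default_factory=dict)

    def attach(self, config: bytes) -> bool:
        """Enumerate a peripheral only if the class filter accepts it."""
        return classify_device(config) != "rejected"

    def key(self, scancode: int) -> None:
        self.pending.append(scancode)

    def switch_to(self, host: int) -> int:
        """Select another host; returns how many queued keystrokes were discarded."""
        if not 0 <= host < self.hosts:
            raise ValueError("no such host")
        discarded = len(self.pending)
        self.pending.clear()
        self.selected = host
        return discarded

    def deliver(self) -> list:
        """Hand the queued keystrokes to the selected host and to nobody else."""
        out, self.pending = self.pending, []
        self.delivered.setdefault(self.selected, []).extend(out)
        return out


# --- constructed sample descriptors (not captured from real hardware) ---------
def build_interface(num: int, cls: int, sub: int, proto: int, ep_attr: int = 0x03) -> bytes:
    iface = bytes([9, USB_DT_INTERFACE, num, 0, 1, cls, sub, proto, 0])
    endpoint = bytes([7, USB_DT_ENDPOINT, 0x80 | (num + 1), ep_attr, 8, 0, 10])  # IN endpoint
    return iface + endpoint


def build_config(*interfaces: bytes) -> bytes:
    body = b"".join(interfaces)
    total = 9 + len(body)
    return bytes([9, USB_DT_CONFIG, total & 0xFF, total >> 8, len(interfaces), 1, 0, 0xA0, 50]) + body


KEYBOARD = build_config(build_interface(0, CLASS_HID, HID_SUBCLASS_BOOT, HID_PROTO_KEYBOARD))
KEYBOARD_AND_MOUSE = build_config(build_interface(0, CLASS_HID, HID_SUBCLASS_BOOT, HID_PROTO_KEYBOARD),
                                  build_interface(1, CLASS_HID, HID_SUBCLASS_BOOT, HID_PROTO_MOUSE))
THUMB_DRIVE = build_config(build_interface(0, CLASS_MASS_STORAGE, 0x06, 0x50, ep_attr=0x02))  # SCSI, bulk
# composite device: a keyboard function and a storage function behind one plug
COMPOSITE = build_config(build_interface(0, CLASS_HID, HID_SUBCLASS_BOOT, HID_PROTO_KEYBOARD),
                         build_interface(1, CLASS_MASS_STORAGE, 0x06, 0x50, ep_attr=0x02))


if __name__ == "__main__":
    for name, cfg in [("keyboard", KEYBOARD), ("keyboard+mouse", KEYBOARD_AND_MOUSE),
                      ("thumb drive", THUMB_DRIVE), ("composite", COMPOSITE)]:
        print(f"{name:15s} -> {classify_device(cfg)}")
    kvm = SecureKvmModel(hosts=2)
    for code in (0x04, 0x05):                  # typed while host 0 is selected
        kvm.key(code)
    print("discarded on switch:", kvm.switch_to(1))
    print("host 1 receives:", kvm.deliver())
```

The class filter walks the descriptor set by `bLength` rather than trusting `bNumInterfaces`, so an interface placed past the advertised count still counts against the device, and a device with any non-HID interface is refused as a whole rather than partially enumerated. The buffer-reset property is visible in `switch_to`: keystrokes queued while host 0 was selected are discarded, and host 1 only ever receives what was typed after the switch.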
Available Products
For example, CIS Secure Computing, Inc. of Dulles, Va. 20166, USA (web site “cissecure.com”) provides some secure solutions.
Referenced Patents and Applications
US Application 20050216620 A1, titled “KVM and USB peripheral switch”, to Francisc et al., discloses a system and method for switching KVM and peripheral interfaces between host interfaces. Provided is a KVM switch where a keyboard and a mouse are emulated at the host interfaces of the KVM switch and hosts are emulated at the keyboard and mouse interfaces of the KVM switch. In addition, the KVM switch provided is capable of switching, either independently or concurrently with a keyboard and mouse, additional peripherals, such as USB peripherals.
US Application 20060123182, titled “Distributed KVM and peripheral switch”, to Francisc et al., discloses a system and method for switching keyboard and mouse devices and video displays, as well as USB peripheral devices, between USB hosts and video sources over extended distances. Provided is a distributed KVM and peripheral switch where a USB keyboard and mouse are emulated to the host interfaces of the KVM and peripheral switch and a USB host is emulated to the keyboard and mouse interfaces of the KVM and peripheral switch. In addition, the keyboard, mouse, display and peripheral devices are separated from the hosts and video sources by a non-USB communications channel.
US Application 20070242062, titled “EDID pass through via serial channel”, to Guo, Yong et al., discloses techniques for passing Extended Display Identification Data (EDID) or Enhanced-EDID (E-EDID) in an uncompressed multimedia communication system including a video sink side communicatively coupled to a video source side. An EDID AVAILABLE packet is communicated via a serial backward channel from the video sink side. A REQUEST is communicated to the video sink side via a serial forward channel to indicate that the video sink side can send the EDID data. The EDID data is then communicated to the video source side via the serial backward channel.
U.S. Pat. No. 6,263,440, titled “Tracking and protection of display monitors by reporting their identity”, to Pruett et al., discloses a method, system and computer readable medium (the present invention) for reporting information related to a monitor attached to a computer which includes a system memory. The present invention includes electronically reading the information from the monitor and storing the monitor information in the system memory. The present invention further includes retrieving the monitor information from the system memory and providing the monitor information to a display via a browser. The monitor information comprises electronically readable information including its identity. One aspect of the present invention further includes comparing the monitor information with corresponding last known information, wherein a mismatch indicates that the monitor has been changed. Another aspect of the present invention further includes copying the monitor information to a radio frequency (RF) enabled memory, wherein the monitor information can be logged utilizing an RF reader device. The RF reader device may be included in an RF gate and/or a hand-held device. Computer systems with Radio Frequency Identification (RFID) technology configured in accordance with the present invention enable automated electronic tracking of computer assets such as the monitors as they pass through the RF gate in or out of a portal. Computer systems with the RFID technology also enable the automated electronic tracking of the monitors or other computer assets via the hand-held device. In either case, no direct contact with the monitor is needed for the tracking and reporting.
U.S. Pat. No. 7,231,402, titled “Video switch for analog and digital video signals”, to Dickens et al., discloses video switching circuitry for use in a KVM switch and similar devices. The video signal switching circuitry can supply video signals from one of a plurality of video sources connected to the circuit to a display device connected to the circuit. The high data signaling rate signals are converted into a greater number of lower data signaling rate signals for switching by a bus architecture. Also provided are video display systems in which analogue and digital video signals are switched synchronously to allow them to be displayed on common or separate display devices. Also described is a high-resolution monitor digital video data switching device.
U.S. Pat. No. 7,559,092, titled “Secured KVM switch”, to Anson et al., discloses a method that supports secure input/output (I/O) communications between an I/O device and a data processing system via a keyboard, video, and mouse (KVM) switch. An example embodiment includes the operations of establishing a first secure communication channel between the KVM switch and the I/O device and establishing a second secure communication channel between the KVM switch and the data processing system. In addition, I/O data may be received at the KVM switch from the I/O device via the first secure communication channel. In response to receipt of the I/O data from the I/O device, the I/O data may be transmitted from the KVM switch to the data processing system via the second secure communication channel. Embodiments may also include support for non-secure channels between the KVM switch and non-secured I/O devices, non-secured data processing systems, or both.