Threat | Solution |
|
|
Data being sent to ports | Channel switching is controlled by the front |
by means of faulty or | panel buttons only with all keyboard hotkey |
subverted keyboards or | or mouse switching capabilities removed |
mice causing the channel | from the design. |
to switch and sending |
|
data in turn to each port. |
|
|
|
Data transfer by means of | USB ports support keyboard and mouse |
common storage. | (and card reader for |
| connections only. The product does |
| not enable a USB memory stick or disk |
| drive to be shared between computers. |
| Unidirectional signalling protects against |
| data transfer across the switch. |
|
|
Timing analysis attacks. | If a connection exists between a computer |
| and a shared microprocessor system, it |
| is potentially possible to determine what |
| may be happening on the micro by timing |
| the responses to repeated requests that |
| the micro must service. For example, if |
| a high data bit takes longer to transmit |
| through the system than a low bit it may |
| be possible to detect the pattern of data |
| flowing between other ports by attempting |
| to time the responses to otherwise normal |
| requests. In the ServSwitch Secure, each |
| port has a dedicated processor that only |
| has input signals from the rest of the |
| system. These input signals are only active |
| when the port is selected. Consequently a |
| timing analysis attack from one computer |
| would yield no information about data |
| flowing to another computer. |
|
|
Threat | Solution |
|
|
Forced malfunctions due | It is potentially possible to create forced |
to overloaded signaling. | malfunctions by constantly and quickly |
| sending a stream of valid requests (such as |
| the request to update the keyboard lights). |
| A well known example of an undesirable |
| KVM malfunction is a “crazy mouse” |
| which was quite common with early KVM |
| switches and was caused by data loss on |
| PS/2 systems with the result that the mouse |
| darted around the screen randomly clicking |
| and opening windows. The unidirectional |
| design of the Secure Switch ensures that |
| the influence of signalling on one port |
| cannot flow past the data diodes. This |
| means that overload signalling on one port |
| will not affect the operation of another |
| port. USB signalling is not susceptible to the |
| failure mechanism that caused the crazy |
| mouse on PS/2 systems. |
|
|
The user selects the wrong | Only one simple method of selecting |
port. | computers is provided. The selected port |
| is clearly and unambiguously indicated on |
| the front panel by means of colored lights |
| adjacent to each key switch. For high levels |
| of security, the screens of high and low |
| security computers should be arranged to |
| look visibly different in general appearance. |
|
|
Signalling by means of | Each port is independently powered by its |
shorting the power supply | USB port. Shorting the power supply on |
or loading the power | one port will not cause the power on other |
supply. | ports to be switched off. |
|
|
Tampering with the | The switch is designed to enable tamper |
switch. | proof seals to be fitted over the counter- |
| sunk screws. |
|
|
®
16
