Compliant Product - IPGARD Secure KVM Switch/Isolator (CAC Models)
Certificate Date: 2021.07.09CC Certificate Security Target Security Target
Validation Report Number: CCEVS-VR-VID11133-2021
Product Type: Peripheral Switch
Conformance Claim: Protection Profile Compliant
PP Identifier: PP-Module for Analog Audio Output Devices Version 1.0
PP-Module for Keyboard/Mouse Devices Version 1.0
PP-Module for User Authentication Devices Version 1.0
PP-Module for Video/Display Devices Version 1.0
Protection Profile for Peripheral Sharing Device Version 4.0
CC Testing Lab: Leidos Common Criteria Testing Laboratory
IPGARD Secure KVM Switch/Isolator (CAC Models) provide a secure medium to connect one or more input peripherals to one or more computers. The TOE models support the following types of peripheral connectivity:
· Switch: connectivity between a single set of peripheral devices (keyboard/mouse, up to four displays depending on model, audio, USB authentication device) and two or more connected computers.
· Isolator: connectivity between a single set of peripherals (keyboard/mouse, display, audio, USB authentication device) and a single connected computer.
The TOE consists of a family of devices that support different numbers of computers, different numbers of monitors, and different types of display protocols depending on model.
The Target of Evaluation (TOE) is hardware and firmware components of the IPGARD Secure KVM Switch/Isolator (CAC Models). The TOE model numbers, descriptions, and software/firmware versions are listed below:
· SA-DVN-1S-P, 1-Port single-head Secure DVI-I KVM w/audio and CAC, firmware version 4.01.010
· SA-DPN-1S-P, 1-Port single-head Secure DP KVM w/audio and CAC, firmware version 4.01.001
· SA-UHN-1S-P, 1-Port single-head Secure HDMI KVM w/audio and CAC, firmware version 4.01.100
· SA-DPN-2S-P, 2-Port single-head Secure Pro DP KVM w/audio and CAC, firmware version 4.01.001
· SA-DPN-2D-P, 2-Port dual-head Secure Pro DP KVM w/audio and CAC, firmware version 4.01.001
· SA-DVN-2S-P, 2-Port single-head Secure Pro DVI-I KVM w/audio and CAC, firmware version 4.01.010
· SA-DVN-2D-P, 2-Port dual-head Secure Pro DVI-I KVM w/audio and CAC, firmware version 4.01.010
· SA-HDN-2S-P, 2-Port single-head Secure DP/HDMI KVM w/audio and CAC, firmware version 4.01.202
· SA-HDN-2D-P, 2-Port dual-head Secure DP/HDMI KVM w/audio and CAC, firmware version 4.01.202
· SA-DPMST-2S-P, 2-Port single-head DP to 2xHDMI Secure KVM w/audio and CAC, firmware version 4.01.003
· SA-DPMST-2D-P, 2-Port dual-head DP to 2xHDMI Secure KVM w/audio and CAC, firmware version 4.01.003
· SA-DPN-4S-P, 4-Port single-head Secure Pro DP KVM w/audio and CAC, firmware version 4.01.001
· SA-DPN-4D-P, 4-Port dual-head Secure Pro DP KVM w/audio and CAC, firmware version 4.01.001
· SA-DPN-4Q-P, 4-Port quad-head Secure Pro DP KVM w/audio and CAC, firmware version 4.01.001
· SA-DVN-4S-P, 4-Port single-head Secure Pro DVI-I KVM w/audio and CAC, firmware version 4.01.010
· SA-DVN-4D-P, 4-Port dual-head Secure Pro DVI-I KVM w/audio and CAC, firmware version 4.01.010
· SA-DVN-4Q-P, 4-Port quad-head Secure Pro DVI-I KVM w/audio and CAC, firmware version 4.01.010
· SA-HDN-4S-P, 4-Port single-head Secure DP/HDMI KVM w/audio and CAC, firmware version 4.01.202
· SA-HDN-4D-P, 4-Port dual-head Secure DP/HDMI KVM w/audio and CAC, firmware version 4.01.202
· SA-DPH-4Q-P, 4-Port quad-head Secure single-head DVI, single-head HDMI, and dual-head DP KVM w/audio and CAC, firmware version 4.01.111
· SA-DPMST-4S-P, 4-Port single-head DP to 2xHDMI Secure KVM w/audio and CAC, firmware version 4.01.003
· SA-DPMST-4D-P, 4-Port dual-head DP to 2xHDMI Secure KVM w/audio and CAC, firmware version 4.01.003
· SA-DMN-DP-P, 4-Port single-head Secure DP KVM w/audio, CAC and preview screen, firmware version 4.01.004
· SA-DPN-8S-P, 8-Port single-head Secure Pro DP KVM w/audio and CAC, firmware version 4.01.001
· SA-DPN-8D-P, 8-Port dual-head Secure Pro DP KVM w/audio and CAC, firmware version 4.01.001
· SA-DVN-8S-P, 8-Port single-head Secure Pro DVI-I KVM w/ audio and CAC, firmware version 4.01.010
· SA-DVN-8D-P, 8-Port dual-head Secure Pro DVI-I KVM w/ audio and CAC, firmware version 4.01.010
· SA-DVN-16S-P, 16-Port dual-head Secure Pro DVI-I KVM w/ audio and CAC, firmware version 4.01.010
All TOE models are compatible with standard personal/portable computers, servers or thin-clients. Connected computers are assumed to run off-the-shelf general-purpose operating systems such as Windows or Linux. The TOE includes ports for the following interfaces:
· USB keyboard
· USB mouse
· 3.5mm Audio Input (computer ports)
· 3.5mm Audio Ouput (peripheral port)
· USB Smart-card reader, PIV/CAC reader, Token or Biometric reader
Depending on TOE model, two or more of the following interfaces are supported:
· DVI-I input
· DVI-I output
· HDMI 1.4 input
· HDMI 1.4 output
· DisplayPort 1.2 output
· DisplayPort 1.2 output
Security Evaluation Summary
The evaluation was carried out in accordance with the National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 5. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 5. These materials were supplemented with the requirements of the NIAP PP-Configuration for Peripheral Sharing Device, Analog Audio Output Devices, Keyboard/Mouse Devices, User Authentication Devices, and Video/Display Devices, version 1.0, all materials referenced therein, as well as any applicable supplemental guidance from NIAP, such as scheme policies, scheme publications, NIAP Technical Decisions, and official NIAP Technical Query responses. The product, when delivered and configured as identified in the IPGard Secure KVM Administration and Security Management Tool Guide (CAC), Version 1.1, February 11, 2021 and the respective User Manuals, satisfies all of the security functional requirements stated in the IPGARD Secure KVM Isolator Security Target (CAC Models) and IPGARD Secure KVM Switch Security Target (CAC Models). The project underwent CCEVS Validator review. The evaluation was completed on July 9, 2021. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.
The TOE implements the User Data Protection and Data Isolation security function policies of theProtection Profile for Peripheral Sharing Device. This PP defines a peripheral sharing device as “a PSD is an IT product for connecting one or more peripheral devices to one or more computers such that data cannot flow between computers by way of the peripherals or the PSD. Examples of PSDs that can claim compliance to this PP include Keyboard, Video, Mouse (KVM) switches; Keyboard, Mouse (KM) switches; and Isolators.” The TOE includes both KVM switches and isolators in its evaluation boundary.
Aside from behavior specifically relating to port switching, both switches and isolators function in the manner described below.
Keyboard and Mouse
The keyboard and mouse processor is programmed in firmware only to accept 108-key keyboard and 3-button mouse USB devices. Unauthorized peripheral devices will be rejected by the TOE’s keyboard and mouse ports. Wireless keyboard and mouse are special USB composite devices; when this type of device is recognized by the TOE, all front LED’s of the TOE will blink and the user will need to disconnect and reboot the TOE. The only USB host peripheral devices that are allowed by the TOE are keyboard and mouse host emulators. Basic USB 1.1/2.0 HID-class devices are authorized as valid endpoints by the TOE. Note that devices having integrated USB hub and composite devices will only be supported if the connected device has at least one endpoint which is a keyboard or mouse HID class. All other non-keyboard/mouse HID class endpoints will be disabled in this scenario. Both keyboard and mouse TOE ports are interchangeable. It is assumed based on the claimed PP that all standard peripheral devices are untrusted; therefore, the TOE protects the system from attacks that may be executed to exploit such devices and enable unauthorized data flows. By creating uni-directional isolated keyboard and mouse TOE channels that are tied to the two USB 1.1/2.0 ports on the TOE, unauthorized data flows are eliminated.
TOE External Interfaces
The TOE only supports AC/DC power, USB keyboard and mouse, user authentication devices, and video, which includes one or more of the following depending on TOE model:
· DVI-I in/DVI-I out
· DP 1.2 in/DP 1.2 out
· HDMI 1.4 in/HDMI 1.4 out
· HDMI 1.4 or DP 1.2 in/HDMI 1.4 or DP 1.2 out (interchangeable DP/HDMI ports)
· DP 1.2 in/HDMI 1.4 out
The user authentication device filter is set by default to allow only standard smart-card reader USB 1.1/2.0 token or biometric reader but when user or administrator registers new CAC devices, the TOE will start to support these registered devices. All other peripheral types are rejected, either physically (because the TOE does not support the required physical interface) or logically (because the TOE does not recognize the connected peripheral as authorized).
The use of microphones as input devices is prohibited. All TOE devices support analog audio out switching and all TOE devices will prevent microphone devices. These microphones are stopped through the use of uni-directional audio diodes on both left and right stereo channels (forces data flow from only the computer to the connected audio device) and the LM4880 Boomer analog output amplifier which enforces uni-directional audio data flow. All audio signals are filtered in accordance with the Audio Filtration Specifications table defined in the PP-Module for Analog Audio Output.
Each connected computer has its own TOE isolated channel with its own Extended Display Identification Data (EDID) emulator and video input port. Data flows from the input video source through its respective EDID emulator and out of the monitor display port. Each video input interface is isolated from one another using different EDID ICs, power planes, ground planes, and electronic components in each independent channel. Depending on the specific TOE model, the following numbers and types of video inputs are supported:
· 1x DVI-I in to DVI-I out
· 2x DVI-I in to DVI-I out
· 4x DVI-I in to DVI-I out
· 1x DisplayPort in to DisplayPort out
· 2x DisplayPort in to DisplayPort out
· 4x DisplayPort in to DisplayPort out
· 1x HDMI in to HDMI out
· 1x DisplayPort or HDMI in to DisplayPort or HDMI out (interchangeable port)
· 2x DisplayPort or HDMI in to DisplayPort or HDMI out (interchangeable port)
· 1x DisplayPort in to 2x HDMI out (DisplayPort Multi-Stream Transport)
· 2x DisplayPort in to 4x HDMI out (DisplayPort Multi-Stream Transport)
· 1x DisplayPort in to 2x DisplayPort out (one normal peripheral monitor and one ‘preview screen’ multi-viewer monitor)
· “Combo” (4x total supported displays with 2x DisplayPort in to 2x DisplayPort out, 1x DVI-I in to 1x DVI-I out, and 1x HDMI in to 1x HDMI out)
TOE Administration and Security Management
Each TOE is equipped with an Administration and Security Management Tool that can be initiated by running an executable file on a computer with keyboard connected to the same computer via the TOE. The tool requires administrator or a user to be successfully identified and authenticated by the TOE in order to gain access to any supported feature. Some features are restricted to the Administrator role only, while other features can be performed by either the Administrator or User role.
User Authentication Device Subsystem
The TOE is shipped with default device filtration for the CAC port. The filter is set at default to allow only standard smart-card reader, PIV/CAC USB 1.1/2.0 token, or biometric reader. All devices must be bus powered only (no external power source allowed). The TOE default settings accept standard smart-card reader, PIV/CAC USB 1.1/2.0 token or biometric reader. Authenticated users and administrator can register (allowlist) individual USB devices. All other USB devices are prohibited (denylisted).
User Control and Monitoring Security
User monitoring and control of the TOE is performed through the TOE front panel push buttons. These buttons are tied to the TOE system controller functionality. The TOE chassis has port selection LEDs that correspond to the push buttons. When a given computer is selected, its corresponding port selection LED is illuminated (the other channel LEDs remain off). During operation, all front panel LED indications cannot be turned off or dimmed by the user in any way, including after Restore Factory Default (reset). There are two exceptions to this:
· Isolator models do not have a switching capability because they only support a single connected computer, and there is therefore no mechanism to switch computers or indicate which computer is selected
· The TOE ‘preview screen’ model includes a secondary set of push-button controls for controlling the display layout and active computers on the secondary multi-viewer display window. This window uses on-screen display to indicate the active video feed for each region of the display (e.g. if this monitor is configured for picture-in-picture viewing, both the inner and outer picture are labeled with the video feed they each represent)
The USB authentication device interface may be independently enabled or disabled using push-button controls. Whether or not the port selection button is illuminated indicates the status of this interface.
All features of the TOE front panel are tested during power up self-testing. From power up until the termination of the TOE self-test, no channel is selected.
In order to mitigate potential tampering and replacement, the TOE is devised to ensure that any replacement may be detected, any physical modification is evident, and any logical modification may be prevented. The TOE is designed so that access to the TOE firmware, software, or its memory via its accessible ports is prevented. The TOE is designed to prevent any physical or logical access its internal memory. There is a mechanical switch on the inside of the TOE that triggers the anti-tampering state when the enclosure is manually opened. Once the anti-tampering state is triggered, the TOE is permanently disabled.
Self-Testing and Security Audit
The TOE has a self-testing function that executes immediately after power is supplied including Restore Factory Default (reset) and power reset. Self-testing must complete successfully before normal operational access is granted to the TSF. The self-test function includes the following activities:
· Basic integrity test of the TOE hardware (no front panel push buttons are jammed).
· Basic integrity test of the TOE firmware.
· Integrity test of the anti-tampering system and control function.
· Test the data traffic isolation between ports.
The TOE has a non-volatile memory event log which records all abnormal security events that occur within TOE operation. This log can be accessed by the identified and authorized administrator and dumped into a .txt file using a connected computer and the Administration and Security Management tool that is provided by the TOE vendor.