
Security Target Version 1.1 2022-03-08

when a non-qualified monitor is connected. The Num Lock LED, Caps Lock LED, and Scroll Lock LED on the 
keyboard are disabled. The Port LEDs indicate Port selection/connection status. All LEDs are located on 
the RPS and on the front panel of the main KVM except the Video LED(s) that are located on the back 
panel. The TOE does not allow any other user data transmission to or from external entities.  

Non-HID functions of a composite USB device; internal Hub; docking protocols; and analog microphone 
or audio line inputs are not supported by the TOE. During KVM operation, non-standard keyboards with 
integrated USB hubs and/or other USB-integrated devices may not be fully supported due to the strict 
security standards and policy for the IOGEAR Secure KVM Switch. If supported, only basic (HID) keyboard 
operations will function.  

6.2.6 FDP_PUD_EXT.1 Powering Unauthorized Devices

The TOE does not supply power to any device connected to the analog audio output interface.  

6.2.7 FDP_RIP.1/KM Residual Information Protection (Keyboard Data), FDP_RIP_EXT.1 Residual Information Protection and FDP_RIP_EXT.2 Purge of Residual Information

No user data is written to TOE non-volatile memory or storage. User keyboard data is purged and not
available to the next connected TOE computer interface when the TOE is switched to a different computer.
The data input by the authorized keyboard/mouse will be kept in the console authorized keyboard/mouse
buffer (in the microcontroller). Once the TOE is power cycled, reset, or port switching is detected, the data
in the console authorized keyboard/mouse buffer will be deleted immediately, and not processed for
emulation. Please refer to the Proprietary Isolation Document for more detail.

The TOE provides two functions to delete TOE stored configuration and settings.  

After logging in, authorized administrators can use the Reset to Factory Default management function
(not to be confused with the front panel reset button). When a successfully authenticated authorized
Administrator performs Reset to Factory Default, all settings previously configured by the Administrator
(such as USB device blacklist) will be cleaned and reset to factory default settings. Once the Reset to
Factory Default function has been completed, the Secure KVM will terminate the Administrator Logon
mode, purge keyboard/mouse buffer, and power cycle the Secure KVM automatically. After a successful
self-test, the KVM port focus will be switched to Port 1. Audit logs are retained and a log is generated for
Reset to Factory Default.

The TOE also provides non-administrative users a front panel Reset button allowing the user to delete
TOE stored configuration and settings. Pressing the Reset button for more than 5 seconds performs the
reset function: it purges the keyboard/mouse buffer, and the switch performs a self-test and
switches to Port 1. CDF configured by the Administrator, logs, Administrative tasks, or other secure
functions are not affected by the front panel Reset function.

The Letter of Volatility provided in Appendix A identifies the TOE components that have non-volatile
memory and provides details of the memory and its use.
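
The purge and reset rules of section 6.2.7, written as a small host-side C model so that each rule can be checked by a test. This is an added example, not IOGEAR firmware and not part of the Security Target; the structure, the buffer size, the event names and the kvm_* functions are all assumptions.

```c
/* Added model of the 6.2.7 purge rules; not vendor firmware. Every name,
 * size and field here is an assumption made for illustration. */
#include <stddef.h>
#include <stdint.h>

#define KM_BUF_SIZE 64 /* assumed size of the console keyboard/mouse buffer */

enum kvm_event { EV_PORT_SWITCH, EV_POWER_CYCLE, EV_FRONT_RESET, EV_FACTORY_RESET };

struct kvm_model {
    uint8_t  km_buf[KM_BUF_SIZE]; /* volatile RAM in the microcontroller */
    size_t   km_len;
    unsigned port;                /* selected computer port, 1-based */
    int      admin_logged_in;
    int      blacklist_entries;   /* stands in for administrator settings */
    int      audit_records;       /* audit log entries */
};

void kvm_init(struct kvm_model *m) {
    *m = (struct kvm_model){0};
    m->port = 1;
}

/* Queue one byte of console keyboard data. Returns 0, or -1 if the buffer is full. */
int kvm_key_in(struct kvm_model *m, uint8_t b) {
    if (m->km_len == KM_BUF_SIZE) return -1;
    m->km_buf[m->km_len++] = b;
    return 0;
}

/* Wipe through a volatile pointer so the compiler cannot optimise the writes away. */
void kvm_purge(struct kvm_model *m) {
    volatile uint8_t *p = m->km_buf;
    for (size_t i = 0; i < KM_BUF_SIZE; i++) p[i] = 0;
    m->km_len = 0;
}

/* Returns 1 when no earlier keystroke is recoverable from the buffer. */
int kvm_buf_is_clear(const struct kvm_model *m) {
    for (size_t i = 0; i < KM_BUF_SIZE; i++) if (m->km_buf[i]) return 0;
    return m->km_len == 0;
}

/* Emulate buffered data towards the selected port; returns bytes delivered. */
size_t kvm_emulate(struct kvm_model *m, uint8_t out[KM_BUF_SIZE]) {
    size_t n = m->km_len;
    for (size_t i = 0; i < n; i++) out[i] = m->km_buf[i];
    kvm_purge(m);
    return n;
}

/* Apply one event (new_port is read only for EV_PORT_SWITCH). Returns 0, or -1
 * if a factory reset is requested without an authenticated administrator. */
int kvm_handle(struct kvm_model *m, enum kvm_event ev, unsigned new_port) {
    if (ev == EV_FACTORY_RESET) {
        if (!m->admin_logged_in) return -1;
        m->blacklist_entries = 0; /* administrator settings back to defaults */
        m->audit_records += 1;    /* logs retained, plus a record of the reset */
        m->admin_logged_in = 0;   /* Administrator Logon mode terminated */
    }
    kvm_purge(m);                 /* every one of the four events purges */
    if (ev == EV_PORT_SWITCH) m->port = new_port;
    else if (ev != EV_POWER_CYCLE) m->port = 1; /* both resets end on Port 1 */
    return 0;                     /* port after a plain power cycle: not modelled */
}

int main(void) {
    struct kvm_model m;
    uint8_t out[KM_BUF_SIZE];
    kvm_init(&m);
    kvm_key_in(&m, 'p');                 /* constructed keystroke for port 1 */
    kvm_handle(&m, EV_PORT_SWITCH, 2);
    return kvm_emulate(&m, out) == 0 ? 0 : 1; /* 0: nothing reached port 2 */
}
```

The same checks map onto evaluator test cases: type on one port, trigger each event, and confirm nothing typed earlier appears on the newly selected computer.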
