KVM Switch Deployment Best Practices

KVM switches are widely used in corporate environments to let an employee work on several systems or servers, often sitting on different networks, from a single keyboard, video display and mouse. A single thin client that connects in the background to multiple servers saves desk space and reduces energy cost. KVM switches come in several types and deployment models: local KVM switches, remote KVM switches and IP-based KVM switches. Because a KVM switch bridges systems on multiple networks and may also be managed remotely, it is an attractive target for an attacker who wants to capture the user's keystrokes, video and audio.
In one widely reported case, attackers stole about 1.2 million euros from one of the UK's largest banks through the KVM switch installed in a branch. They attached a 3G mobile dongle to the KVM so that they could interact with the branch computers remotely and transfer money to accounts under their control.
At a minimum, the following items should be reviewed before deployment.
  1. The KVM switch must be tamper resistant. Secure the chassis with tamper-evident seals and tamper-resistant screws (one-way screws, or two-way screws with tamper-resistant heads). Tamper protection can also be battery-backed, so that the KVM becomes permanently inoperable if the chassis is opened. This prevents an attacker from inserting a hardware keylogger, which would capture highly confidential data such as passwords, debit/credit card details, account numbers, phone numbers and dates of birth.
  2. The KVM switch must use dedicated EDID (Extended Display Identification Data) emulation and DDC (Display Data Channel) lines for each connected computer, so that the display channel cannot be used as a covert channel between otherwise separated networks.
  3. The microphone (audio input) path in the KVM switch must be disabled, or a model without microphone support selected. This prevents a computer from recording audio through the switch, including application audio and cross-talk, as well as human conversation that could be used for social engineering.
  4. The KVM switch must not be connected to the internet, including for firmware updates. Any firmware update that is genuinely required should be applied offline from media obtained directly from the vendor.
  5. Data must flow in one direction only, from the keyboard and mouse through the KVM switch to the selected computer, so that a computer cannot write data back into the keyboard or mouse channel (for example via keyboard LED status), which could otherwise leak data between the connected networks.
  6. Switching between computers must be done physically, with a button on the switch; keyboard hotkey and mouse-gesture switching must be disabled.
  7. The KVM switch circuitry, keyboard and mouse must be power-cycled on every switch between computers, which clears any volatile memory holding data from the previous connection.
  8. The KVM switch's USB ports must be used only for the keyboard and mouse. Use of USB thumb drives and other storage devices must be blocked by the operating-system controls on the connected desktops and servers.
  9. Prefer a branded product from an established vendor. A secure KVM evaluated against the NIAP Protection Profile for Peripheral Sharing Devices is one way to confirm that the properties above are actually implemented rather than merely advertised.
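As an added example that is not part of the original checklist, the Python script below models the operating-system side of item 8: before a USB device attached to a KVM-connected host is authorized, it must be one of the known keyboard/mouse pairs and must expose only HID interfaces, which also catches a composite device hiding a storage function behind a keyboard interface. The class codes are the standard USB ones that Linux exposes in sysfs; the VID:PID values and the sample device list are constructed for this demo, and the udev rule fragment it renders (using the kernel's per-device `authorized` attribute) is an assumption to validate on the target distribution before rolling out.

```python
from dataclasses import dataclass

USB_CLASS_HID = 0x03
USB_CLASS_MASS_STORAGE = 0x08
USB_CLASS_HUB = 0x09

# The fixed keyboard and mouse issued with the KVM. These VID:PID pairs are
# constructed for the example; a real deployment reads them from lsusb output.
KNOWN_GOOD_VID_PID = {(0x1234, 0x0001), (0x1234, 0x0002)}


@dataclass(frozen=True)
class Interface:
    cls: int       # bInterfaceClass
    subclass: int  # bInterfaceSubClass
    protocol: int  # bInterfaceProtocol


@dataclass(frozen=True)
class UsbDevice:
    vid: int
    pid: int
    product: str
    interfaces: tuple


def denial_reason(dev):
    """Return None if the device may be authorized, otherwise why not.

    Two checks: the device must be one of the known keyboard/mouse pairs, and
    every interface it exposes must be HID. The second check catches a
    composite device that hides a storage or network function behind a
    keyboard interface. VID:PID is spoofable, so this complements the
    physical controls in the checklist rather than replacing them.
    """
    if not dev.interfaces:
        return "no interfaces"
    if (dev.vid, dev.pid) not in KNOWN_GOOD_VID_PID:
        return "VID:PID not on allow-list"
    for iface in dev.interfaces:
        if iface.cls != USB_CLASS_HID:
            return "non-HID interface class 0x%02x" % iface.cls
    return None


def evaluate(devices):
    """Split devices into an allowed product list and a {product: reason} map."""
    allowed, denied = [], {}
    for dev in devices:
        reason = denial_reason(dev)
        if reason is None:
            allowed.append(dev.product)
        else:
            denied[dev.product] = reason
    return allowed, denied


def udev_rules(vid_pid_allowlist=KNOWN_GOOD_VID_PID):
    """Render a udev rules file: de-authorize every newly attached non-hub
    USB device, then re-authorize the allow-listed keyboard and mouse.
    Hubs are excluded so the bus itself stays up. Assumed syntax; check it
    on the target system."""
    lines = [
        "# Default deny: drop every newly attached USB device except hubs",
        'ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", '
        'ATTR{bDeviceClass}!="%02x", ATTR{authorized}="0"' % USB_CLASS_HUB,
    ]
    for vid, pid in sorted(vid_pid_allowlist):
        lines.append(
            'ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", '
            'ATTR{idVendor}=="%04x", ATTR{idProduct}=="%04x", ATTR{authorized}="1"'
            % (vid, pid))
    return "\n".join(lines) + "\n"


# Constructed sample devices as they might appear on a KVM-attached host.
SAMPLE_DEVICES = (
    UsbDevice(0x1234, 0x0001, "KVM keyboard", (Interface(USB_CLASS_HID, 0x01, 0x01),)),
    UsbDevice(0x1234, 0x0002, "KVM mouse", (Interface(USB_CLASS_HID, 0x01, 0x02),)),
    UsbDevice(0x0abc, 0x1000, "USB thumb drive",
              (Interface(USB_CLASS_MASS_STORAGE, 0x06, 0x50),)),
    # Keyboard VID:PID cloned onto a composite device that also exposes storage
    UsbDevice(0x1234, 0x0001, "composite keyboard+storage",
              (Interface(USB_CLASS_HID, 0x01, 0x01),
               Interface(USB_CLASS_MASS_STORAGE, 0x06, 0x50))),
    # Keystroke-injection device presenting itself as a generic HID keyboard
    UsbDevice(0x0def, 0x2000, "unknown HID keyboard",
              (Interface(USB_CLASS_HID, 0x01, 0x01),)),
)

if __name__ == "__main__":
    ok, bad = evaluate(SAMPLE_DEVICES)
    print("allowed:", ok)
    for name, why in bad.items():
        print("denied: %s (%s)" % (name, why))
    print(udev_rules())
```

Running the script lists only the two issued peripherals as allowed; the thumb drive and the unknown keyboard fail the allow-list check and the cloned composite device fails the interface-class check. The rendered udev fragment is default-deny, so a device that is unplugged and replaced by something else at the same port is not silently re-enabled.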
Authored by Gopal Pandurengan
TCS Enterprise Security and Risk Management