An ST principally defines: A security problem expressed as a set of assumptions about the security aspects of the environment; a list of threats which the product is intended to counter; and any known rules with which the product must comply (in Chapter 3, Security Problem Definition). A set of security objectives and a set of security requirements to address that problem (in Chapters 4 and 5, Security Objectives and IT Security Requirements, respectively). The IT security functions provided by the Target of Evaluation (TOE) that meet the set of requirements (in Chapter 6, TOE Summary Specification). The structure and content of this ST complies with the requirements specified in the Common Criteria (CC), Part 1, Annex A, and Part 3, Chapter 6. 1.1 ST and TOE Identification This section provides information needed to identify and control this ST and its Target of Evaluation (TOE), the TOE Name. This ST targets an Evaluation Assurance Level (EAL) 4 (augmented with ALC_FLR.3) level of assurance. ST Title: Belkin Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM Security Target EAL 4 augmented ALC_FLR.3 Security Target ST Evaluation: EWA, Canada Revision Number: 1.01 ST Publish Date: July 16, 2012 ST Authors: Carlos Del Toro, Belkin International TOE Identification: Belkin Secure 2‐port DVI‐I KVM Switch w/audio and CAC ‐ Model F1DN102C, Ver. 111111 Or Belkin Secure 2‐port DVI‐D KVM Switch w/audio ‐ Model F1DN102F, Ver. 111111 Or Belkin Secure 4‐port DVI‐I KVM Switch w/audio – Model F1DN104B, Ver. 111111 Page | 5 ...
Validated Protection Profile – NIAP Peripheral Sharing Switch for Human Interface Devices Protection Profile, Version 2.1, September 7, 2010 1.2 TOE Overview The Belkin Secure KVM Switch allows the secure sharing of a single set of peripheral components such as keyboard, Video Display and Mouse/Pointing devices among multiple computers through standard USB, and DVI interfaces. Page | 6 ...
The Belkin Secure KVM line products are available in 2, 4, 8 or 16 port models with single or dual‐head (displays). Products include traditional KVM switching devices, desktop controller unit (DCU), direct display connection products (KM), Windowing KVM to allow secure ...
It should be noted that modern Secure KVM devices do not allow any electrical interface peripheral sharing in order to prevent certain attacks, and therefore they are no longer simple switching devices. Figure 1 – Typical example of TOE installation 1.3.2 Physical Scope and Boundary The TOE is a peripheral sharing switch. The physical boundary of the TOE consists of (refer to figure 1 below): One BELKIN Secure KVM Switch, KM switch or Windowing KVM; The firmware embedded inside the TOE that is permanently programmed into the TOE multiple microcontrollers; Page | 8 ...
Page 9
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 The TOE power supply that is shipped with the product; The TOE COMPUTER interface cables that are shipped with the product; The optional Desktop Controller Unit (DCU) accessory; and The accompanying User Guidance. Updated User Guidance can be downloaded from the http://www.belkin.com website at any time. The evaluated TOE configuration does not include any peripherals or computer components, but do include supplied computer interface cables and a Remote Desktop Controller attached to the TOE. The following figure depicts the TOE and its environment. It should be noted that some TOE models support the operation of multiple user displays. Page | 9 ...
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 1.3.3 Evaluated Environment This table identifies hardware components and indicates whether or not each component is in the TOE or Environment. Page | 10 ...
Page 11
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 TOE / Component Description Environment TOE TOE Belkin Secure 2‐port DVI‐I KVM Switch w/audio and CAC ‐ Model Hardware F1DN102C Or Belkin Secure 2‐port DVI‐D KVM Switch w/audio ‐ Model F1DN102F Or Belkin Secure 4‐port DVI‐I KVM Switch w/audio – Model F1DN104B Or Belkin Secure 4‐port DVI‐I KVM Switch w/audio and CAC ‐ Model F1DN104G Or Belkin Secure 8‐port DVI‐I KVM Switch w/audio and CAC ‐ Model F1DN108C Or ...
Page 12
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 TOE TOE Or Hardware Belkin Secure 4‐port KM Switch w/audio ‐ Model F1DN104K Or Belkin Secure 8‐port KM Switch w/audio ‐ Model F1DN108K Or Belkin Secure 4‐port Windowing KVM‐ Model F1DN104M And Belkin Desktop Controller Unit (DCU) Model F1DN003R Page | 12 ...
Page 13
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 Environment USB Mouse and keyboard compatible with: Shared Logitech mouse MX518 Peripheral Logitech mouse M‐UV96 Port Group Microsoft mouse 1.1A Member Logitech mouse G500 Logitech mouse M‐V0007 Teac mouse M52 Microsoft IntelliMouse Explorer 2.0 and 3.0 Logitech Comfort Mouse and Keyboard Dell USB mouse models: 0CJ3339, CU036 Dell Keyboard models: SK‐8115, 0N242F, L100, TH826 Microsoft keyboard 2000, Model 1047, KU‐0459 Microsoft keyboard RT9450 Lenovo keyboard SK‐8825 (L) Environment USB User Authentication Device compatible with: Shared ...
Page 14
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 TOE BELKIN KVM Cables (as needed): Cables for connection of Host Description Computers F1D9012b06 Belkin P/N F1D9012b06, Secure KVM Cable Kit, to DVI, USB & Audio, black, shielded (6 ft. = 180 Peripheral cm). Port Group F2E4141B10D Belkin P/N F2E4141B10DD‐RT, Belkin Pro Series D‐RT DVI‐D Dual‐Link M to M Cable, shielded (10 ft. = 300 cm). CWR05114 Belkin RJ‐14 to RJ‐14 DCU cable, unshielded (6 ft. = 180 cm) F1D9013b10 Belkin P/N F1D9013b10, CAC USB cable, black, shielded (10ft = 300 cm) ...
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 Environment Operational Host Computers Qty 2,4,8 or 16 based on KVM model used Environmen t Host Any hardware platform supporting the following Operating Computer Systems: resources Windows 2000 Professional –service pack 4 MS Windows XP (Home/Pro) –service pack 3 MS Windows 2003 Server – latest released service pack MS Windows Vista – 32/64bit MS Windows 7 – 32/64bit Apple OS X v10.4 and higher Red Hat Linux Desktop – latest released version Red Hat Enterprise Linux WS – latest released version Ubuntu 9.10 Linux – latest released version with USB HID support and single or dual DVI or DP monitor output support. Table 1: Evaluated TOE and Environment Components 1.3.4 Guidance Documents The following guidance documents are provided with the TOE upon delivery in accordance with EAL 4 requirements: Product user’s manual All documentation delivered with the product is relevant to and within the scope of the TOE. Latest documentation may be found at BELKIN web‐site: http://www.belkin.com/Product_Docs.html 1.3.5 TOE Features Outside of Evaluation Scope This section identifies any items that are specifically excluded from the TOE. Pointing device driver (software) used with KM models TOE to support multiple display ...
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 1.3.6 Logical Scope of the TOE The TOE logical scope and boundary consists of the security functions/features provided/controlled by the TOE. The TOE provides the following security features: Data Separation (TSF_DSP), Security Management (TSF_MGT), Protection of the TSF (TSF_TMP), Visual Indication Rule (EXT_VIR), Invalid USB Connection (EXT_IUC), Read‐Only ROMs (EXT_ROM) The TOE implements the Data Separation Security Function Policy (SFP) as outlined in Section 2 of the claimed Protection Profile. In operation, the TOE is not concerned with the user ...
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 be accepted by the TOE only if it is qualified. A non‐qualified (UNAUTHORIZED) USB device will be blocked by the TOE and cannot be used. Protection from invalid USB devices is accomplished as explained in more detail in Section 7 of this ST. The TOE design uses read only non‐volatile memory components to prevent any possibility of a remote tampering attack intended to modify TOE security functionality. Read Only Memory protection is accomplished as explained in more detail in Section 7 of this ST. 1.4 Organization ...
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 Section 6 presents the Security Functional Requirements (SFRs) met by the TOE, and the security functional requirements rationale. In addition, this section presents Security Assurance Requirements (SARs) met by the TOE, as well as the assurance requirements rationale. Summary Specification (Section 7) This section describes the security functions provided by the TOE and how they satisfy the security functional requirements. It also describes the security assurance measures for the TOE and the rationale for the assurance measures. ...
Page 19
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 Authorized User A USER who has been granted permission to interact with the TOE and all of its CONNECTED PERIPHERALS. Computer A programmable machine. The two principal characteristics of a computer are: it responds to a specific set of instructions in a well‐defined manner, and it can execute a prerecorded list of instructions (a software program). For the purposes of this ...
Page 20
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 Interface The CONNECTION and interaction between hardware, software, and the USER. Input Device Any machine that feeds data into a . This includes COMPUTER scanners, touch screens, and voice response systems. Keyboard A DEVICE which converts the physical action of a USER such as the depressing of one or more buttons into electronic signals corresponding to the bitwise symbol for a character in some form of electronic alphabet. The most common example is the ...
Page 21
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 COMPUTER directly CONNECTED to the SWITCH. Each SWITCHED COMPUTER Group has a unique logical ID. The shared Group ID is the same as that of the SWITCHED COMPUTER Group currently selected by the SWITCH. Plug and Play A standardized interface for the automatic recognition and installation of interface cards and devices on a PC. Pointing Device A DEVICE, which convert relative positioning motion from a human operator into positioning information on a MONITOR. ...
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 1.6.2 Acronyms CAC Common Access Card CM Configuration Management DCU Desktop Control Unit DPP Dedicated Peripheral Port DVI Display Visual Interface (VESA Standard) EAL Evaluation Assurance Level EDID Extended Display Identification Data (VESA Standard) EEPROM Electrically Erasable Programmed Read Only Memory ID Identification IT ...
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 Conformance Claims This section describes the conformance claims of this Security Target. 2.1 Common Criteria Conformance Claims The Security Target is based upon: 1. Common Criteria for Information Technology Security Evaluation, Part 1: Introduction and General Model; Version 3.1, Revision 3, dated July 2009. 2. Common Criteria for Information Technology Security Evaluation, Part 2: Security Assurance Components; Version 3.1, Revision 3, dated July 2009. 3. Common Criteria for Information Technology Security Evaluation, Part 3: Security ...
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 Security Problem Definition This section describes assumptions about the operational environment in which the TOE is intended to be used and represents the conditions for the secure operation of the TOE. Note: The content in this section is appears in the Security Problem Definition of the claimed PSS PP and is copied here for completeness. 3.1 Secure Usage Assumptions The Security Objectives and Security Functional Requirements defined in subsequent sections of this Security Target are based on the condition that all of the assumptions described in this section are satisfied. Assumption Definition A.ACCESS An AUTHORIZED USER possesses the necessary privileges to access the ...
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 4. An unidentified threat agent attacking the TOE and/or its coupled PERIPHERALS. 3.2.1 Threats Addressed by the TOE “Threats to Security” Section 3.2 of the claimed Protection Profile identifies the following threats to the assets against which specific protection within the TOE is required: Threat Definition T.INVALIDUSB The AUTHORIZED USER will connect UNAUTHORIZED USB devices to the peripheral switch. T.RESIDUAL RESIDUAL DATA may be transferred between PERIPHERAL PORT GROUPS with different ...
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 3.2.2 Threats addressed by the IT Operating Environment The Protection Profile claimed identifies no threats to the assets against which specific protection within the TOE environment is required. 3.3 Organizational Security Policies The Protection Profile claimed identifies no Organizational Security Policies (OSPs) to which the TOE must comply. Page | 26 ...
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 Security Objectives This chapter describes the security objectives for the TOE and the Operational Environment. The security objectives are divided between TOE Security Objectives (for example, security objectives addressed directly by the TOE) and Security Objectives for the Operating ...
Page 28
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 and EDID data will flow only from PERIPHERAL DEVICES to the SWITCHED COUPLED COMPUTER. The TOE Device provides unambiguous detection of physical tampering O.TAMPER of the TSF's devices or TSF's enclosure, and permanently disables TOE normal functionality after such an event. Table 4: TOE Security Objectives definitions Page | 28 ...
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 4.2 Security Objectives for the Operational Environment The following IT security objectives for the environment are to be addressed by the Operational Environment by technical means. Environment Security Definition Objective OE.ACCESS The AUTHORIZED USER shall possess the necessary privileges to access the information transferred by the TOE. USERS are AUTHORIZED USERS. OE.MANAGE The TOE shall be installed and managed in accordance with the manufacturer’s directions. OE.NOEVIL ...
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 4.3 Rationale This section demonstrates that each threat, organizational security policy, and assumption are mitigated by at least one security objective for the TOE, and that those security objectives counter the threats, enforce the policies, and uphold the assumptions. Threats, Policies, Assumptions ● ● T.INVALIDUSB ...
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 4.3.1 TOE Security Objectives Rationale Threats, Policies, and Summary Objectives and rationale Assumptions T.INVALIDUSB O.USBDETECT O.USBDETECT This objective will ensure detection This objective will detect the The AUTHORIZED USER of the connection of an UNAUTHORIZED device will connect UNAUTHORIZED USB device to the connection to the TOE Console ...
Page 32
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 GROUP ID. important for DEVICES with bi‐ directional communications channels such as KEYBOARD and POINTING DEVICES. Since many PERIPHERALS now have embedded microprocessors or microcontrollers, significant amounts of information may be transferred from one COMPUTER system to another, resulting in ...
Page 33
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 T.INFECTED O.ROM O.ROM TOE may be attacked by TOE software/firmware shall be This Objective assures that TOE a coupled COMPUTER protected against unauthorized software/firmware will be that was infected by a modification. Embedded software protected against unauthorized malicious code inserted must be contained in mask‐ modification. Embedded by an unidentified threat ...
Page 34
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 selection methods are used by most (if not all) current market products. Automatic switching based on scanning shall not be used as a selection mechanism. T.PERIP O.ROM O.ROM A USER may connect to TOE software/firmware shall be This Objective assures that TOE the TOE a qualified protected against unauthorized software/firmware will be PERIPHERAL DEVICE that modification. Embedded software ...
Page 35
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 embedded microprocessors or microcontrollers, significant amounts of information may be transferred from one COMPUTER system to another, resulting in compromise of sensitive information. An example of this is transfer via the buffering mechanism in many KEYBOARDS. ...
Page 36
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 been altered. O.UNIDIR O.UNIDIR This objective will ensure that TOE circuitry shall assure that USER console KEYBOARD and KEYBOARD, USER POINTING DEVICE POINTING DEVICE data will only and EDID data will flow only from flow through the TOE in one ...
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 4.3.2 Security Objectives Rationale for the Operational Environment Threats, Policies, and Summary Objectives and rationale Assumptions A.ACCESS OE.ACCESS All authorized users are trustworthy individuals, having An AUTHORIZED USER The AUTHORIZED USER shall background investigations possesses the necessary possess the necessary privileges to commensurate with the level of ...
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 4.4 Rationale for Organizational Policy Coverage There are no Organizational Policies for this TOE. Page | 38 ...
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 Extended Components Definition The Extended Components Definition describes components for security objectives which cannot be translated or could only be translated with great difficulty to existing requirements. Extended Security Functional Requirements (Explicit) EXT_VIR.1 Visual Indication Rule EXT_IUC.1 Invalid USB Connection EXT_ROM.1 Read‐Only ROMs Table 9: Extended SFR Components 5.1 Class EXT: Extended Visual indications Visual confirmation provides the user with important information regarding the current connection made through the TOE. This allows the user to confirm that the data is being ...
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 Hierarchical to: No other components. Dependencies: No dependencies. EXT_VIR.1.1 A visual method of indicating which COMPUTER is CONNECTED to the shared set of PERIPHERAL DEVICES shall be provided that is persistent for the duration of the CONNECTION. Application Note: Does not require tactile indicators, but does not preclude their presence. 5.2 Class EXT: Extended ‐ Invalid USB Connection (EXT_IUC) ...
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 EXT_IUC.1.1 All USB devices connected to the Peripheral switch shall be interrogated to ensure that they are valid (pointing device, keyboard, user authentication device, display). No further interaction with non‐valid devices shall be performed. 5.3 Class EXT: Extended – ROM (EXT_ROM) The ROM requirement protects the TOE from remote tampering by re‐programming of programmable components in the TOE. The use of non‐volatile memory with mask ROM, OTP (One Time Programming) or fused write protection assures that firmware may not be changed ...
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 5.4 Rationale for Explicitly Stated Security Requirements The Explicit SFRs in this Security Target are from the claimed Protection Profile. Page | 42 ...
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 Security Requirements This section defines the IT security requirements that shall be satisfied by the TOE or its environment. The CC divides TOE security requirements into two categories: Security functional requirements (SFRs) (such as, identification and authentication, security management, and user data protection) that the TOE and the supporting ...
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 Table 10: TOE Security Functional Requirements summary 6.1.1 Class FDP: User Data Protection 6.1.1.1 FDP_ETC.1 Export of user data without security attributes Hierarchical to: No other components. Dependencies: FDP_ACC.1 Subset access control, or FDP_IFC.1a subset information flow control FDP_ETC.1.1 The TSF shall enforce the Data Separation SFP when exporting user data, controlled under the SFP(s), outside of the TOE. FDP_ETC.1.2 The TSF shall export the user data without the user data’s associated security attributes. 6.1.1.2 FDP_IFC.1a Subset Information Flow Control (Data Separation) Hierarchical to: No other components. Dependencies: FDP_IFF.1a Simple security attributes FDP_IFC.1.1a The TSF shall enforce the Data Separation SFP on the set of ...
Page 45
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 Dependencies: FDP_IFC.1a Subset information flow control FMT_MSA.3 Static attribute initialization FDP_IFF.1.1a The TSF shall enforce the Data Separation SFP based on the following types of subject and information security attributes: PERIPHERAL PORT GROUPS (SUBJECTS); KEYBOARD PERIPHERAL DATA, POINTING DEVICE PERIPHERAL DATA, EDID PERIPHERAL DATA, and USER AUTHENTICATION DEVICE PERIPHERAL DATA (OBJECTS), and PERIPHERAL PORT GROUP IDs (ATTRIBUTES). FDP_IFF.1.2a The TSF shall permit an information flow between a controlled subject ...
Page 46
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 FDP_IFF.1.1b The TSF shall enforce the Unidirectional Forced Data Flow SFP based on the following types of subject and information security attributes: o PERIPHERAL PORT GROUPS (SUBJECTS); o KEYBOARD PERIPHERAL DATA, POINTING DEVICE PERIPHERAL DATA, EDID PERIPHERAL DATA, and USER AUTHENTICATION DEVICE PERIPHERAL DATA (OBJECTS), and o PERIPHERAL PORT GROUP IDs (ATTRIBUTES). FDP_IFF.1.2b The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold: Unidirectional flow Rule: KEYBOARD PERIPHERAL DATA, POINTING DEVICE PERIPHERAL DATA and EDID PERIPHERAL DATA can flow only from the PERIPHERAL DEVICE to the CONNECTED COMPUTER. Flow in the reverse direction must be prevented by hardware. Separation Rule: USER AUTHENTICATION DEVICE DATA must be separated from all other PERIPHERAL DATA. FDP_IFF.1.3b The TSF shall enforce the No additional information flow control ...
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 6.1.1.6 FDP_ITC.1 Import of User Data Without Security Attributes Hierarchical to: No other components. Dependencies: [FDP_ACC.1 Subset access control, or FDP_IFC.1a Subset information flow control] FMT_MSA.3 Static attribute initialization FDP_ITC.1.1 The TSF shall enforce the Data Separation SFP when importing user data, controlled under the SFP, from outside the TOE. FDP_ITC.1.2 The TSF shall ignore any security attributes associated with the user data when imported from outside the TOE. FDP_ITC.1.3 The TSF shall enforce the following rules when importing user ...
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 6.1.2.2 FMT_MSA.3 Static attribute initialization Hierarchical to: No other components. Dependencies: FMT_MSA.1 Management of Security Attributes FMT_SMR.1 Security roles FMT_MSA.3.1 The TSF shall enforce the Data Separation SFP to provide restrictive default values for security attributes that are used to enforce the SFP. Application Note: On start‐up, one and only one attached COMPUTER shall be selected. ...
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 6.2 Explicitly Stated Requirements for the TOE This ST contains the explicitly stated requirement for the TOE as specified in Section 5.1.3 of the claimed Protection Profile. It has been reproduced here: EXT_VIR.1 Visual Indication Rule Hierarchical to: No other components. Dependencies: None EXT_VIR.1.1 A visual method of indicating which COMPUTER is CONNECTED to the shared set of PERIPHERAL DEVICES shall be provided that is persistent for the duration of the CONNECTION. Application Note: Does not require tactile indicators, but does not preclude their ...
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 6.3 Rationale For TOE Security Requirements The section below demonstrates the tracing of Security Functional Requirements to Security Objectives and describes the applicable rationale based on direct reference from the claimed Protection Profile. 6.3.1 TOE Security Functional Requirements Tracing & Rationale Objectives SFRs ● FDP_ETC.1 ●...
Page 51
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 Table 11: SFR and Security Objectives Mapping Objective SFR Addressing the Rationale Objective O.CONF FDP_ETC.1 (Export of User FDP_ETC.1: In typical TOE Data Without Security applications, USER data consists The TOE shall not violate the Attributes) of HUMAN INTERFACE DEVICE confidentiality of control information. Also information, which it included is configuration processes. Information information such as KEYBOARD ...
Page 52
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 FDP_IFF.1a (Simple This requirement identifies the Security Attributes) security needed to ATTRIBUTES detail the operation of a switch and the rules allowing information transfer. This requirement is a dependency of FDP_IFC.1a. FDP_IFF.1b (Simple FDP_IFF.1b: This requirement Security Attributes ‐ identifies the security ...
Page 53
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 requirement for visual indication. O.ROM EXT_ROM.1 (Read‐Only EXT_ROM.1: implements the ROMs) O.ROM objective directly. While TOE software/firmware shall there might be other ways to be protected against protect embedded TSF code on unauthorized modification. a ROM (programmable or not), ...
Page 54
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 Attribute Initialization) GROUP selection based on a physical switch position or a manufacturer’s specified sequence for choosing among the CONNECTED COMPUTERS (CONNECTED here implies powered on). This requirement is a dependency of FDP_IFF.1a and FDP_ITC.1. O.USBDETECT EXT_IUC.1 (invalid USB EXT_IUC.1: Upon detection of ...
Page 55
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 O.TAMPER FPT_PHP.1 (Passive FPT_PHP.1: The TOE is required detection of physical to provide unambiguous The TOE Device provides attack) detection of any potential unambiguous detection of physical modification or physical tampering of the unauthorized internal access to TSF's ...
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 6.4 Rationale For IT Security Requirement Dependencies This section includes a table of all the security functional requirements and their dependencies and a rationale for any dependencies that are not satisfied. Functional Component Dependency Satisfied FDP_ETC.1 FDP_ACC.1 or FDP_IFC.1 Yes, FDP_IFC.1(a) FDP_IFC.1a FDP_IFF.1a Simple security attributes Yes FDP_IFC.1b FDP_IFF.1b Simple security attributes Yes FDP_IFC.1a Subset information flow Yes control FDP_IFF.1a FMT_MSA.3 Static attribute initialization Yes FDP_IFC.1b Subset information flow Yes control FDP_IFF.1b FMT_MSA.3 Static attribute initialization Yes FDP_ACC.1 or FDP_IFC.1 Yes, FDP_IFC.1a FDP_ITC.1 FMT_MSA.3 Yes FDP_ACC.1 or FDP_IFC.1 Yes, FDP_IFC.1a and ...
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 6.5 Dependencies Not Met FMT_SMR.1 (Security roles) and FMT_SMF.1 (Specification of management functions). The TOE is not required to associate USERS with roles; hence, there is only one “role”, that of USER. This deleted requirement, a dependency of FMT_MSA.1 and FMT_MSA.3, allows the TOE to operate normally in the absence of any formal roles. Accordingly, no management of security functions of the TOE is required. Therefore, no management functions are specified. Page | 57 ...
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 6.6 Security Assurance Requirements The table below is provides a list of claimed assurance components for each class. Assurance Class Assurance Assurance Components Description Component ID Development ADV_ARC.1 Security architecture description ADV_FSP.4 Complete functional specification ADV_IMP.1 Implementation representation of the TSF ADV_TDS.3 Basic modular design Guidance Documents AGD_OPE.1 Operational user guidance AGD_PRE.1 Preparative procedures Life Cycle Support ALC_CMC.4 Product support, acceptance procedures and automation ALC_CMS.4 Problem tracking CM coverage ALC_DEL.1 Delivery procedures ALC_DVS.1 Identification of security measures ...
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 6.7 Rationale for Security Assurance The EAL 4 + ALC_FLR.3 were chosen to provide an adequate level of independently assured security. The chosen assurance level is consistent with the threat environment where an attacker may be assumed to have an attack potential of Enhanced‐Basic. This has been augmented with ALC_FLR.3 in accordance with commercial requirements for this TOE type and in accordance ...
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 TOE Summary Specification This section presents an overview of the security functions implemented by the TOE and the Assurance Measures applied to ensure their correct implementation. 7.1 User Data Protection – Data Separation (TSF_DSP) The TOE implements the Data Separation Security Function Policy (SFP) as outlined in Section 2 of the claimed Protection Profile. The Data Separation Security Function Policy implemented in the TOE is enhanced compared to the requirements that were defined by the claimed Protection Profile. The TOE PERIPHERAL DATA flow path design is based on the following features: Isolated device emulators per coupled computer to prevent any direct interface between the TOE shared resources and connected computers. ...
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 It should be noted here that this TOE may switch the User Authentication Device PERIPHERAL DATA to a second COMPUTER based on user selection. The TOE may contain up to seven separate types of switching modules (model specific): Keyboard and pointing device; Display EDID; Analog display; Digital display; DP display; Audio output; and User Authentication device. The types of digital data and analog signals processed by the TOE are: keyboard data (USB or PS/2), pointing device data (USB or PS/2), Display Channel Plug & Play (EDID) information, ...
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 The TOE design provides clear and continuous visual indication of the selected channel through one or more of the following (model specific): front panel LEDs illuminated for each channel number selected, DCU display text highlighting, and windows frame colors (in Windowing KVM models). The PERIPHERAL PORT GROUP is connected to COMPUTER #1 by default upon completion of the self‐check. This static setting cannot be modified. Functional Requirements Satisfied: FMT_MSA.1, FMT_MSA.3, EXT_VIR.1 7.3 Protection of the TSF (TSF_TMP) ...
Belkin® Secure DVI KVM Switch, Secure KM Switch and Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target Rev. 1.01 7.5 Read‐Only Memory (TSF_ROM) The non‐volatile memory of the TOE functions as a ROM (Read Only Memory). The flash memory located within the microcontroller includes microscopic lock fuses that function as OTP (One Time Programmable) devices. During TOE production, following programming and testing, these lock fuses are activated (or burned) to protect the flash memory from further ...