Belkin® Secure DVI KVM Switch, Secure KM Switch and
Secure Windowing KVM EAL 4 augmented ALC_FLR.3 Security Target
7 TOE Summary Specification
This section presents an overview of the security functions implemented by the TOE and the
Assurance Measures applied to ensure their correct implementation.
7.1 User Data Protection – Data Separation (TSF_DSP)
The TOE implements the Data Separation Security Function Policy (SFP) as outlined in Section 2
of the claimed Protection Profile. The Data Separation Security Function Policy implemented in
the TOE is enhanced compared to the requirements that were defined by the claimed
Protection Profile.
The TOE PERIPHERAL DATA flow path design is based on the following features:
- Isolated device emulators per coupled computer to prevent any direct interface between the TOE shared resources and connected computers.
- Host emulators to interface with connected peripherals, thus isolating external peripherals from TOE internal circuitry and from connected computers.
- Optical data diodes to enforce unidirectional data flow between host emulators and device emulators.
- Multiplexer (switch) to enable selection of just one data source at any given time.
This peripheral data path design provides higher assurance that data confidentiality will be
maintained even when targeted attacks are launched against the TOE.
The TOE design does not mix PERIPHERAL DATA having different IDs or security attributes, and
therefore internal TOE user data security attributes are neither generated nor used. This design
therefore satisfies Functional Requirement FDP_ETC.1, which covers user data export, and
FDP_ITC.1, which covers user data import.
Unidirectional optical data diodes are used in the PERIPHERAL PORT GROUP traffic to assure
that PERIPHERAL DATA can only flow from the SHARED PERIPHERAL DEVICEs to the
COMPUTERs. This design prevents the COMPUTERs from interacting directly with the SHARED
PERIPHERAL DEVICEs and therefore satisfies Functional Requirements FDP_IFC.1b and
FDP_IFF.1b.
The TOE design uses a data multiplexer that only allows PERIPHERAL DATA to flow from the
PERIPHERAL PORT GROUP to one COMPUTER at a time based on the selected ID. This is
implemented through the switching mechanism of the TOE, and satisfies Functional
Requirements FDP_IFC.1a and FDP_IFF.1a.
The Data Separation Security Function Policy – "the TOE shall allow peripheral data and state
information to be transferred only between peripheral port groups with the same ID" – is assured
through the use of a single unidirectional channel select control bus to drive all TOE switching
functions simultaneously. This design further satisfies the Functional Requirements FDP_IFC.1a
and FDP_IFF.1a.
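The following Python model is an added illustration of the peripheral data path described in this section; it is not Belkin's design or code. The class and method names (DataDiode, KvmDataPath, select, peripheral_input, computer_output) and the sample frames are assumptions. It models one diode and one device emulator per coupled computer, a multiplexer keyed on a single channel-select bus, and shows that peripheral data reaches only the selected ID while any data a computer pushes toward the shared peripheral has no path at all.

```python
from typing import Dict, List, Optional


class DataDiode:
    """Optical data diode: frames pass only from the host emulator (peripheral
    side) to a device emulator (computer side); there is no reverse path."""

    def forward(self, frame: bytes) -> bytes:
        return frame  # peripheral -> computer direction is the only path

    def reverse(self, frame: bytes) -> Optional[bytes]:
        return None  # computer -> peripheral: no physical path exists


class KvmDataPath:
    """Assumed name. Models isolated device emulators, per-computer diodes,
    the multiplexer and the single channel-select control bus."""

    def __init__(self, computer_ids: List[int]) -> None:
        # One diode and one device-emulator receive queue per coupled computer.
        self.diodes: Dict[int, DataDiode] = {cid: DataDiode() for cid in computer_ids}
        self.device_emulator_rx: Dict[int, List[bytes]] = {cid: [] for cid in computer_ids}
        self.select_bus: int = computer_ids[0]  # the one bus that drives all switching

    def select(self, cid: int) -> None:
        if cid not in self.diodes:
            raise ValueError(f"no computer with ID {cid}")
        self.select_bus = cid  # every switching function follows this value at once

    def peripheral_input(self, frame: bytes) -> int:
        """Data from a shared peripheral: the multiplexer delivers it to the
        device emulator whose ID matches the select bus and to no other."""
        dest = self.select_bus
        self.device_emulator_rx[dest].append(self.diodes[dest].forward(frame))
        return dest

    def computer_output(self, cid: int, frame: bytes) -> Optional[bytes]:
        """A computer attempting to push data toward the shared peripheral."""
        return self.diodes[cid].reverse(frame)  # always None: blocked by the diode


def demo() -> KvmDataPath:
    """Constructed walk-through: two keystrokes routed under two selections."""
    kvm = KvmDataPath([1, 2, 3, 4])
    kvm.select(2)
    kvm.peripheral_input(b"keystroke-A")  # constructed sample frame
    kvm.select(4)
    kvm.peripheral_input(b"keystroke-B")  # constructed sample frame
    kvm.computer_output(2, b"LED-report")  # computer 2 tries to reach the keyboard
    return kvm
```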
Rev. 1.01
Page | 60