Guides & Articles

Top IP KVM Security Elements

Critical Systems

Security is one of the greatest concerns in critical environments, where knowledge workers monitor real-time data, analyze it, and make crucial decisions. Here and in many other environments, IP KVM extenders are deployed to secure computer assets in server rooms and enable users to control them from a distance, thereby preventing hardware tampering and interruptions to day-to-day operations. With the threat of cyber-attacks on the rise however, it becomes imperative to deploy IP KVM extenders offering key security features that are in line with an organization’s IT security policies and guidelines.

Information Security Principles (CIA Triad)

info security principles
Information security principles guide organizations in developing policies, procedures, and processes to help maintain the confidentiality, integrity, and availability of business information.
  • Confidentiality - Protect the privacy of the information - making sure that only users with correct privileges can see or use the information.
  • Integrity - Prevents a third-party from modifying the information before reaching its target or destroying it altogether.
  • Availability - Ensures that the information is accessible when the user needs access to it, and that the overall network is resilient when there is a single point of failure.

Key Security Features

IP security has been around for several decades. Both data and telephone over IP have already gone through multiple generations of constant iterative improvements on security, which directly benefit IP KVM deployments. IP KVM extension and switching solutions transport audio, video, and control signals of the computer system to a remote user station over standard networking infrastructure. Therefore, it becomes important to select a solution that offers key security features to help protect the confidentiality, integrity, and availability of the systems that are part of the KVM network.
 

Encryption technologies

Encryption is a process whereby the IP KVM extender converts the A/V and/or USB signals into obscure code to prevent unauthorized access during transmission. Encryption thus protects the confidentiality of the transmitted signals during transport. The ability to encrypt packetized video, audio, and USB is considered by some as being superior to traditional baseband video transmission if there is a concern that someone might try to hack and snoop the feeds. IP KVM extenders that support encryption securely distribute audio, video, and USB signals over the IP network. They also maintain the integrity of the transmitted data by preventing third-parties from modifying the content during transport.
 
Advanced encryption standard (AES) is one of the most secure data encryption standards accepted worldwide. It was established in 2001 by the National Institute of Standards and Technology (NIST), which is a branch of the US government. Some IP KVM extenders use the AES standard for encrypting the data and passwords.
 
AES 128-bit and AES 256-bit standards use a symmetric encryption algorithm where a single key is used to encrypt and decrypt the data. In KVM applications, it is important to not only protect the audio and video signals, but also the USB signals by encrypting keystrokes for entering passwords safely and to safeguard confidential information.

Communication and control channels

IP KVM extender units communicate with each other and exchange commands—for example, when the receiver unit needs to switch and connect to another transmitter unit (source system). These types of commands between KVM devices need to be transmitted over a secure communication channel, such as Hypertext Transfer Protocol Secure (HTTPS), to prevent tampering with the KVM network by either rerouting signals or interrupting operation.
 
HTTPS runs over a Transport Layer Security (TLS) connection. TLS is an industry-standard protocol for secure communication over the network. It is an improved version of Secure Socket Layer (SSL). TLS uses asymmetric encryption (both public and private) to protect the transported information, and relies on digital certificates to validate the identity of the transmitter and receiver devices. A secure communication and control channel within the KVM network is critical in maintaining the confidentiality and integrity of the extended A/V, USB, and control signals. This command-and-control layer can be further protected with permissions and passwords.
log in icon

Permissions and passwords

Different security levels can be defined by setting up user permissions and passwords. User permissions allow to define which source systems a user can connect to, and from which remote station they can access the systems.
 
Local users or domain-based users can be created through Microsoft Active Directory or other domain servers. Each user will then need to log into the receiver unit to view the list of transmitter units or source systems they can connect to. IT professionals also recommend using strong passwords and changing them on a regular basis. Multi-level sign-on adds another layer of security—the user will be made to sign into the KVM receiver device and also into the source system.
radius icon

Port-based authentication

A strong form of authentication is provided by the IEEE 802.1x standard—a port-based network access control for wired and wireless devices. IEEE 802.1x standard blocks rogue devices from communicating over a protected network and potentially disrupting operation. The network switch blocks traffic to and from any new device that wants access to the network until it is authenticated by a central server, typically a RADIUS (Remote Authentication Dial In User Service) server. It verifies the identity of the new device and only then authorizes the device to join the network.”
usb virus icon

Whitelisting USB devices

Viruses could enter systems through infected USB storage devices or thumb drives. Blocking the operation of USB 2.0 devices on an IP KVM receiver is one way of preventing such intrusions. This is typically done at the product level, where the IP KVM extenders allow connecting to only USB HID devices such as keyboard and mouse, and block all USB 2.0 transactions. For applications that require USB 2.0 support, high-performance IP KVM extenders give administrators the ability to whitelist authorized USB 2.0 devices and protect systems from attacks.

Network segmentation

A network is composed of various types of devices including computers, servers, IP KVM transmitter and receiver devices, among others. Each device has a different function, and transmits or processes information at different classification levels. The network infrastructure binds all these devices or nodes together—if one node gets infected, the attack could easily spread to the whole network.
 
Segmentation divides the network by function—where each function has a different security requirement. Segmentation by function prevents an attacker from freely moving through the network and further spreading the attack. Networks can be logically segmented by function or traffic type through the creation of virtual LANs (VLAN) and firewalls—for example, the KVM traffic could be on a separate VLAN than the data traffic. Tighter security control is achieved by physically segregating the networks, and having a completely separate infrastructure for each function. This means, having a separate set of servers, switches, and routers forthe KVM network.
 
In critical environments—such as military, financial, energy, and utilities markets—air-gapped networks are a common practice, where the KVM network is not connected to the public internet or unsecured LANs. Using fiber optic cables to route the networks also brings in another layer of security. Fiber optic cables are more difficult to snoop than CAT5, and support longer distances, thereby minimizing junctions and potential attack points.

Align with IT Security Policies

network segmentation
While there is no substitute for knowledge and responsible deployment efforts when it comes to securing networks, IP KVM extenders with key security features help to align with an organization’s IT security policies and procedures. The right IP KVM extension and switching solution is equally, or even more secure than traditional matrix KVM switching solutions. When banking can be done over IP, why not your desktop content?

Matrox Secure IP KVM extenders

Matrox® offers secure, high-performance IP KVM solutions that integrate seamlessly into your existing IT infrastructure. Matrox® Extio 3 is the world’s first IP KVM extender capable of supporting 4Kp60 or quad 1080p60 4:4:4 video, keyboard, mouse, USB 2.0, and audio at unprecedented low-bitrates over a standard Gigabit Ethernet network. Designed to ease integration and provide operational flexibility for information sharing, fast decision-making, and intuitive collaboration, the Matrox Extio 3 IP KVM extender is ideal for a wide range of secure extension and switching applications.
 
 
Key Features Extio 3 IP KVM Extenders
A/V encryption
USB encryption
Secure communication
Password-protected environment
User authentication
Active Directory support
Allow only USB HID devices
Whitelist USB 2.0 devices
Port-based authentication

Ready to learn more?

See how Matrox Extio 3 IP KVM can help.

Request more info

 

Resources

 Top IP KVM Security Factors Guide

 

Related Guides