IOGear CS1222TAA4, Manual

Page 1: ...M Switch Series Non CAC Models Security Target Version 1 1 2022 03 08 Prepared for 15365 Barranca Pkwy Irvine CA 92618 Prepared by Common Criteria Testing Laboratory 6841 Benjamin Franklin Drive Columbia Maryland 21046 ...

Page 2: ...sion Author Modifications 0 1 Leidos Initial Version 0 2 Leidos Revisions based on vendor and evaluation reviews 0 3 Leidos Updates for validator check in comments 1 0 Leidos Minor updates for evaluator comments 1 1 Leidos Updates for validator check out comments ...

Page 3: ...ectives 16 4 1 Security Objectives for the Operational Environment 16 5 IT Security Requirements 17 5 1 Extended Requirements 17 5 2 TOE Security Functional Requirements PSD MOD_AO_V1 0 MOD_KM_V1 0 18 5 2 1 Security Audit FAU 19 5 2 2 User Data Protection FDP 20 5 2 3 Identification and Authentication FIA 24 5 2 4 Security Management FMT 25 5 2 5 Protection of the TSF FPT 25 5 2 6 TOE Access FTA 2...

Page 4: ...EXT 2 PSD Switching Methods FDP_SWI_EXT 3 Tied Switching 36 6 2 9 TOE Video Security Function 36 6 3 Identification and Authentication FIA_UAU 2 FIA_UID 2 38 6 4 Security Management 38 6 4 1 FMT_MOF 1 Management of Security Functions Behavior 38 6 4 2 FMT_SMF 1 Specification of Management Functions 38 6 4 3 FMT_SMR 1 Security Roles 39 6 5 Protection of the TSF 39 6 5 1 FPT_FLS_EXT 1 Failure with P...

Page 5: ...ecurity Functional Components 18 Table 8 Audio Filtration Specifications 20 Table 9 TOE Security Functional Components DP Models 27 Table 10 TOE Security Functional Components H Models 28 Table 11 TOE Security Functional Components D Models 29 Table 12 Assurance Components 30 Table 13 Supported protocols by port 34 Table 14 DP Models 36 Table 15 H Models 37 Table 16 D Models 37 Table 17 SFR Protec...

Page 6: ...1 ST Date 2022 03 08 Target of Evaluation TOE Identification IOGEAR Secure KVM Switch Series Non CAC Models TOE Versions The following table identifies the model numbers per configuration The firmware version for all models is v1 1 101 Table 1 IOGEAR Secure KVM Switch TOE Models Configuration 2 Port 4 Port 8 Port DisplayPort Single Head GCS1412TAA4 GCS1414TAA4 GCS1418TAA4 Dual Head GCS1422TAA4 GCS...

Page 7: ...alog Audio Output Devices Version 1 0 19 July 2019 MOD_AO_V1 0 PP Module for Keyboard Mouse Devices Version 1 0 19 July 2019 MOD_KM_V1 0 o including the following optional and selection based SFRs FDP_FIL_EXT 1 KM FDP_RIP 1 KM and FDP_SWI_EXT 3 PP Module for Video Display Devices Version 1 0 19 July 2019 MOD_VI_V1 0 o including the following selection based SFRs FDP_CDS_EXT 1 FDP_IPC_EXT 1 FDP_SPR...

Page 8: ...n is identified with a slash and an identifier e g KM Additional iterations made by the ST author are defined with a reference in parentheses to the specific TOE models they apply to e g DP indicates the SFR only applies to DisplayPort models Though technically not an iteration FDP_IPC_EXT 1 also uses this convention to clarify that this requirement only applies to certain models Extended SFRs are...

Page 9: ...ity of a User to receive an indicator of the current Active Interface Non Selected Computer A Connected Computer that has no Active Interfaces with the PSD Peripheral Interface The PSD s physical receptacle or port for connecting to a Peripheral Device Peripheral Peripheral Device A Device with access that can be Shared or Filtered by a PSD Protection Profile PP An implementation independent set o...

Page 10: ...o authenticate to a computer e g smart card reader biometric authentication device proximity card reader User Data Information that the User inputs to the Connected Computer or is output to the User from the Connected Computer and including user authentication and credential information 1 3 2 Acronyms Table 3 Acronyms Acronym Definition ARC Audio Return Channel AUX Display Port Auxiliary Channel C...

Page 11: ...Security Target Version 1 1 2022 03 08 6 Acronym Definition PC Personal Computer PSD Peripheral Sharing Device RPS Remote Port Selector SFP Security Function Policy USB Universal Serial Bus ...

Page 12: ... the connected computers is active such that the peripherals connected to the console can be used to interact with the selected computer The TOE s console ports support USB keyboard and mouse analog audio out speakers and depending on model DisplayPort HDMI or DVI I display The TOE s computer ports support USB keyboard and mouse analog audio and depending on model DisplayPort HDMI or DVI I display...

Page 13: ...nal to HDMI The HDMI signal inside the KVM will be converted again to DisplayPort signal for output to the connected video display s and the AUX channel is monitored and converted to EDID The Secure KVM Switch products also support audio output connections from the computers to a connected audio output device Only speaker connections are supported and the use of an analog microphone or line in aud...

Page 14: ...f peripheral components Each peripheral has its own dedicated data path USB keyboard and mouse peripherals are filtered and emulated DisplayPort video from the selected computer is converted internally to HDMI then back to DisplayPort for communication with the connected video display and the AUX channel is monitored and converted to EDID The Secure KVM Switch products are designed to enforce the ...

Page 15: ...ility of data leakage from a user s peripheral output device to the input device ensures that no unauthorized data flows from the monitor to a connected computer and unidirectional buffers ensure that the audio data can travel only from the selected computer to the audio device There is no possibility of data leakage between computers or from a peripheral device connected to a console port to a no...

Page 16: ...heir own cable sets as long as the protocols are compatible but the vendor KVM cable sets are recommended The TOE was tested using the cable sets mentioned above and the following adapters G2LU3CHD02 USB C to HDMI cable G2LU3CDP12 USB C to DP cable GDPHD4KA Active DP to HDMI adapter GDPDVI4KA Active DP to DVI adapter While the cable sets and adapters were supplied they were not included in the eva...

Page 17: ...r a Class A digital device pursuant to Part 15 of the Federal Communications Commission rules If not installed and used in accordance with the guidance instructions the device may cause harmful interference to radio communications This evaluation did not test for RFI leakage of information 2 4 Logical Boundary This section summarizes the security functions provided by the TOE Security Audit User D...

Page 18: ...as USB device whitelist blacklist Once the Reset to Factory Default function has been completed the Secure KVM will terminate the Administrator Logon mode purge keyboard mouse buffer and power cycle the Secure KVM automatically 2 4 3 Identification and Authentication The TOE provides an identification and authentication function for the administrative user to perform administrative functions such ...

Page 19: ...r all devices in the evaluated configuration Guidance Documentation IOGEAR 2 4 8 Port USB DVI HDMI DisplayPort Single Dual View Secure KVM Switch Administrator s Guide Version 1 03 2021 5 5 IOGEAR Single Dual View Secure KVM Switch User Manual 2 4 8 Port USB DVI HDMI DisplayPort Version 1 03 2021 5 5 IOGEAR 2 4 8 Port USB DVI HDMI DisplayPort Single Dual View Secure KVM Switch Admin Log Audit Code...

Page 20: ...is expected to address and assumptions about the operational environment of the TOE In general the PSD has presented a Security Problem Definition appropriate for peripheral sharing devices The IOGEAR Secure KVM Switch Series supports KVM USB Keyboard Mouse analog audio out DisplayPort DVI I and HDMI video peripheral switch functionality by combining a 2 4 8 port KVM switch and an audio output por...

Page 21: ...crophones are not plugged into the TOE audio output interfaces OE NO_SPECIAL_ANALOG_CAPABILITIES from MOD_VI_V1 0 The operational environment will not have special analog data collection cards or peripherals such as analog to digital interface high performance audio interface or a component with digital signal processing or analog video capture functions OE NO_TEMPEST from PSD The operational envi...

Page 22: ...nd modules define the following extended SFRs and since they are not redefined in this ST the PSD and associated modules should be consulted for more information in regard to those CC extensions FDP_AFL_EXT 1 Audio Filtration FDP_APC_EXT 1 Active PSD Connections FDP_CDS_EXT 1 Connected Displays Supported FDP_FIL_EXT 1 KM Device Filtering Keyboard Mouse FDP_IPC_EXT 1 DP Internal Protocol Conversion...

Page 23: ...nt Class Requirement Component FAU Security Audit FAU_GEN 1 Audit Data Generation FDP User Data Protection FDP_AFL_EXT 1 Audio Filtration FDP_APC_EXT 1 AO Active PSD Connections Audio Output FDP_APC_EXT 1 KM Active PSD Connections Keyboard Mouse FDP_APC_EXT 1 VI Active PSD Connections Video Display FDP_CDS_EXT 1 Connected Displays Supported FDP_FIL_EXT 1 KM Device Filtering Keyboard Mouse FDP_PDC_...

Page 24: ...vation of Secure State FPT_NTA_EXT 1 No Access to TOE FPT_PHP 1 Passive Detection of Physical Attack FPT_PHP 3 Resistance to Physical Attack FPT_STM 1 Reliable Time Stamps FPT_TST 1 TSF Testing FPT_TST_EXT 1 TSF Testing FTA TOE Access FTA_CIN_EXT 1 Continuous Indications 5 2 1 Security Audit FAU 5 2 1 1 Audit Data Generation FAU_GEN 1 FAU_GEN 1 1 The TSF shall be able to generate an audit record o...

Page 25: ... 8 22 96 mV 19 43 0 14 15 mV 20 46 0 10 02 mV 30 71 4 0 53 mV 40 71 4 0 53 mV 50 71 4 0 53 mV 60 71 4 0 53 mV 5 2 2 2 Active PSD Connections Audio Output FDP_APC_EXT 1 AO FDP_APC_EXT 1 1 AO The TSF shall route user data only from the interfaces selected by the user FDP_APC_EXT 1 2 AO The TSF shall ensure that no data or electrical signals flow between connected computers whether the TOE is powered...

Page 26: ...a transits the TOE when the TOE is powered off FDP_APC_EXT 1 4 VI The TSF shall that no data transits the TOE when the TOE is in a failure state Application Note This SFR is originally defined in the Base PP but is refined and iterated to apply to the video interface per section 5 1 2 of the Video Display PP Module 5 2 2 5 Connected Displays Supported FDP_CDS_EXT 1 FDP_CDS_EXT 1 1 The TSF shall su...

Page 27: ...TSF shall allow connections with authorized devices presenting authorized interface protocols as defined in Appendix E of the AO Module and authorized devices presenting authorized interface protocols as defined in the PP Module for Keyboard Mouse Devices authorized devices presenting authorized interface protocols as defined in the PP Module for Video Display Devices upon TOE power up and upon co...

Page 28: ...n the PP Module for Audio Output Devices authorized devices presenting authorized interface protocols as defined in the PP Module for Keyboard Mouse Devices upon TOE power up and upon connection of a peripheral device to a powered on TOE 5 2 2 11 Authorized Connection Protocols Keyboard Mouse FDP_PDC_EXT 3 KM FDP_PDC_EXT 3 1 KM The TSF shall have interfaces for the USB keyboard USB mouse protocols...

Page 29: ...mouse peripheral devices are always switched together to the same connected computer 5 2 2 19 Unidirectional Data Flow Audio Output FDP_UDF_EXT 1 AO FDP_UDF_EXT 1 1 AO The TSF shall ensure analog audio output data transits the TOE unidirectionally from the TOE analog audio output computer interface to the TOE analog audio output peripheral interface 5 2 2 20 Unidirectional Data Flow Keyboard Mouse...

Page 30: ...The TSF shall maintain the roles administrators FMT_SMR 1 2 The TSF shall be able to associate users with roles 5 2 5 Protection of the TSF FPT 5 2 5 1 Failure with Preservation of Secure State FPT_FLS_EXT 1 FPT_FLS_EXT 1 1 The TSF shall preserve a secure state when the following types of failures occur failure of the power on self test and failure of the anti tamper function 5 2 5 2 No Access to ...

Page 31: ...grity of TSF 5 2 5 7 TSF Testing FPT_TST_EXT 1 FPT_TST_EXT 1 1 The TSF shall respond to a self test failure by providing users with a visual indication of failure and by shutdown of normal TSF functions 5 2 6 TOE Access FTA 5 2 6 1 Continuous Indications FTA_CIN_EXT 1 FTA_CIN_EXT 1 1 The TSF shall display a visible indication of the selected computers at all times when the TOE is powered FTA_CIN_E...

Page 32: ...e satisfied by DP Models which include the following GCS1412TAA4 GCS1414TAA4 GCS1418TAA4 GCS1422TAA4 GCS1424TAA4 and GCS1428TAA4 Table 9 TOE Security Functional Components DP Models Requirement Class Requirement Component FDP User Data Protection FDP_IPC_EXT 1 DP Internal Protocol Conversion FDP_PDC_EXT 3 VI DP Authorized Connection Protocols DP Models FDP_SPR_EXT 1 DP DP Sub Protocol Rules Displa...

Page 33: ...5 4 TOE Security Functional Requirements H Models The following table identifies the MOD_VI_V1 0 SFRs that are satisfied by H models which includes the following GCS1312TAA4 GCS1314TAA4 GCS1322TAA4 and GCS1324TAA4 Table 10 TOE Security Functional Components H Models Requirement Class Requirement Component FDP User Data Protection FDP_PDC_EXT 3 VI H Authorized Connection Protocols H Models FDP_SPR_...

Page 34: ...are satisfied by D models which includes the following GCS1212TAA4 GCS1214TAA4 GCS1218TAA4 GCS1222TAA4 GCS1224TAA4 and GCS1228TAA4 Table 11 TOE Security Functional Components D Models Requirement Class Requirement Component FDP User Data Protection FDP_PDC_EXT 3 VI D Authorized Connection Protocols D Models FDP_SPR_EXT 1 DVI I D Sub Protocol Rules DVI I Protocol D Models 5 5 1 User Data Protection...

Page 35: ...he TOE are included by reference from the PSD Table 12 Assurance Components Requirement Class Requirement Component Security Target ASE Conformance Claims ASE_CCL 1 Extended Components Definition ASE_ECD 1 ST Introduction ASE_INT 1 Security Objectives ASE_OBJ 2 Derived Security Requirements ASE_REQ 2 Security Problem Definition ASE_SPD 1 TOE Summary Specification ASE_TSS 1 Development ADV Basic Fu...

Page 36: ...in the text editor by entering the command LIST The event logs are divided into two types critical and non critical The Log Data Area displays the critical and non critical Log data Each logged event is recorded with Date Time a code that indicates the type of event and the outcome success or failure of the event The critical audit events recorded and identified in the code include administrator l...

Page 37: ...for details on TOE computer peripherals and connected computer port interfaces for each specific TOE model The TOE ensures that any previous information content of a resource is made unavailable upon the deallocation of the resource from the TOE computer interfaces immediately after a TOE switch to another selected computer and on start up of the TOE The Appendix A Letter of Volatility in Appendix...

Page 38: ...A4 each support two connected displays at a time 6 2 4 FDP_FIL_EXT 1 KM Device Filtering Keyboard Mouse FDP_PDC_EXT 3 KM Authorized Connection Protocols Keyboard Mouse The TOE supports authorized USB keyboard and mouse peripherals as defined in Table 13 Supported protocols by port below Keyboard mouse peripherals are filtered and emulated Device filtering for keyboard mouse interfaces is configura...

Page 39: ...mbedded in DisplayPort Video will be kept with HDMI video DVI Secure KVM Models do not have the ability to embed digital audio into digital video data transmission The TOE does not allow any other user data transmission to or from any other external entities including wireless devices The TOE only recognizes those peripherals with an authorized interface type as described below and all other perip...

Page 40: ...crocontroller Once the TOE is power cycled reset or port switching is detected the data in the console authorized keyboard mouse buffer will be deleted immediately and not processed for emulation Please refer to the Proprietary Isolation Document for more detail The TOE provides two functions to delete TOE stored configuration and settings After logging in authorized administrators can use the Res...

Page 41: ...ary channel AUX path blocks information flows other than the minimal set required to establish the video link Unauthorized DisplayPort transactions are prevented by disassembling the DisplayPort AUX channel transactions to block all unauthorized transactions The TOE video function filters the AUX channel by converting it to EDID only DisplayPort video is converted into HDMI video stream Monitor s ...

Page 42: ... read the connected display EDID information EDID from display to computer and HPD from display to computer are allowed for the HDMI interface The TOE blocks ARC CEC EDID from computer to display HDCP HEAC HEC and MCCS video display sub protocols The H Models satisfy the following SFRs FDP_PDC_EXT 3 VI H Authorized Connection Protocols Video Output H Model FDP_SPR_EXT 1 HDMI H Sub Protocol Rules H...

Page 43: ...in name parameter for the login function Customers are provided with a default password The administrator guide states that the administrator must change the password after the first successful logon The password is case sensitive and new passwords must contain at least 1 lower case letter at least 1 upper case letter at least 1 numeric character and at least 1 special character The supported spec...

Page 44: ...s to the TOE firmware software or its memory via its accessible ports is prevented No access is available to modify the TOE or its memory To mitigate the risk that a potential attacker will tamper with a TOE and then reprogram it with altered functionality the TOE software is contained in one time programmable read only memory permanently attached non socketed to a circuit assembly The TOE s opera...

Page 45: ...ut RPS connected will be permanently disabled and all the front panel LEDs except the Power LED will flash continuously A mechanical intrusion is detected by a pressure switch that trips when the enclosure is opened If a mechanical intrusion is detected by the RPS connected with the switch and aligned this will permanently disable both the RPS itself and the switch and all LEDs on RPS and the fron...

Page 46: ...ailure the TOE does not shut down The anti tampering self tests include the correct operation and tampering of the internal KVM and RPS batteries A KVM detecting tampering during normal operation will trigger the KVM inoperable A connected and aligned RPS detecting tampering including damaged or exhausted battery during normal operation will trigger the RPS inoperable and also directly trigger the...

Page 47: ...TOE by triggering a self test e g by powering on or rebooting the TOE and examining the front panel LEDs for self test failures as identified above The TOE performs self tests as described above to demonstrate the correct operation of active anti tamper functionality see also 6 5 3 FPT_PHP 6 6 TOE Access The TOE display a continuous visual indication of the computer to which the user is currently ...

Page 48: ...Security Target Version 1 1 2022 03 08 43 The TOE has a reset button that resets the switch to the default settings when pressed The switch is then powered up and behaves as described above ...

Page 49: ...ce As explained in Section 4 Security Objectives the Security Objectives of the PSD and modules have been included by reference in this ST The following table identifies all the Security Functional Requirements SFRs in this ST drawn from the PSD The only operations performed on the SFRs drawn from the PSD are assignment and selection operations Table 17 identifies the SFRs that are satisfied by th...

Page 50: ... MOD_VI_V1 0 FDP_SWI_EXT 1 PSD Switching PSD FDP_SWI_EXT 2 PSD Switching Methods PSD FDP_SWI_EXT 3 Tied Switching MOD_KM_V1 0 FDP_UDF_EXT 1 AO Unidirectional Data Flow Audio Output MOD_AO_V1 0 FDP_UDF_EXT 1 KM Unidirectional Data Flow Keyboard Mouse MOD_KM_V1 0 FDP_UDF_EXT 1 VI Unidirectional Data Flow Video Output MOD_VI_V1 0 FIA Identification and Authentication FIA_UAU 2 User Authentication Bef...

Page 51: ...fied by aspects of the corresponding security function The set of security functions work together to satisfy all of the security functions and assurance requirements Furthermore all of the security functions are necessary in order for the TSF to provide the required security functionality This Section in conjunction with Section 6 the TOE Summary Specification provides evidence that the security ...

Page 52: ...XT 3 VI H X FDP_PDC_EXT 3 VI D X FDP_PUD_EXT 1 X FDP_RIP 1 KM X FDP_RIP_EXT 1 X FDP_RIP_EXT 2 X FDP_SPR_EXT 1 DP DP X FDP_SPR_EXT 1 DVI I D X FDP_SPR_EXT 1 HDMI H X FDP_SWI_EXT 1 X FDP_SWI_EXT 2 X FDP_UDF_EXT 1 AO X FDP_UDF_EXT 1 KM X FDP_UDF_EXT 1 VI X FIA_UAU 2 X FIA_UID 2 X FMT_SMF 1 X FMT_SMR 1 X FPT_FLS_EXT 1 X FPT_NTA_EXT 1 X FPT_PHP 1 X FPT_PHP 3 X FPT_STM 1 X FPT_TST 1 X FPT_TST_EXT 1 X FT...

Page 53: ...data 2 Host Controller Device Emulators ATEN SICG8022A Embedded RAM 1 Undisclosed Volatile May contain user data 3 System EEPROM ATMEL AT24C512 EEPROM 2 512K bits Non volatile No user data 4 System Flash EON EN29LV040A Flash 3 512K Bytes Non volatile No user data 5 EDID Emulator ROHM BR24G02 3 EEPROM 4 256 Bytes Non volatile No user data 6 DP Video Controller Flash MXIC MX25L4006E Flash 5 4 Mbits ...

Page 54: ...ctory Default KVM reset reboot or power cycle 3 The Flash does not contain user data Firmware code is stored in the Flash and cannot be updated or rewritten The firmware code remains unchanged after a Reset to Factory Default KVM reset reboot or power cycle 4 The EDID ROM does not contain user data It is for PC Read EDID ROM The EDID data will be cleared after a KVM reset reboot or power cycle 5 D...