Belkin USB KVM

Belkin OmniView Secure DVIDual-Link KVM SwitchModels: F1DN102D, F1DN104DSecurity TargetEAL 4 augmented ALC FLR.3Release Date:January 29, 2009Document ID:07-1602-R-0109Version:1.1Prepared By:InfoGard Laboratories, Inc.Prepared For:Belkin Corporation501 West Walnut StreetCompton, CA 90220

Belkin OmniView Secure DVI Dual-Link KVM Security TargetTable of ContentsDOCUMENT HISTORY . 41INTRODUCTION . 51.1IDENTIFICATION . 51.2OVERVIEW . 51.3DOCUMENT ORGANIZATION . 71.4DOCUMENT CONVENTIONS . 81.5DOCUMENT TERMINOLOGY . 81.5.1ST Specific Terminology . 81.5.2Acronyms . 91.6COMMON CRITERIA PRODUCT TYPE . 101.7TOE ARCHITECTURE OVERVIEW . 101.8ARCHITECTURE DESCRIPTION . 101.8.1Front Panel Subsystem . 111.8.2Control Subsystem . 111.8.3Switch Subsystem . 111.9PHYSICAL BOUNDARIES . 121.9.1Hardware Components . 131.9.2Software Components . 141.9.3Guidance Documents . 141.10LOGICAL BOUNDARIES . 141.10.1Data Separation . 151.10.2Switch Management . 151.11ITEMS EXCLUDED FROM THE TOE . 152CONFORMANCE CLAIMS . 162.12.23SECURITY PROBLEM DEFINITION . 173.13.23.34SECURE USAGE ASSUMPTIONS . 17THREATS . 17ORGANIZATIONAL SECURITY POLICIES . 18SECURITY OBJECTIVES . 194.14.24.34.44.54.65CONFORMANCE CLAIMS: COMMON CRITERIA . 16PROTECTION PROFILE REFERENCE . 16SECURITY OBJECTIVES FOR THE TOE. 19SECURITY OBJECTIVES FOR THE OPERATIONAL ENVIRONMENT . 20MAPPING OF SECURITY ENVIRONMENT TO SECURITY OBJECTIVES . 21SECURITY OBJECTIVES RATIONALE . 22SECURITY OBJECTIVES RATIONALE FOR THE OPERATIONAL ENVIRONMENT . 24RATIONALE FOR ORGANIZATIONAL POLICY COVERAGE . 24EXTENDED COMPONENTS DEFINITION . 255.1TOE EXTENDED FUNCTIONAL REQUIREMENTS . 255.2EXTENDED REQUIREMENTS (EXT). 255.2.1EXT VIR.1 Visual indication rule . 255.3RATIONALE FOR EXPLICITLY STATED SECURITY REQUIREMENTS . 25 2007, 2008 Belkin 2

Belkin OmniView Secure DVI Dual-Link KVM Security Target6SECURITY REQUIREMENTS . OE SECURITY FUNCTIONAL REQUIREMENTS . 27User Data Protection (FDP) . 27Security Management (FMT) . 28Protection of the TSF (FPT) . 29RATIONALE FOR TOE SECURITY REQUIREMENTS . 30TOE Security Functional Requirements Tracing & Rationale . 30RATIONALE FOR IT SECURITY REQUIREMENT DEPENDENCIES . 32DEPENDENCIES NOT MET. 33SECURITY ASSURANCE MEASURES . 33RATIONALE FOR SECURITY ASSURANCE . 35TOE Security Assurance Requirements selection criteria . 35RATIONALE FOR TOE SECURITY FUNCTIONS . 35TOE SUMMARY SPECIFICATION . 377.1TOE SECURITY FUNCTIONS . 377.1.1Data Separation . 377.1.2Switch Management . 38List of TablesTable 1: Hardware Components . 13Table 2: Software Components . 14Table 3: TOE Security Objectives . 20Table 4: Operational Environment Security Objectives . 20Table 5: Threats & IT Security Objectives Mappings . 22Table 6: Extended SFR Components . 25Table 7: Explicitly Stated SFR Rationale . 26Table 8: Functional Requirements . 27Table 9: SFR and Security Objectives Mapping. 30Table 10: SFR Dependencies . 33Table 12: Security Assurance Measures . 34Table 14: TOE Security Function to SFR Mapping . 36 2007, 2008 Belkin 3

Belkin OmniView Secure DVI Dual-Link KVM Security TargetList of FiguresFigure 1: TOE Architecture Overview . 10Figure 2: Belkin OmniView Secure DVI KVM internal architecture . 11Figure 3: TOE Physical Boundaries . 12Document HistoryDocument DateVersionAuthorComments1.1Mike McAlisterUpdated based on FVOR verdicts01/29/09 2007, 2008 Belkin 4

Belkin OmniView Secure DVI Dual-Link KVM Security Target1 IntroductionThis section identifies the Security Target (ST), Target of Evaluation (TOE), conformanceclaims, ST organization, document conventions, and terminology. It also includes an overviewof the evaluated product.1.1 IdentificationTOE Identification:Belkin OmniView Secure DVI Dual-Link 2-port KVM SwitchPart Number F1DN102D or Belkin OmniView Secure DVI Dual-Link 4-port KVM SwitchPart Number F1DN104DST Identification:Belkin OmniView Secure DVI Dual-Link KVM Switch Models:F1DN102D, F1DN104D Security TargetST Version:1.1ST Publish Date:January 29, 2009ST Author:M McAlister, InfoGardPP Identification:Validated Protection Profile - Peripheral Sharing Switch for HumanInterface Devices Protection Profile, Version 1.2, 21 August 20081.2 OverviewThe TOE is a Belkin OmniView Secure DVI Dual-Link KVM Switch available in 2 or 4port versions. The Switch allows the sharing of a single keyboard, audio devices (ie: speakers,microphone), video monitor and mouse pointing device among host computers. These devicescomprise the shared Peripheral Port Group. These peripherals may be switched betweenconnected computers solely upon activation of a manual switch on the front of the unit. Thedesign of the unit precludes the connection of peripherals to more than 1 host computer at onceand does not allow host computers to communicate with each other through the unit. In addition, 2007, 2008 Belkin 5

Belkin OmniView Secure DVI Dual-Link KVM Security Targetthe TOE does not store user data in any form and ensures that no data transfers from onecomputer to an adjacent computer during the switching process, including computer state data.The dedicated manual switches on the front panel include LED “switched state” indicators foreach channel and assure that the current channel selection is unambiguously indicated to theuser. The TOE during initialization polls the connected peripherals for “plug and play” settingsand stores this data internal to the KVM switch, to assure the host computer can quickly accessthe needed configuration data when connected. In addition, an on-board keyboard/mouseemulator assures that connected host computers boot uninterrupted regardless of active switchedstatus.The TOE consists of both hardware and firmware in a single component assembly. Thefirmware contained in the device is non-volatile and cannot be modified to assure secureoperation and is identical for 2 or 4 port versions of the TOE.This Security Target and the TOE conforms to the Peripheral Sharing Switch (PSS) for HumanInterface Devices Protection Profile Version 1.2, 21 August 2008. The TOE supports thefollowing Security Function Policy to assure data is effectively isolated through the device:Data Separation Security Function Policy (SFP):The TOE shall allow PERIPHERAL DATA and STATE INFORMATION to betransferred only between switched PERIPHERAL PORT GROUPS with the same ID. 2007, 2008 Belkin 6

Belkin OmniView Secure DVI Dual-Link KVM Security Target1.3 Document OrganizationSecurity Target Introduction (Section 1)Provides identification of the TOE and ST, an overview of the TOE, an overview of thecontent of the ST, document conventions, and relevant terminology. The introduction alsoprovides a description of the TOE security functions as well as the physical and logicalboundaries for the TOE, the hardware and software that make up the TOE, and thephysical and logical boundaries of the TOE.Conformance Claims (Section 2)Provides applicable Common Criteria (CC) conformance claims, Product Profile (PP)conformance claims and Assurance Package conformance claims.Security Problem Definition (Section 3)Describes the threats, organizational security policies, and assumptions pertaining to theTOE and the TOE environment.Security Objectives (Section 4)Identifies the security objectives for the TOE and its supporting environment as well as arationale that objectives are sufficient to counter the threats identified for the TOE.Extended Components Definition (Section 5)Presents components needed for the ST but not present in Part II or Part III of the CommonCriteria Standard.Security Requirements (Section 6)Presents the Security Functional Requirements (SFRs) met by the TOE and the securityfunctional requirements rationale. In addition this section presents Security AssuranceRequirements (SARs) met by the TOE as well as the assurance requirements rationale.Provides pointers to all other rationale sections, to include the rationale for the selection ofIT security objectives, requirements, and the TOE summary specifications as to theirconsistency, completeness, and suitabilitySummary Specification (Section 7)Describes the security functions provided by the TOE that satisfy the security functionalrequirements, provides the rationale for the security functions. It also describes thesecurity assurance measures for the TOE as well as the rationales for the assurancemeasures. 2007, 2008 Belkin 7

Belkin OmniView Secure DVI Dual-Link KVM Security Target1.4 Document ConventionsThe CC defines four operations on security functional requirements. The conventions belowdefine the conventions used in this ST to identify these operations. When NIAP interpretationsare included in requirements, the additions from the interpretations are displayed as refinements.Assignment:indicated with bold textSelection:indicated with underlined textRefinement:additions indicated with bold text and italicsdeletions indicated with strike-through bold text and italicsIteration:indicated with typical CC requirement naming followed by a lower case letterfor each iteration (e.g., FMT MSA.1a)Extended:indicated as per the applicable PP (e.g. EXT VIR.1)The explicitly stated requirements claimed in this ST are denoted by the “EXT” extension in theunique short name for the explicit security requirement.1.5 Document TerminologyPlease refer to CC Part 1 Section 4 for definitions of commonly used CC terms.1.5.1ST Specific TerminologyKeep-Alive FeatureThis feature of the Belkin Secure DVI KVM switch stores datawithin the hubs in the device to provide keyboard/mouse emulationto the connected computers to assure boot up processes are notinterrupted if a computer is not switched to the shared peripheralport group.KVM SwitchKeyboard, Video, Mouse - A KVM (keyboard, video, mouse)switch allows a single keyboard, video monitor and mouse to beswitched to any of a number of computers when typically a singleperson interacts with all the computers but only one at a time.Peripheral DataRefers to data entered via a member of the shared peripheral portgroup i.e.: data entered by the mouse or keyboard and displayedthrough the monitor.Shared Peripheral port group A collection of device ports for peripherals shared among HostComputers via the TOE and treated as a single entity by the TOE. 2007, 2008 Belkin 8

Belkin OmniView Secure DVI Dual-Link KVM Security TargetPlug and PlayA standardized interface for the automatic recognition andinstallation of interface cards and devices on a PC.Switched ComputersRefers to the computers connected to the TOE and connected tothe shared Peripheral port group upon the switching function of theTOE. aka Switched Peripheral Port GroupState InformationThe current or last known status or condition, of a process,transaction, or setting. “Maintaining state” means keeping track ofsuch data over time.UserThe human operator of the SEISSOITKVMLCDLEDMACPPPSSSFPSTTOETSCTSFTSPVDT 2007, 2008 Belkin Common Criteria Implementation BoardCommon Criteria Interpretations Management BoardConfiguration ManagementDigital Video InterfaceEvaluation Assurance LevelElectrically Erasable Programmable Read-Only MemoryFederal Communications CommissionIdentificationInternational Standards OrganizationInformation Systems Security Engineer[ing]Information Systems Security OrganizationInformation TechnologyKeyboard-Video-MouseLiquid Crystal DisplayLight-Emitting DiodeMandatory Access ControlProtection ProfilePeripheral Sharing SwitchSecurity Function PolicySecurity TargetTarget of EvaluationTSF Scope of ControlTOE Security FunctionsTOE Security PolicyVideo Display Terminal9

Belkin OmniView Secure DVI Dual-Link KVM Security Target1.6 Common Criteria Product typeThe TOE is a KVM switch device classified as a “Peripheral Sharing Switch” for CommonCriteria. The TOE includes both hardware and firmware components.1.7 TOE Architecture OverviewFigure 1: TOE Architecture Overview1.8 Architecture DescriptionThe TOE is made up of hardware components and a firmware component integrated into a singleelectronic component chassis. 2007, 2008 Belkin 10