Secure KVM Isolators

System Diagram

Isolator models addressed in this page:

• FI11D-M - Secure 1-Port DVI-I KVM Isolator
• FI11H-M - Secure 1-Port HDMI KVM Isolator
• FI11PH-M - Secure 1-Port DisplayPort/HDMI KVM Isolator

Accessories:

It is possible to use the Isolators together with the following accessories:

• RK-4U-HKS-10 - RackMount KIT 4U - The RK−4U−HKS−10 enables mounting up to 10 Isolators in a 19" 4U rack space.
• Power Distribution Unit for Isolators - PDUI - Enables connecting multiple Isolators (and other HSL 12V-powered devices) to computers in a rack without additional external power supply outlets.

-------------------------------------------------------------------------------

The secure isolator prevents vulnerable peripherals from mediating between compromised and secure computers by ensuring that video, audio and USB data flows in a single direction.

By preventing host-to-peripheral direct access the secure isolator eliminates data leakage.

The secure isolator is designed to provide the highest possible computer & peripheral isolation as demanded by government agencies, military, financial institutions and similar security sensitive customers.

The isolator perfectly suites scenarios where vulnerable peripherals or computers may impose a security threat. For example, in a secure meeting room, when an unsupervised (non-secure) guest laptop has to be connected to a projector which is shared with a classified computer. By isolating the classified computer from the projector the secure isolator protects the classified computer from being infected by the guest computer compromising any projector’s vulnerability.

To prevent bi-directional communication via the EDID channel, numerous mechanisms were set forth to protect EDID transactions:

• EDID is read from the display only once the user presses the EDID capture button. This is to prevent continuous EDID transformation between the display and the source.
• EDID information is parsed to assure that only legitimate information is passed between the display and the source. The Isolator is used as a buffer to protect transferring malicious through the EDID channel.
• EDID information is limited to the basic essentials. Instead of passing the full EDID and MCCS, HSL’s Isolators limit the EDID to the minimum required, in order to restrict the EDID data passed.

Additionally, by allowing sound to travel only in one direction from the PC to the speaker, the isolator protects against eavesdropping attempts hence prevent intruders from compromising a computer's security and re-tasking the audio line-in (headset/speaker) into a microphone line. The embedded digital audio via HDMI/DP is also protected due to unidirectional video transfer.

How does it work?

• Connect the computer's USB keyboard & mouse and display ports to the Isolator.
• Connect the isolator to the keyboard, mouse, display and audio peripherals.
• Computer and peripherals are fully isolated from each other.
• User can securely use the peripherals.

Running an EDID Capture

Before using the isolator, run a one-time EDID capture. This prevents the continuous transfer of potentially malicious data – from the display to the PC – that could infect the PC, cause data leakage, and so on.

Preparation:

• Connect the PC and all peripherals to the unit, according to the diagram.
• Make sure the PC, display, and unit are ON.

To run an EDID capture:

1. Short-click the EDID LOCK button – for less than one second.
   At first, the EDID LED flickers for a few seconds and then lights continuously. If the EDID LED is OFF, repeat the procedure.
   
   Warning: Long-clicking the EDID LOCK button sends the unit into an undesired loop. If this happens, restart the unit and repeat the procedure.
   
   
2. Restart the unit.

Note: The procedure needs to be performed for new installations and when changing a display.