Secure KVM Isolators
Isolator models addressed in this page:
- FI11D-M – Secure 1-Port DVI-I KVM Isolator
- FI11H-M – Secure 1-Port HDMI KVM Isolator
- FI11PH-M – Secure 1-Port DisplayPort/HDMI KVM Isolator
It is possible to use the Isolators together with the following accessories:
- RK-4U-HKS-10 – RackMount KIT 4U – The RK-4U-HKS-10 enables mounting up to 10 Isolators in a 19″ 4U rack space.
- Power Distribution Unit for Isolators – PDUI – Enables connecting multiple Isolators (and other HSL 12V-powered devices) to computers in a rack without additional external power supply outlets.
The secure isolator prevents vulnerable peripherals from mediating between compromised and secure computers by ensuring that video, audio and USB data flow in a single direction.
By preventing direct host-to-peripheral access, the secure isolator eliminates data leakage.
The secure isolator is designed to provide the highest possible computer and peripheral isolation, as demanded by government agencies, military, financial institutions and similar security-sensitive customers.
The isolator suits scenarios where vulnerable peripherals or computers may pose a security threat. For example, in a secure meeting room, an unsupervised (non-secure) guest laptop may have to be connected to a projector that is shared with a classified computer. By isolating the classified computer from the projector, the secure isolator protects the classified computer from being infected by a guest computer that exploits a vulnerability in the projector.
To prevent bi-directional communication via the EDID channel, numerous mechanisms were set forth to protect EDID transactions:
- EDID is read from the display only when the user presses the EDID capture button. This prevents continuous EDID transfer between the display and the source.
- EDID information is parsed to ensure that only legitimate information is passed between the display and the source. The Isolator acts as a buffer that protects against malicious data being transferred through the EDID channel.
- EDID information is limited to the basic essentials. Instead of passing the full EDID and MCCS, HSL’s Isolators limit the EDID to the minimum required, in order to restrict the EDID data passed.
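The parse-and-minimise idea in the list above, shown as an added Python example; it is not HSL's firmware or code from this page. The keep/drop policy (base block only, numeric serial zeroed, only monitor-name and range-limit descriptors retained), the names `sanitize_edid` and `EdidRejected`, and the sample EDID are assumptions constructed for illustration.

```python
EDID_HEADER = bytes.fromhex("00ffffffffffff00")
BLOCK = 128
DUMMY = bytes([0, 0, 0, 0x10, 0]) + bytes(13)   # "dummy" display descriptor
ALLOWED_TAGS = {0xFC, 0xFD, 0x10}  # assumed policy: name, range limits, dummy

class EdidRejected(ValueError):
    """Raised when the display's EDID fails validation and must not be forwarded."""

def sanitize_edid(raw: bytes) -> bytes:
    """Validate a captured EDID and return a minimal 128-byte base block."""
    if len(raw) < BLOCK or len(raw) % BLOCK:
        raise EdidRejected("length is not a multiple of 128 bytes")
    base = bytearray(raw[:BLOCK])
    if base[:8] != EDID_HEADER:
        raise EdidRejected("bad header")
    if sum(base) % 256:
        raise EdidRejected("bad base-block checksum")
    if base[18] != 1:
        raise EdidRejected("unsupported EDID version")
    base[12:16] = bytes(4)                  # drop the numeric serial number
    for off in range(54, 126, 18):          # four 18-byte descriptors
        desc = base[off:off + 18]
        is_timing = desc[0] or desc[1]      # non-zero pixel clock = detailed timing
        if not is_timing and desc[3] not in ALLOWED_TAGS:
            base[off:off + 18] = DUMMY      # e.g. serial string, free text, vendor data
    base[126] = 0                           # advertise no extension blocks
    base[127] = (-sum(base[:127])) % 256    # recompute checksum over the edited block
    return bytes(base)

def build_sample_edid() -> bytes:
    """Constructed sample: base block plus one extension block (not a real display)."""
    b = bytearray(BLOCK)
    b[:8] = EDID_HEADER
    b[12:16] = bytes.fromhex("78563412")                 # serial number
    b[18], b[19] = 1, 3                                  # EDID 1.3
    b[54:56] = bytes.fromhex("023a")                     # detailed timing (clock only)
    b[72:90] = bytes([0, 0, 0, 0xFF, 0]) + b"SN12345678\n  "
    b[90:108] = bytes([0, 0, 0, 0xFC, 0]) + b"Demo Display\n"
    b[108:126] = bytes([0, 0, 0, 0xFD, 0]) + bytes(13)
    b[126] = 1                                           # one extension follows
    b[127] = (-sum(b[:127])) % 256
    ext = bytearray(BLOCK)
    ext[0] = 0x02                                        # CEA-861 extension tag
    ext[127] = (-sum(ext[:127])) % 256
    return bytes(b + ext)

if __name__ == "__main__":
    clean = sanitize_edid(build_sample_edid())
    print(len(clean), clean[126], clean[90:108])
```

A filter of this kind fails closed: an EDID that does not validate is rejected outright and nothing is forwarded to the source.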
Additionally, by allowing sound to travel in only one direction, from the PC to the speaker, the isolator protects against eavesdropping attempts, preventing intruders from compromising a computer’s security and re-tasking the audio line-in (headset/speaker) into a microphone line. The embedded digital audio via HDMI/DP is also protected due to unidirectional video transfer.
How does it work?
- Connect the computer’s USB keyboard & mouse and display ports to the Isolator.
- Connect the isolator to the keyboard, mouse, display and audio peripherals.
- Computer and peripherals are fully isolated from each other.
- User can securely use the peripherals.
Running an EDID Capture
Before using the isolator, run a one-time EDID capture. This prevents the continuous transfer of potentially malicious data – from the display to the PC – that could infect the PC, cause data leakage, and so on.
- Connect the PC and all peripherals to the unit, according to the diagram.
- Make sure the PC, display, and unit are ON.
To run an EDID capture:
- Short-click the EDID LOCK button – for less than one second.
At first, the EDID LED flickers for a few seconds and then lights continuously. If the EDID LED is OFF, repeat the procedure.
Warning: Long-clicking the EDID LOCK button sends the unit into an undesired loop. If this happens, restart the unit and repeat the procedure.
- Restart the unit.
Note: The procedure needs to be performed for new installations and when changing a display.
- Protect against leakage and malicious attacks through USB, keyboard, mouse, video and audio peripherals.
- Prevent compromised peripherals from infecting computers:
Isolate computers in meeting/control rooms from vulnerable peripherals that are shared between multiple computers.
- Avoid continuous transfer of potentially malicious EDID data from the display to the PC, using the one-time Capture button.
- Help secure matrix environments:
Protect classified computers in matrix-environments from shared-peripheral-threats originating from guest laptops or internet-access computers that connect to the same matrix. Securely join a low-security source to a matrix by connecting it through an isolator which assures that the matrix security is not compromised.
- Work freely without compromising security:
Display and control classified and non-classified computers without compromising security.
- Protect against unauthorized peripheral device threats:
Threats imposed by peripheral devices that should not be connected to a specific peripheral port (e.g., a USB mass storage device mistakenly connected to the keyboard port).
- Protect against authorized but untrusted peripheral device threats:
Threats imposed by legitimate and authorized peripheral devices (such as a standard computer display) that may be vulnerable to malicious attacks and cause data leakage when shared between sources.
- Small form factor: weighing as little as 0.6 lbs. and with a width of 5.8 inches, it occupies minimal desktop space.
- Low cost: attractively priced without compromising the product’s high quality and security.