Information Assurance - KVM Switch (Port Separation) on CYBEX/Avocent 4 or 8 port

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-245782	IA-10.02.02	SV-245782r865849_rule		Medium

Description
The back plate of some 4 or 8 port CYBEX/AVOCENT KVM devices provides a physical connection between adjacent ports. Therefore failure to provide for physical port separation between SIPRNet (classified devices) and NIPRNet (unclassified devices) when using CYBEX/AVOCENT KVM devices can result in the loss or compromise of classified information. REFERENCES: NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: SC-3 and SC-4 DISN Connection Process Guide: http://disa.mil/network-services/enterprise-connections/connection-process-guide NIAP Products Compliance List (PCL): https://www.niap-ccevs.org/index.cfm

Description

The back plate of some 4 or 8 port CYBEX/AVOCENT KVM devices provides a physical connection between adjacent ports. Therefore failure to provide for physical port separation between SIPRNet (classified devices) and NIPRNet (unclassified devices) when using CYBEX/AVOCENT KVM devices can result in the loss or compromise of classified information. REFERENCES: NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: SC-3 and SC-4 DISN Connection Process Guide: http://disa.mil/network-services/enterprise-connections/connection-process-guide NIAP Products Compliance List (PCL): https://www.niap-ccevs.org/index.cfm

STIG	Date
Traditional Security Checklist	2022-09-22

Details

Check Text ( C-49213r865847_chk )
Validate the correct configuration of CYBEX/Avocent 4 or 8 port KVMs IAW NIAP/APL guidance. This includes physical port separation between SIPRNet and NIPRNet (high & low) connections. Because of the internal physical configuration of the CYBEX boxes, only like classification levels may be connected to adjacent ports. TACTICAL ENVIRONMENT: The check is applicable where KVM devices are in use.

Fix Text (F-49168r865848_fix)
1. Validate the correct configuration of CYBEX/Avocent 4 or 8 port KVMs used for switching devices between the SIPRNet and NIPRNet (or any switching between SIPRNet and any other unclassified network devices) must be correctly configured IAW NIAP/APL guidance. 2. Correct configuration must include physical port separation between SIPRNet and NIPRNet (high & low) (or any switching between SIPRNet and any other unclassified network devices) connections. 3. Because of the internal physical configuration of the CYBEX/Avocent box backplates, only like classification levels may be connected to adjacent ports.

Fix Text (F-49168r865848_fix)

1. Validate the correct configuration of CYBEX/Avocent 4 or 8 port KVMs used for switching devices between the SIPRNet and NIPRNet (or any switching between SIPRNet and any other unclassified network devices) must be correctly configured IAW NIAP/APL guidance.

2. Correct configuration must include physical port separation between SIPRNet and NIPRNet (high & low) (or any switching between SIPRNet and any other unclassified network devices) connections.

3. Because of the internal physical configuration of the CYBEX/Avocent box backplates, only like classification levels may be connected to adjacent ports.