NSA: Peripheral Sharing Switch PP
This Protection Profile (PP) defines security criteria for a "Peripheral Sharing Switch" (PSS), also called simply "SWITCH" or the Target of Evaluation (TOE), which permits a single set of HUMAN INTERFACE DEVICES to be shared among two or more COMPUTERS.
The TOE is normally installed in settings where a single USER with limited work surface space needs to access two or more COMPUTERS, collectively termed SWITCHED COMPUTERS (which need not be physically distinct entities). The USER may have a KEYBOARD, a visual display (e.g., MONITOR), a POINTING DEVICE (e.g., mouse), and/or alternative INPUT/OUTPUT DEVICES to interact with the COMPUTER(S). These are collectively referred to as the SHARED PERIPHERALS.
In operation, the TOE will be CONNECTED to only one COMPUTER at a time. To use a different COMPUTER, the USER must perform some specific action (e.g., push a button, turn a knob, etc.). The TOE will then visually indicate which COMPUTER was selected by the USER. Such indication is persistent and not transitory in nature.
The TOE must not have, and in fact must specifically preclude, any features that permit USER information to be shared or transferred between COMPUTERS via the TOE.
A PERIPHERAL PORT GROUP is a collection of DEVICE PORTS treated as a single entity by the TOE. There is one GROUP for the set of SHARED PERIPHERALS and one GROUP for each CONNECTED SWITCHED COMPUTER. Each SWITCHED COMPUTER GROUP has some unique associated logical ID. The SHARED PERIPHERAL GROUP ID is considered to be the same as that of the SWITCHED COMPUTER GROUP currently selected by the TOE.
Data Separation Security Function Policy (SFP):
The TOE shall allow PERIPHERAL DATA and STATE INFORMATION to be transferred only between PERIPHERAL PORT GROUPS with the same ID.
The TOE itself is not concerned with the USER'S information flowing between the SHARED PERIPHERALS and the SWITCHED COMPUTERS. It only provides a CONNECTION between the HUMAN INTERFACE DEVICES and a selected COMPUTER at any given instant.
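The PERIPHERAL PORT GROUP ID rule and the Data Separation SFP above can be modelled and checked exhaustively. The following is an added example, not text or code from the PP; the class, function and label names are hypothetical, and computer IDs are constructed sample values.

```python
from itertools import permutations

# Constructed label for the SHARED PERIPHERAL GROUP (an assumption of this model).
SHARED = "SHARED_PERIPHERALS"

class SwitchModel:
    """Hypothetical model of the PP's port group ID rule, not a product API."""

    def __init__(self, computer_ids):
        ids = list(computer_ids)
        # The PP requires two or more COMPUTERS, each group with a unique ID.
        if len(ids) < 2 or len(set(ids)) != len(ids) or SHARED in ids:
            raise ValueError("need two or more computers with unique IDs")
        self.computer_ids = ids
        self.selected = ids[0]  # connected to only one COMPUTER at a time

    def select(self, computer_id):
        """The specific USER action (button, knob) that changes the selection."""
        if computer_id not in self.computer_ids:
            raise ValueError("unknown computer: %r" % (computer_id,))
        self.selected = computer_id

    def group_id(self, group):
        # The shared group takes the ID of the currently selected computer group.
        if group == SHARED:
            return self.selected
        if group not in self.computer_ids:
            raise ValueError("unknown port group: %r" % (group,))
        return group

    def flow_permitted(self, src, dst):
        """Data Separation SFP: transfer only between groups with the same ID."""
        return self.group_id(src) == self.group_id(dst)

    def permitted_flows(self):
        groups = [SHARED] + self.computer_ids
        return {(s, d) for s, d in permutations(groups, 2)
                if self.flow_permitted(s, d)}

def check_separation(computer_ids):
    """Visit every selection in turn (as a scanning SWITCH would) and return
    each selection whose permitted flows go beyond shared <-> selected."""
    switch = SwitchModel(computer_ids)
    violations = []
    for cid in switch.computer_ids:
        switch.select(cid)
        if switch.permitted_flows() != {(SHARED, cid), (cid, SHARED)}:
            violations.append((cid, switch.permitted_flows()))
    return violations
```

An empty result from `check_separation` means that, for every selection, the only permitted transfers are between the SHARED PERIPHERALS and the selected COMPUTER, so no COMPUTER-to-COMPUTER flow exists in the model.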
SWITCHES of this type may differ significantly from the familiar "A/B" printer or serial port SWITCHES, where no constraints are placed on connections between devices. Some SWITCHES may provide enhanced features such as scanning (where the SWITCH continually switches between the COMPUTERS until the USER performs an action to halt the switching), or video protocol conversion (e.g., Macintosh, Sun, PC, etc.) in mixed COMPUTER environments. These enhancements must be examined to ensure that information is not shared or transferred between COMPUTERS.