KVM-over-IP or classical KVM: what’s the better solution for my application?
IP-based KVM systems have been gaining in importance for years. Many control room applications also benefit greatly from the use of IP. Using existing cabling, switches and routers not only saves costs, but also provides operators and administrators with flexibility and ease of use. In Part One of these articles we learned that the most important difference between classical KVM and KVM-over-IP is the type of connection and transmission technology. In contrast to classical KVM, which uses dedicated cabling, KVM-over-IP is IP-based and transmitted via Gigabit Ethernet networks (layer 3 of the OSI model). Being able to use standard network components makes employing KVM-over-IP particularly interesting because existing IT installations can be scaled more easily, flexibly and cost-effectively. Existing structures can also be used depending on the demands of the application.
KVM-over-IP – An Overview
IP networks are becoming increasingly powerful. Broadcast centres designing their network infrastructure for 10Gbit, 40Gbit or even 100Gbit bandwidth are no longer an exception. This means that there is usually sufficient bandwidth to easily scale IT installations and implement them over IP. Broadcast producers and system administrators are familiar with IP and many of them already use IP structures for various applications from ingest to playout. Therefore, KVM-over-IP is a logical next step in the development of IT-supported structures in broadcasting.
As a pioneer in the KVM industry, G&D has solutions for both classical KVM and KVM-over-IP. The company offers KVM-over-IP extender systems for DP1.1, DP1.2, DVI and DL-DVI video signals. Due to predefined IP addresses, plug & play is supported for both console and computer modules. By using existing network infrastructures in a 1:1 connection, it couldn’t be easier to put the modules into operation. With the help of a control unit, the ControlCenter-IP, the extenders can be operated in matrix mode. With this powerful matrix system, signals can be distributed and shared as desired within the LAN infrastructure. Now users at every connected console can be provided with access to every remote computer.
While the routing of KVM-over-IP data packets is handled via standard network switches and routers, the ControlCenter-IP takes over the logic in the network. This also includes the basic administration including extensive user and rights management.
Transmission takes place compressed and IP-based with a data transmission rate of up to 1 Gbit/s per line via Gigabit Ethernet networks. For existing infrastructures with smaller bandwidths, several KVM devices can be bundled, depending on the application requirements. Here, the bandwidth per route can be reduced to approx. 300 to 500 Mbit/s. So even a network with limited uplinks based on 1 Gbit can be sufficient to operate small KVM installations over IP.
Another advantage of IP-supported structures is the duplex capability of IP networks. Here, the cabling can be used in both directions when transmitting KVM packets. This provides further flexibility, so that it is possible to save cabling in cross-building installations, for example.
KVM-over-IP At A Glance
- Easy to scale through use of standard network components (COTS)
- Standardized network technology by integrating KVM components into the existing infrastructure
- Powerful technology with high bandwidths
- Upgrade of backbones, e.g. to 40 Gbit/s, possible at any time
- Duplex-capable network in which both directions of cabling can be used for KVM (especially video), which brings flexibility and can possibly save cabling
- IT administrators are familiar with IP technology
- KVM channels/devices can be bundled, bandwidth can be limited
Special Security Requirements For KVM-over-IP
Especially with KVM-over-IP, the issue of security is essential. Access to a network from the outside via the internet or, even easier, from the inside poses a risk. Using the appropriate software or operating systems, it is definitely possible to scan the entire internal network for security holes. Usually, such an attack is targeted at the weakest link in the chain. One example is the so-called “man-in-the-middle” attack, in which the entire network traffic is routed through a third party. Therefore, separating and segmenting networks is an important tool to protect the actual application from cyber-attacks.
In KVM-over-IP systems, keyboard and mouse data as well as audio and video data must also be encrypted to prevent unauthorised users from tapping data transmissions and thus gaining access to internal information.
Especially for system-critical applications, the use of VPN, VLANs and secure encryption is necessary to avoid unauthorised access. Even more critical than the reading of broadcast content is the sniffing of input data, especially keystrokes (e.g. usernames and passwords). Here, secure encryption and the regular exchange of the security key at the shortest possible intervals, so that it cannot be recovered over time, are absolutely essential.
How G&D Handles This
For KVM-over-IP systems, the system uses two different ports to transmit highly critical data in an IP network. In each case, transmission takes place via a VPN tunnel connecting each end device (IP-CPU/IP-CON) to the ControlCenter-IP.
The first port that is established from all KVM end devices to the KVM matrix ControlCenter-IP (CC-IP) is the “control port”. Using a self-developed authentication plug-in, it negotiates the communication of the end devices with the ControlCenter-IP. This port is also used to exchange the respective security keys the ControlCenter-IP generates for each end device.
The second port is called the “communication port”. With KVM-over-IP from G&D, a separate port is used to transmit keyboard and mouse data from a CPU (computer connection module) via the ControlCenter-IP to the CON (console connection module). Of course, this process also takes place in the reverse direction for keyboard/mouse inputs at the operator’s end.
This solution separates keyboard and mouse data from the actual video data to counteract “man-in-the-middle” attacks. If the target IP address or the VPN tunnel is compromised, the KVM end devices as well as the matrix system switch to security mode and stop data transmission. Video data is transmitted from the computer module to the console module via UDP and multicast/unicast.
The AES-128-bit encryption (AES = Advanced Encryption Standard) incorporated into our systems has a key length of 128 bits, i.e. there are 2^128 (= 340,282,366,920,938,463,374,607,431,768,211,456) different keys. Trying out all the different keys with a supercomputer would take 1.02 × 10^18 years (as of 2021). The security keys are not static, but are replaced regularly and for every critical action.
Sensitive data such as usernames and passwords are stored permanently encrypted in the database of the ControlCenter-IP matrix system. This database is not only implemented in G&D’s operating system, but is also TPM protected and based on a hardware RAID. Possible firmware modifications can be detected at an early stage, leading to an interruption of the boot process. This prevents any attempts at manipulation, such as smuggling in a keyboard sniffer.
In order to make KVM-over-IP installations even more secure, we recommend the use of UID locking to determine which device pool generally belongs to the installation. This way, it is not possible to add or replace any (KVM) end devices. Optional USB2.0 data connections can also be disabled via intelligent user management at hardware level.
Another important aspect is the security of the device on the user side. KVM end devices do not store any information - therefore it’s not possible to read out a stolen device to obtain cached login data. Keyloggers do not have any chance of working on the keyboard and mouse interfaces of any of our devices.
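The mechanisms described in this section (a locked device pool, per-connection keys issued by the controller, AES-128 protection of keyboard and mouse frames with regular rekeying and a rekey before every critical action, and a security mode that halts transmission when a frame fails verification) can be modelled end to end in a few dozen lines. The following Go program is an added example written for this page; it is not G&D's firmware or protocol. The type and function names (Controller, PairKey, Link, RunSession), the device UIDs, the text frame format, the rekey interval of five frames, and the choice of AES-128-GCM with a 96-bit counter nonce are all assumptions of the example, and the two end devices are collapsed into one loopback Link so that it runs offline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

var ErrNotInPool, ErrSecureMode = errors.New("device UID not in locked pool"), errors.New("security mode: transmission halted")

// Controller stands in for the matrix controller on the control port: locked UID pool plus key issuance.
type Controller struct{ Pool map[string]bool }

// PairKey enforces UID locking, then issues a fresh 128-bit key for one CPU/CON connection (assumed model).
func (c *Controller) PairKey(cpuUID, conUID string) ([]byte, error) {
	if !c.Pool[cpuUID] || !c.Pool[conUID] {
		return nil, ErrNotInPool
	}
	key := make([]byte, 16)
	_, err := rand.Read(key)
	return key, err
}

// Link models the communication port. A frame travels as nonce || AES-128-GCM ciphertext || tag, the
// nonce being a per-key counter; a bad tag or a replayed counter halts the link for good (security mode).
type Link struct {
	aead         cipher.AEAD
	txCtr, rxCtr uint64 // frames sent / highest counter accepted
	halted       bool
}

// Rekey installs a new key (both ends receive the same one) and restarts the counters.
func (l *Link) Rekey(key []byte) error {
	block, err := aes.NewCipher(key)
	if err == nil {
		l.aead, err = cipher.NewGCM(block)
	}
	l.txCtr, l.rxCtr = 0, 0
	return err
}

// Seal wraps one keyboard/mouse frame; the 96-bit nonce carries the frame counter.
func (l *Link) Seal(frame []byte) []byte {
	l.txCtr++
	n := make([]byte, 12)
	binary.BigEndian.PutUint64(n[4:], l.txCtr)
	return l.aead.Seal(n, n, frame, nil)
}

// Open stays halted unless the frame is well-formed, authentic and newer than the last one.
func (l *Link) Open(wire []byte) ([]byte, error) {
	if l.halted || len(wire) < 12 {
		l.halted = true
		return nil, ErrSecureMode
	}
	l.halted = true // cleared only when every check below passes
	ctr := binary.BigEndian.Uint64(wire[4:12])
	pt, err := l.aead.Open(nil, wire[:12], wire[12:], nil)
	if err != nil || ctr <= l.rxCtr {
		return nil, ErrSecureMode // tampered frame or replay
	}
	l.rxCtr, l.halted = ctr, false
	return pt, nil
}

// SampleFrames are constructed keyboard/mouse events; a "login:" frame is a critical action.
var SampleFrames = bytes.Fields([]byte(
	"key:h key:e key:l key:l key:o key:enter mouse:+3,-1 login:producer key:p key:a key:s key:s"))

// RunSession relays frames over a loopback link, fetching a new key from the controller every
// rekeyEvery frames and before each critical action; it returns frames delivered and keys issued.
func RunSession(ctrl *Controller, cpuUID, conUID string, frames [][]byte, rekeyEvery int) (int, int, error) {
	link, delivered, keys, since := &Link{}, 0, 0, rekeyEvery // since == rekeyEvery forces the first key
	for _, f := range frames {
		if since >= rekeyEvery || bytes.HasPrefix(f, []byte("login:")) {
			key, err := ctrl.PairKey(cpuUID, conUID)
			if err != nil {
				return delivered, keys, err
			}
			link.Rekey(key) // cannot fail for a 16-byte key
			keys, since = keys+1, 0
		}
		if got, err := link.Open(link.Seal(f)); err != nil || !bytes.Equal(got, f) {
			return delivered, keys, errors.New("frame not delivered")
		}
		delivered, since = delivered+1, since+1
	}
	return delivered, keys, nil
}

func main() {
	ctrl := &Controller{Pool: map[string]bool{"CPU-0001": true, "CON-0001": true}} // constructed UIDs
	fmt.Println(RunSession(ctrl, "CPU-0001", "CON-0001", SampleFrames, 5))         // 12 3 <nil>
	fmt.Println(ctrl.PairKey("CPU-0001", "CON-9999"))                               // [] device UID not in locked pool
}
```

Running it delivers the twelve sample frames under three successive keys: the first key before any traffic, a second after five frames, and a third immediately before the "login:" frame. A console whose UID is not in the pool never receives a key, so it cannot be added to the installation. Because GCM authenticates every frame, a single modified bit in transit fails verification and the link stays halted for every later frame, genuine or not, which is the behaviour the text describes as security mode; a replayed frame is refused for the same reason, since its counter does not advance. In a real deployment the two ends are separate devices and the key would be distributed over the authenticated control channel rather than shared in memory.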
Supporting Smart Working And Remote Access
KVM-over-IP provides an optimal basis for flexible, distributed switching of computer signals and facilitates the spatial separation between users and servers. Particularly with regard to pandemic aspects, KVM-over-IP allows users to be even further separated from each other by enabling them to work in other premises, while still giving them full access to all the systems they need. Thus, producers can access their remote computers via KVM technology and work in real time and at full performance.
The obvious question now is how team members are able to remotely access a KVM-over-IP system and the underlying computing landscape from home.
Our solution for this issue is called RemoteAccess-GATE. The stand-alone device links the KVM system to the network world, providing remote access to the IT infrastructure connected to the KVM system via LAN, WAN and the Internet. RemoteAccess-GATE supports working remotely from home offices in the most efficient way and also improves collaboration within teams.
Of course, the device meets the highest security requirements. Security features include AES encryption, LDAP, Active Directory and RADIUS directory server integration, user and group privileges, IP access control, login limitations, KVM session encryption, SSL certificates, configurable security banner, monitoring protocol, SNMP/Syslog event logging and notifications as well as secure passwords.
Jochen Bauer, Head of Sales & Marketing at Guntermann & Drunck.
KVM-over-IP offers many opportunities to organise work and workflows in a resource-saving and cost-efficient way. The technology enables flexible, reliable and highly secure infrastructures by creating user-friendly systems that are intuitive to use and easily scalable as needed.
But does this mean that classical KVM systems will become less important? Not at all! Classical KVM has its advantages – it’s still a great choice for many projects, but depending on the application, it may be worth comparing classical KVM systems with KVM-over-IP. It is not possible to generally recommend one or the other system, since each project is based on individual requirements and framework conditions. In addition to the parameters dictated by the given infrastructure or objective, subjective factors also play a major role.
With many years of project experience, G&D’s KVM experts are happy to assist their customers in planning and implementing their projects.