this post was submitted on 19 Mar 2026
15 points (100.0% liked)

Internet-exposed devices that give BIOS-level access? What could possibly go wrong?

[–] VonReposti@feddit.dk 2 points 2 days ago (1 children)

That's not sufficient. If you can access the device, then you can access the remotely managed server. Since it's remotely managed it must be an important server and the KVM can bypass traditional security measures since the KVM gives the same level of access as physical access. If you get through to the server, then isolating the KVM doesn't matter.

What I do is I treat physical access as inherently insecure as if anyone could drop by. Encryption keys still need to be presented and the only screen shown when there's no activity is a login screen. The KVM is treated like any other random access to the server, physical or SSH: You must identify yourself.

[–] rekabis@lemmy.ca 0 points 2 days ago (1 children)

You totally misunderstood the comment.

If all the KVM units were on an airgapped system, there is no way to reach those units other than physically sitting down at the C&C workstation that is meant to interface with them and display their output. Because that machine is also on the airgapped network, and is not reachable from the Internet.

It’s no different than a traditional KVM at that point, aside from that C&C machine being anywhere where Ethernet can reach (traditional KVM units being rather distance-constrained).

Now, if you need mobile/off-site access to this system, you put a second NIC into that C&C workstation. First one for the KVM network, the other for world+dog, and then you use a trusted remote-access system to access the C&C workstation, and block it off from anything else on that second Internet-accessible network as best as possible.

I mean, you want secure? Truly secure? Then disassemble all your computers, put each individual part into its own barrel of cement, and then drop each barrel into its own deep-oceanic abyssal trench. THAT is how you get true security.

For everything else, there are reasonable trade-offs that discourage all but nation-state players or people with wrenches.

[–] VonReposti@feddit.dk 1 points 2 days ago (1 children)

That just defeats the IP part of the KVM and in that case you'd better stick with a traditional KVM.

Your setup depends entirely on your threat model. In my case in a normal state everything on the network is locked. The KVM is never used for normal ops, only rebooting and entering a disk encryption key in case I'm remote and have a failure. The KVM can only be accessed through a VPN. That limits my threat exposure to be well below my threat model. If I was Edward Snowden this might not be enough, but last I checked I'm not hunted by any state actor, rogue or not, so making sure the KVM is not accessible from the internet is enough.

[–] rekabis@lemmy.ca 1 points 2 days ago (1 children)

That just defeats the IP part of the KVM and in that case you'd better stick with a traditional KVM.

Video cables and USB cables were never designed for a 20m run. Most have difficulties beyond a 2-5m distance.

My servers will be in my basement, at the other end of the house. My C&C machine will be in my office. The entire purpose of remote KVM is such that I don’t have to hoof it all the way down into the basement just to do something quick. Or go back-and-forth if there is something in my office I have to reference while doing the work.

In fact, I suspect that network KVM is exceedingly useful for anyone whose machines are more than five steps away. Even across the room makes a hell of a lot of sense.

[–] philpo@feddit.org 1 points 21 hours ago

...while laziness surely is an added bonus, you still do not understand the purpose of IP KVM/BMC for anyone beyond a lazy homenet enthusiast (which is fair enough, but don't criticise people for stuff then).

BMC/KVM is a must when it comes to professional deployments - for even a small DC or most professional settings anything else is unfeasible. And sadly in these settings at some point you will need some point of internet access (which in most cases a VPN will do fine unless you are customer facing). And no, your solution via jump host is not a good idea - it simply adds a single point of failure that causes a false sense of security (great, now you have only one device you need to get into and behind that it's open field). Besides, it's highly unfeasible for a multiuser environment.

Proper Zero Trust, proper firewalling/IDS/IDM, proper network segmentation AND proper device security are key.

Tbh, I am not surprised Gl.i was hit so hard here - they chucked out a LOT of new KVM devices recently that it was somewhat likely they had issues - which is a shame because some of their devices have some unique selling points. Meanwhile I am more surprised that nanoKVM came back with only one issue - their traffic patterns are a major headache still.