Sheep dip (computing)
They were originally deployed in response to the problem of boot sector viruses on floppy discs. Subsequently their scope has been expanded to include USB flash drives, portable hard discs, memory cards, CD-ROMs and other removable devices, all of which can potentially carry malware.
Typical sheep dip system
A sheep dip is normally a stand-alone computer, not connected to any network. It has antivirus software in order to scan removable media and to protect the sheep dip computer itself. The system can be made more effective by running more than one antivirus program, because no single antivirus product is able to detect every type of virus.
It is very important to secure sheep dip computers as strongly as possible against malware, because their role as a first line of defence means that they are particularly likely to be attacked. Software updates should be applied as soon as they become available. Antivirus signatures should be the most up-to-date that are available, which in practice means that they must be updated at least daily. The operating system should be hardened and locked down as far as possible.
Network connections are avoided for two reasons. Firstly, an Internet connection is a potential attack vector via which the computer could be compromised. Secondly, there is a risk that a worm on a removable device might escape into a local area network if the sheep dip computer is connected to it.
Weaknesses of typical systems
Isolation from networks makes automatic updating impossible, because the sheep dip computer is not able to make contact with the servers from which software updates and antivirus signatures are distributed. It is therefore normal for updates to be applied manually, after they have been downloaded by a separate network-connected computer and copied to a USB flash drive.
When a computer's security and antivirus updates are dependent on manual intervention by human beings, the system's security becomes vulnerable to human error. If pressure of work prevents updates from being applied as soon as they become available, a sheep dip computer will gradually become more and more insecure.
Absence of network connections also makes it difficult for an organisation to monitor the status of sheep dips if it has deployed them to several different locations. The people with central responsibility for IT security must rely on prompt and accurate reports from those who use the sheep dips. Again, there is a risk of human error.
Active sheep dip system
In an active sheep dip the antivirus protection is monitored in real time with another program in order to increase security. Antivirus is only effective if it is up-to-date, properly configured, and running. Active sheep dips add an extra layer of security by checking antivirus and intervening if necessary.
At the very least, an active sheep dip must disable access to removable media if it detects that its own antivirus signatures are not up-to-date. A more advanced system can be allowed limited network access for automatic updates and remote monitoring, but it must only enable its network connection when there is no immediate malware risk. When the network connection is active all removable media access must be disabled.
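The rules in this section expressed as a small policy function, added here as an example and not taken from the page or from any sheep dip product: it assumes a one-day limit on signature age (the page's "at least daily") and treats "no removable media present" as the state with no immediate malware risk in which the network may be enabled; the antivirus states and scenarios are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption for this example: signatures older than one day count as stale,
# matching the page's requirement that they be updated at least daily.
MAX_SIGNATURE_AGE = timedelta(days=1)

@dataclass
class AvStatus:
    running: bool               # antivirus engine is actually executing
    configured: bool            # on-access scanning of removable media is enabled
    signatures_updated: datetime

@dataclass
class Decision:
    media_allowed: bool         # removable-media ports/drivers enabled
    network_allowed: bool       # network interface enabled
    reason: str

def av_is_healthy(av: AvStatus, now: datetime) -> bool:
    """Antivirus counts as effective only if running, configured and up to date."""
    return av.running and av.configured and (now - av.signatures_updated) <= MAX_SIGNATURE_AGE

def decide(av: AvStatus, media_inserted: bool, update_due: bool, now: datetime) -> Decision:
    """Enforce the page's rules: no media access with unhealthy AV; network only
    when no media is present (assumed to be the 'no immediate malware risk' state);
    never media access and network access at the same time."""
    if media_inserted:
        if av_is_healthy(av, now):
            return Decision(True, False, "AV healthy: media may be scanned, network isolated")
        return Decision(False, False, "AV stale or not running: media blocked, network isolated")
    if update_due:
        return Decision(False, True, "no media present: network up for updates/monitoring, media blocked")
    return Decision(av_is_healthy(av, now), False, "idle: network isolated, media only if AV healthy")

def run_scenarios(now: datetime = datetime(2013, 4, 11, 12, 0)) -> dict:
    """Constructed scenarios covering each branch; returns scenario name -> Decision."""
    fresh = AvStatus(True, True, now - timedelta(hours=2))
    stale = AvStatus(True, True, now - timedelta(days=3))
    stopped = AvStatus(False, True, now - timedelta(hours=1))
    return {
        "media_fresh_av": decide(fresh, True, False, now),
        "media_stale_av": decide(stale, True, True, now),
        "media_av_stopped": decide(stopped, True, False, now),
        "no_media_update_due": decide(stale, False, True, now),
        "idle_fresh_av": decide(fresh, False, False, now),
    }
```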