Jump to content

Sheep dip (computing)

Add links
From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by NapoliRoma (talk | contribs) at 21:14, 8 April 2019 (Further editing to reflect definition). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

In data security, a sheep dip is the process of using a dedicated computer to test files on removable media for viruses before they are allowed to be used with other computers.[1]

This protocol is a normal first line of defence against viruses in high-security computing environments[2][3] and IT security specialists are expected to be familiar with the concept.[4][5][6]

The process was originally developed in response to the problem of boot sector viruses on floppy discs. Subsequently, its scope has been expanded to include USB flash drives, portable hard discs, memory cards, CD-ROMs and other removable devices, all of which can potentially carry malware.

The name sheep dip is derived from a method of preventing the spread of parasites in a flock of sheep by dipping all of the animals one after another in a trough of pesticide.[1] The term has been in use since at least the early 1990s, though footbath was also used at the time.[7] A sheep dip system can be considered a special case of a sandbox, used to test for malware.


Typical sheep dip system

A sheep dip is normally a stand-alone computer, not connected to any network. It has antivirus software in order to scan removable media and to protect the sheep dip computer itself. The system can be made more effective by having more than one antivirus program, because any single antivirus product will not be able to detect all types of virus.[8]

It is very important to secure sheep dip computers as strongly as possible against malware, because their role as a first line of defence means that they are particularly likely to be attacked. Software updates should be applied as soon as they become available.[9] Antivirus signatures should be the most up-to-date that are available,[10][11] which in practice means that they must be updated at least daily. The operating system should be hardened[12] and locked down as far as possible.

Network connections are avoided for two reasons. Firstly, an Internet connection is a potential attack vector via which the computer could be compromised. Secondly, there is a risk that a worm on a removable device might escape into a local area network if the sheep dip computer is connected to it.

Weaknesses of typical systems

Isolation from networks makes automatic updating impossible, because the sheep dip computer is not able to make contact with the servers from which software updates and antivirus signatures are distributed. It is therefore normal for updates to be applied manually, after they have been downloaded by a separate network-connected computer and copied to a USB flash drive.

When a computer's security and antivirus updates are dependent on manual intervention by human beings, the system's security becomes vulnerable to human error. If pressure of work prevents updates from being applied as soon as they become available, a sheep dip computer will gradually become more and more insecure.

Absence of network connections also makes it difficult for an organisation to monitor the status of sheep dips if it has deployed them to several different locations. The people with central responsibility for IT security must rely on prompt and accurate reports from those who use the sheep dips. Again, there is a risk of human error.

Active sheep dip system

In an active sheep dip[13] the antivirus protection is monitored in real time with another program in order to increase security. Antivirus is only effective if it is up-to-date, properly configured, and running. Active sheep dips add an extra layer of security by checking antivirus and intervening if necessary.

At the very least, an active sheep dip must disable access to removable media if it detects that its own antivirus signatures are not up-to-date. A more advanced system can be allowed limited network access for automatic updates and remote monitoring, but it must only enable its network connection when there is no immediate malware risk. When the network connection is active all removable media access must be disabled.

References

  1. ^ a b Webopedia definition of term "sheep dip" Retrieved on 11 April 2013.
  2. ^ Build Your Own Security Lab: A Field Guide for Network Testing (Page 269) ISBN 978-0470179864
  3. ^ forensic-computer-services.com Statement of Capability Retrieved on 11 April 2013.
  4. ^ Certified Ethical Hacker Course Overview (Lesson 9) Retrieved on 11 April 2013. Archived 5 May 2013 at the Wayback Machine
  5. ^ EC-Council 312-49 Exam (Specimen question 2) Retrieved on 11 April 2013.
  6. ^ ICAN Examination: Information Technology (Question 5) Retrieved on 11 April 2013.
  7. ^ Solomon, Alan; Kay, Tim (1994). Dr Solomon's PC anti-virus book. Retrieved 8 April 2019.
  8. ^ AV-Comparatives independent tests of antivirus sortware
  9. ^ getsafeonline.org Software Updates Retrieved on 12 April 2013.
  10. ^ getsafeonline.org Viruses & Spyware Retrieved on 12 April 2013.
  11. ^ Symantec Corporation Virus Definitions and Security Updates Retrieved on 12 April 2013.
  12. ^ CPNI Good Practice Guide General Advice on Securing Operating Systems Retrieved on 27 May 2013.
  13. ^ http://sheepdip.sourceforge.net/ActiveSheepDip.php
Retrieved from "https://en.wikipedia.org/w/index.php?title=Sheep_dip_(computing)&oldid=891578671"