Sheep dip (computing) is a dedicated computer which is used to test files on removable media for viruses before they are allowed to be used with other computers.
Contents
Such machines are a normal first line of defence against viruses in high-security computing environments and IT security specialists are expected to be familiar with the concept.
They were originally deployed in response to the problem of boot sector viruses on floppy discs. Subsequently their scope has been expanded to include USB flash drives, portable hard discs, memory cards, CD-ROMs and other removable devices, all of which can potentially carry malware.
The name sheep dip is derived from a method of killing parasites in a flock of sheep by dipping all of the animals one after another in a trough of pesticide.
Typical sheep dip system
A sheep dip is normally a stand-alone computer, not connected to any network. It has antivirus software in order to scan removable media and to protect the sheep dip computer itself. The system can be made more effective by having more than one antivirus program, because any single antivirus product will not be able to detect all types of virus.
It is very important to secure sheep dip computers as strongly as possible against malware, because their role as a first line of defence means that they are particularly likely to be attacked. Software updates should be applied as soon as they become available. Antivirus signatures should be the most up-to-date that are available, which in practice means that they must be updated at least daily. The operating system should be hardened and locked down as far as possible.
Network connections are avoided for two reasons. Firstly, an Internet connection is a potential attack vector via which the computer could be compromised. Secondly, there is a risk that a worm on a removable device might escape into a local area network if the sheep dip computer is connected to it.
Computers running Incident Command System (ICS) Protection Agent will not accept any removable USB media device that has not been scanned and validated by the USB scanner station, thereby blocking all file transfer and application execution from unauthorized devices.
Weaknesses of typical systems
Isolation from networks makes automatic updating impossible, because the sheep dip computer is not able to make contact with the servers from which software updates and antivirus signatures are distributed. It is therefore normal for updates to be applied manually, after they have been downloaded by a separate network-connected computer and copied to a USB flash drive.
When a computer's security and antivirus updates are dependent on manual intervention by human beings, the system's security becomes vulnerable to human error. If pressure of work prevents updates from being applied as soon as they become available, a sheep dip computer will gradually become more and more insecure.
Absence of network connections also makes it difficult for an organisation to monitor the status of sheep dips if it has deployed them to several different locations. The people with central responsibility for IT security must rely on prompt and accurate reports from those who use the sheep dips. Again, there is a risk of human error.
Active sheep dip system
In an active sheep dip the antivirus protection is monitored in real time with another program in order to increase security. Antivirus is only effective if it is up-to-date, properly configured, and running. Active sheep dips add an extra layer of security by checking antivirus and intervening if necessary.
At the very least, an active sheep dip must disable access to removable media if it detects that its own antivirus signatures are not up-to-date. A more advanced system can be allowed limited network access for automatic updates and remote monitoring, but it must only enable its network connection when there is no immediate malware risk. When the network connection is active all removable media access must be disabled.