We have dev, test, QA, and prod environments for our n-tier web-based
application development.
Now our network and security told me that the development environment
should not have internet access due to security. But as developers, we
must have internet access to go to MSDN or other sites while we are
coding. Do you have any experience with this situation? Could you tell
me if the development environment really should not have internet
access? Or how can we have very good security in my dev and also
have internet access?


thanks in advance,
Dana

Re: How to setup secure developement environment with Internet access? by Roger

Roger
Tue Feb 08 01:18:31 CST 2005

I can understand where, if the code being developed is considered
proprietary and a primary business asset, there would be those in
management that would want to block all ability to transfer source
out or accidentally permit unwanteds in.

It is always possible to allow only specific websites from the
subnets that are development - if there is a will on the part of those
restricting the access (and their $s will to provision so it can be).

Do they understand the productivity aspects of removing all
internet access? I do know the MSDN library can be mounted
on a network drive, but that is not the same by any means as
access to msdn.microsoft.com.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA



Re: How to setup secure developement environment with Internet access? by Alexander

Alexander
Tue Feb 08 11:38:57 CST 2005

IMHO completely disabling Internet access is overkill. But you should take
precautions against threats such as viruses, trojans, malicious software and
possible intrusions. You can build a safe environment with Internet access,
but it has a cost. Vital network resources (internal production servers) must
be protected by a firewall. So this subject presumes a long discussion ;)

Best regards,
Alex.



Re: How to setup secure developement environment with Internet access? by Dana

Dana
Tue Feb 08 13:07:36 CST 2005

Alex,
Thank you very much for your reply. Our development did exist
after the firewall but I am not really sure how to really solve this
security issue. I understand that there might be more potential threats with
Internet access. Do you have any good reference site or article which
discusses this subject? Could you tell me what the best solution
is for dev with internet access?

thanks again,
Dana


Re: How to setup secure developement environment with Internet access? by Dana

Dana
Tue Feb 08 13:39:44 CST 2005

Roger,
Thank you for your reply also. You are very correct and I really
worry about the productivity problem. Personally, I have actually never seen
any dev environment with no internet access. But do you know how
people handle this in general?


thanks a lot,
Dana


Re: How to setup secure developement environment with Internet access? by Alexander

Alexander
Tue Feb 08 16:04:00 CST 2005

Well, I am not sure that I can point to an article where all issues are covered.
There is a lot of information about network security on the Internet. For
example, one article about multilayer firewall protection:
http://insight.zdnet.co.uk/communications/networks/0,39020427,2130533,00.htm
and another about protecting a corporate database against compromise via
the corporate Web server:
http://www.governmentsecurity.org/articles/MakingYourNetworkSafeforDatabases.php

These are only examples. Actually, advice for you should depend on more specific
knowledge of your needs. For example, you have a very simple network: Internet
router, firewall, several development stations. In this case your network
should use NAT, and it does not expose any services outside of the network. In
this case your development workstations are protected from direct attacks
from outside. Of course your firewall will be attacked. The next step - protect
your workstations against viruses and worms. Probably your email server should
have an anti-virus plug-in. In this case the risk of receiving viruses/worms
will be significantly reduced. Another option - install anti-virus software
on each workstation and update the anti-virus databases regularly. The next
step - filtering of access to Web content. Some sites may contain malicious
scripts and even trojans. Another important part of the overall process -
training of personnel, because each employee should know about possible risks
and how security may be compromised via their improper actions.

It is a very complex process. You should plan and deploy a security architecture
and train employees. If you have no time, resources, or simply desire to do
it, then your security is right - you should switch off Internet access. ;)

I can offer basic possible actions: place the development network behind its own
firewall inside the corporate network, make Web access only via the corporate proxy
(for audit), restrict email (POP3/SMTP) access - make only the internal email
server accessible, close all other ports, use anti-virus software with
regular updates, apply OS patches regularly.

Best regards,
Alex.



Re: How to setup secure developement environment with Internet access? by Roger

Roger
Wed Feb 09 01:10:12 CST 2005

One way would be to force their machines to be proxy clients,
so that all internet access must go through the proxy, such as ISA
Server. There it would be possible to have an allowed destination
list, i.e. msdn.microsoft.com on port tcp 80, and perhaps others.
As was said, it is a matter of those wanting the protection/restriction
to decide between the cost of lost productivity (including skillset
evolution) vs the cost of facilitating their controlled access to dev
resources.

--
Roger



Re: How to setup secure developement environment with Internet access? by Dana

Dana
Wed Feb 09 20:01:34 CST 2005

Thanks for all your replies. Now you remind me that actually a lot of
companies do force their machines to be proxy clients. Could you tell me
how large this allowed destination list could be? Or could you just
set up the sites that we are not allowed to access?
The other problem is that those wanting the protection/restriction only
want to control the access to have better security and might not think
about the productivity thing. As developers, we might want to give them
some suggestions and work with them in order to keep internet access in
the development environment.

Again,
thanks,
Dana



Re: How to setup secure developement environment with Internet access? by Alexander

Alexander
Thu Feb 10 09:56:48 CST 2005

Dana,

security is always a compromise. The best security is when you place something
valuable into an armour-plated safe and destroy the keys. But it is useless ;)
You should work with your security personnel to produce the best scheme for
your needs.

A proxy server is ideal for auditing what web resources were visited. It
simplifies content checks.

Best regards,
Alex.



Re: How to setup secure developement environment with Internet access? by hal

hal
Thu Feb 10 13:10:38 CST 2005

On 9 Feb 2005 18:01:34 -0800, "Dana" <dyw55a@yahoo.com> wrote:

>Thanks for all your reply. Now you remind me that actually a lot of
>company do force their machine to be proxy clients. Could you tell me
>how large this allowed destination list could be? Or could you just
>setup up the sites that we do not allow to access?
>The other problem is that those wanting the protection/restriction only
>want to control the access to have better security and might not think
>about productivity thing. As developer, we might want to give them
>some suggestion and work with them in order to keep internet access in
>the developement environment.

You don't need to use a proxy server to do this. All firewalls
(AFAIK) have rules lists based on source, destination, and protocol.
Create a network group object in your firewall that includes all your
dev group. Create a rule in your FW allowing this group to access
msdn and nothing else. Problem solved. Management is happy, dev can
get to msdn. If they need other sites for support access, they can
write a justification to management, and with their permission, you
can add any number of sites to your permitted access list. This way
everyone gets what they want, and you get your butt covered.

Hal


Re: How to setup secure developement environment with Internet access? by Alexander

Alexander
Thu Feb 10 13:49:29 CST 2005

Most firewalls use IP addresses in rules, don't they? IMHO a proxy is better for
audit of Web traffic.

Best regards,
Alex.



Re: How to setup secure developement environment with Internet access? by Roger

Roger
Fri Feb 11 00:01:21 CST 2005

Depending on brand, etc., both could work. A proxy gains you
user-identity-based access control and more extensive audit
trail capability (and cost).

--
Roger
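The per-user allowed destination list and audit trail discussed in this thread, sketched as an added Python example (not part of any poster's message, and not ISA Server or firewall syntax). The user directory, group name and request lines are constructed, and allowing true subdomains of a listed host is an assumption.

```python
from urllib.parse import urlsplit

# Constructed policy data (assumptions, not taken from the thread's network).
USER_GROUPS = {"dana": "dev"}
ALLOWED = {"dev": {("msdn.microsoft.com", 80)}}   # (host, tcp port) pairs
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_target(request_line):
    """Return (host, port) from a proxy request line, or raise ValueError."""
    method, target, _version = request_line.split()
    if method.upper() == "CONNECT":            # CONNECT host:port HTTP/1.1
        host, _, port = target.rpartition(":")
        port = int(port)
    else:                                      # GET http://host/path HTTP/1.1
        parts = urlsplit(target)
        host = parts.hostname or ""
        port = parts.port or DEFAULT_PORTS.get(parts.scheme, 0)
    host = host.lower().rstrip(".")            # case and trailing dot do not matter
    if not host or not port:
        raise ValueError("no usable host/port in request")
    return host, port


def host_allowed(host, port, rules):
    """Exact host or a true subdomain on an allowed port; never a substring match."""
    return any(port == p and (host == h or host.endswith("." + h))
               for h, p in rules)


def decide(user, request_line):
    """Return one audit record (dict) for a request seen at the proxy."""
    record = {"user": user or "-", "request": request_line}
    group = USER_GROUPS.get(user)
    if group is None:
        return {**record, "action": "DENY", "reason": "unknown or unauthenticated user"}
    try:
        host, port = parse_target(request_line)
    except ValueError as exc:
        return {**record, "action": "DENY", "reason": f"bad request: {exc}"}
    record.update(host=host, port=port, group=group)
    if host_allowed(host, port, ALLOWED.get(group, ())):
        return {**record, "action": "ALLOW", "reason": "on allowed destination list"}
    return {**record, "action": "DENY", "reason": "destination not on list"}


SAMPLE = [  # constructed request lines
    ("dana", "GET http://msdn.microsoft.com/library/ HTTP/1.1"),
    ("dana", "GET http://MSDN.Microsoft.com./library/ HTTP/1.1"),
    ("dana", "GET http://msdn.microsoft.com.example.net/ HTTP/1.1"),
    ("dana", "CONNECT msdn.microsoft.com:443 HTTP/1.1"),
    (None, "GET http://msdn.microsoft.com/ HTTP/1.1"),
]

if __name__ == "__main__":
    for user, line in SAMPLE:
        r = decide(user, line)
        print(r["action"], r["user"], r.get("host", "-"), r.get("port", "-"), r["reason"])
```

Every decision, allowed or denied, produces a record carrying the user name and the requested host name, which is the information an address-based firewall rule does not see.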