Mark Minasi's Reader Forum
 What to do?
lacrosseboy
Old Timer

550 Posts
Status: offline

Posted - 07/06/2012 : 09:51:09 AM
We have a debate going on in the office and I want some other feedback/ideas on what some of you are doing with your development/test environments. Currently, we have a Production (with credit cards) and Office environments protected/separated with a firewall. Development servers and developers work in the Office area and promote code, etc. Testing is done in the Office area too.

We are a company of about 160 users with 5 developers and we don't have very much money to spend on projects like this.

One school of thought is to move the developers and servers/workstations/toys to a separate domain isolated with a firewall/switch and no connection to the Production or Office environments. A one-way trust is possible. Some people think this is overkill.

Another thought is to put the developers and their servers/workstations on a separate VLAN. Keep them on the same domain but isolate with rules on the switch.

What have others done based on the size of the organization?

Thomas Deimel
Keeper of the Holy Potato

JeffWouters
Here To Stay

Netherlands
149 Posts
Status: offline

Posted - 07/06/2012 : 10:58:40 AM
First of all, VLANs are not intended as a security feature, although they are widely misused for it...
What I get from your story is that you work with credit cards? If so, do you have or want to achieve the PCI-DSS certification? Because most of the time those requirements will aim you towards the use of multiple domains and multiple network tiers.

Greetsz,
Jeff.

lacrosseboy
Old Timer

550 Posts
Status: offline

Posted - 07/06/2012 : 11:04:52 AM
Yes, we widely misuse the VLAN stuff. Firewall is best.

Yes, we have CC data. We sort of have PCI-DSS. Multiple domain would make sense. Thanks.

Thomas Deimel
Keeper of the Holy Potato

lacrosseboy
Old Timer

550 Posts
Status: offline

Posted - 07/06/2012 : 11:56:24 AM
Production is now protected with a firewall/switch. The developers sit in the Office area on the same domain. I looked at the requirements of PCI-DSS and they are required to be separated and not in the production area.

I go back to my original thinking, do the developers need to be on their own domain, completely separated with their own switch and firewall? To me, this is questionable for the small organization that we are.

Thomas Deimel
Keeper of the Holy Potato

Jazzy
Administrator

Netherlands
1949 Posts
Status: offline

Posted - 07/06/2012 : 4:24:45 PM
When you say domain, I assume you actually mean forest. A domain isn't a security boundary either.

Can't help you with advice on PCI-DSS, sorry.

Jetze Mellema

Exchange specialist
Former MVP (2005-2012)
My blog: http://jetzemellema.blogspot.com (Dutch)
My company: http://www.imara-ict.nl/

JamesNT
Moderator

USA
3151 Posts
Status: offline

Posted - 07/08/2012 : 9:14:30 PM
If you use a security services gateway like the Juniper SRX, you can use VLANs as a security feature. You can set up VLANs in the SRX such that they can't see/speak to each other. At all.

JamesNT

James Summerlin
www.jamessummerlin.com

lacrosseboy
Old Timer

550 Posts
Status: offline

Posted - 07/09/2012 : 08:39:12 AM
We have the Juniper SSG series so I will have to check if this is possible, I doubt it!

Thomas Deimel
Keeper of the Holy Potato

wobble_wobble
Honorable But Hopeless Addict

Ireland
4524 Posts
Status: offline

Posted - 07/11/2012 : 02:33:37 AM
Technically, the R&D/Dev network needs to be separate from Production.

Think of Production (the PCI-compliant business unit) as an enclave. Auditors will review the PCI compliance network (cabling, access methods, separation, accounts, security, etc.) and you will fail if R&D/Dev and Production share resources openly and easily. By this I mean an account in one can traverse the other, print to the other, etc.

You really need different AD forests, no trusts, different networks, different VLANs, gateways, firewall rules, different SQL databases, file shares, etc.
Think of it as 2 completely different businesses in 2 completely different countries, with a language barrier, and you're in the right direction.

Joe

After everything that has happened during the month of Jan 07, I do believe that pigs fly backwards!

http://whatismyv6.com/
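As an added illustration of the zone-based isolation JamesNT describes and the separate-VLAN, explicit-firewall-rule layout Joe lists (this is not configuration from anyone in the thread), here is a Junos SRX fragment in `set` syntax. Interface names, VLAN IDs, zone names and addresses are assumptions, and it assumes an SRX branch model on a Junos release where Layer 3 VLAN interfaces are named `vlan.N`.

```junos
# Weak: the dev and prod VLANs are separate at Layer 2, but both Layer 3
# interfaces sit in the factory "trust" zone, and the factory intra-zone
# policy permits everything. The VLAN split buys no isolation here.
# (Assumed VLAN IDs, interface names and addresses.)
set vlans dev-vlan vlan-id 10
set vlans dev-vlan l3-interface vlan.10
set vlans prod-vlan vlan-id 20
set vlans prod-vlan l3-interface vlan.20
set interfaces vlan unit 10 family inet address 10.10.0.1/24
set interfaces vlan unit 20 family inet address 10.20.0.1/24
set security zones security-zone trust interfaces vlan.10
set security zones security-zone trust interfaces vlan.20
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit

# Corrected: each VLAN gets its own security zone. The only policies
# between the two zones are explicit, logged denies in both directions,
# and the box-wide default policy is deny-all so nothing slips through
# when a zone pair has no policy at all.
delete security zones security-zone trust interfaces vlan.10
delete security zones security-zone trust interfaces vlan.20
set security zones security-zone dev interfaces vlan.10
set security zones security-zone prod interfaces vlan.20
set security policies from-zone dev to-zone prod policy deny-dev-to-prod match source-address any
set security policies from-zone dev to-zone prod policy deny-dev-to-prod match destination-address any
set security policies from-zone dev to-zone prod policy deny-dev-to-prod match application any
set security policies from-zone dev to-zone prod policy deny-dev-to-prod then deny
set security policies from-zone dev to-zone prod policy deny-dev-to-prod then log session-init
set security policies from-zone prod to-zone dev policy deny-prod-to-dev match source-address any
set security policies from-zone prod to-zone dev policy deny-prod-to-dev match destination-address any
set security policies from-zone prod to-zone dev policy deny-prod-to-dev match application any
set security policies from-zone prod to-zone dev policy deny-prod-to-dev then deny
set security policies from-zone prod to-zone dev policy deny-prod-to-dev then log session-init
set security policies default-policy deny-all
```

After `commit`, `show security policies from-zone dev to-zone prod` should list only the deny policy, and the logged session-init hits give the auditor evidence that cross-enclave traffic is being refused rather than merely absent.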
Mark Minasi's Reader Forum © 2002-2011 Mark Minasi