restrict internet access to development network

[gwu]

We are working on a web project where we are required, by the customer, to keep the source code under "lock & key". My boss needs me to come up w/ a solution. His option: keep all source code on a seperate network where employees do not have any Internet acesss. We cant risk giving an employee the ability to upload any of the source code via ftp, email, or http "form upload". Of couce we would have to disable all USB access, floppy drives, cd burners, etc as well. They can have thier internal development web server environment, thats it.

I use iptables on a linux box as the firewall. This is easy to do, but are there any other options as this seems like a drastic approach.

 

[sleipnir214]

If you want to be truly paranoid, the only way to secure the code is to have the development team use media-unavailable workstations on a physically separate network. Media-unavailable workstations prevent anyone from buring the code to a transportable medium. The physically separate network prevents someone from transferring code to a non-secured workstation and sending the code out from there.


Want the best answers? Ask the best questions!

TANSTAAFL!!

 

[gwu]

Exactly, but the media part is no problem. Its is the restricted internet access that i question. I cant imagine working without the internet even if just for moral and inspiration.

so i am guessing by your answer that someone could find a way to upload code via the internet if you allow internet access.

thanks

 

[ericbrunson]

Absolutely.

http://www.boingboing.net/2004/06/21/tunneling_ssh_over_d.html

 

[marsd]

Lock down or remove all ipv4/6 socket access and make sure
that the net devices are configured not to forward any
traffic from the subnet these boxes are on. The end.