Because of security reasons, we will not be able to use IIS on our local machines. I'm sure that many of you have faced the same problem, so how did you solve it? Here are the options that we're looking at:

  1. Create a VLAN that is isolated from the network for development. This will allow us to use any software, including IIS, that we want. A disadvantage is testing Web services with external organizations, which can be overcome by using stubs.

  2. Not use a VLAN and use only the ASP.NET Development Server that comes with Visual Studio, and then deploying that code to the development server. This has the disadvantage of not being able to replicate the production environment during local development. In addition, at least one developer needs IIS for GIS development, so he couldn't develop locally.

Thank you for comments or suggestions that you may have!

A: 

You can configure IIS with IP address restrictions, including whitelist-based ones. E.g. restrict to just 127.0.0.1.

I suspect this can be done from group policy to maximise enforcement.

Richard
Good idea; however, our security person did not go for that. He believes that there is no mitigation and that just having IIS on a desktop (non-server) OS presents too many security vulnerabilities. And, they don't want to have to create new automated patches to patch the (non-server OS) IIS.
red tiger
@redtiger: your security person seems very conservative: for patching tell him about WUS. And then go to the business people in charge and tell them about the cost of security making things harder, real numbers will help, some % extra or $ figure. Security needs to serve the business: disallowing everything and everybody will give more security, but no one (including security folks) will get a job.
Richard
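As an added illustration of the IP-restriction approach in this answer (not configuration from the original post), here are the relevant IIS 7+ fragments of applicationHost.config: the ipSecurity section stays locked at the server level so no site web.config can widen the list, unlisted addresses are denied, and only the IPv4 loopback address is allowed. It assumes the "IP and Domain Restrictions" role service is installed; the file path is the IIS default.

```xml
<!-- Added example, not from the original answer.
     Fragments of %windir%\System32\inetsrv\config\applicationHost.config -->
<configuration>
  <configSections>
    <sectionGroup name="system.webServer">
      <sectionGroup name="security">
        <!-- Deny (the IIS default) keeps the section locked: a site-level
             web.config cannot override or extend the allow list. -->
        <section name="ipSecurity" overrideModeDefault="Deny" />
      </sectionGroup>
    </sectionGroup>
  </configSections>

  <system.webServer>
    <security>
      <!-- Weak (default) form: allowUnlisted="true" means every client that
           can reach the host on the network is served.
           <ipSecurity allowUnlisted="true" />
      -->
      <!-- Hardened form: reject every address not listed, then list only
           the local loopback so only the developer's own machine is served.
           Remote clients receive HTTP 403.6 (IP address rejected). -->
      <ipSecurity allowUnlisted="false">
        <add ipAddress="127.0.0.1" allowed="true" />
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
```

Verify the effective setting with `appcmd list config /section:ipSecurity`, then confirm from a second machine on the LAN that a request to the developer's host is answered with 403.6 rather than the site.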
A: 

Create a local VM using virtual PC. Do not give that virtual machine a network connection.

Edit: Note it is possible to have an unnetworked virtual machine be accessible over a network safely in two ways:

  1. Share the virtual machine's settings and hard drive over a network share. Only one person can use the virtual machine at a time. I suspect using undo disks in a clever way could remove this limitation, but it's not supported.

  2. Use a server-based virtual machine solution like VMWare. If your company isn't already doing this, it costs money and resources to set up. The advantage of this is that everyone can look at the machine at once.

Note that in both of these solutions, users are accessing the VM directly, not connecting to it. So, the machine itself is not actually hitting the network and thus there is no way to hack into the vm without gaining access to the machine hosting the VM first (e.g. through a share like in #1). This is more like remote desktop than external website, but remote desktop leaves the machine you're remoting into the ability to see computers directly, so it is not as safe as this is.

Tautology: It is not possible for a machine to serve up content to other machines unless those machines are accessible (directly or indirectly) to it. So if you have the VM running IIS and want to treat it as an external web server but not have it be able to access computers on your network, you're running into conflicting requirements. Any trick involving sending the traffic in some roundabout way is just turning security holes into more roundabout security holes (though not roundabout from the perspective of hackers).

Technically both #1 and #2 also make the VM accessible over the network, but the virtual machine itself doesn't see the network (instead, the machine hosting the VM sees the network).

Brian
This is a possible solution. Would it be possible to connect the different virtual machines to each other over the network, but still have those machines isolated from the network?
red tiger
@Red Tiger: Edited to answer a question, which in hindsight is not actually what you just asked.
Brian
@Red Tiger: Virtual PC has a setting specifically to solve this problem. "you can attach a virtual network to a local-only network. A local-only network is a private network for communication between virtual machines only." - http://support.microsoft.com/kb/833134
Brian
+1  A: 

We develop on servers using remote desktop. Gives you the right power and allows you to configure and test the apps immediately on the right OS.

ck
Thanks for the suggestion, but this wouldn't be approved because the servers that have IIS are on the network, and they won't allow us to make changes to the IIS that is on the server.
red tiger
It might also help to know that developers have a d-username domain account that provides elevated permissions to use on servers. They have to give you some freedom, or you won't ever be able to do anything.
ck
A: 

Based on comments, it sounds like you do need an isolated environment. A combination of router/firewall plus AD forest one-way trust[1] should allow your (development) systems to access corporate resources you need, but not vice versa.

The network part could be done with a VLAN, but if IIS is so much of a problem a VLAN seems unlikely to be enough isolation.

I have worked in such an environment, and it was largely transparent for development work (including allowing us developers the local administrative rights we needed), while ensuring we could not interfere with corporate IT operations.


[1] I.e. the development AD forest trusts the corporate AD forest, and not vice versa.

Richard