I am experiencing dissonance between developers, security, and infrastructure teams on the topic of whether to do network layer segmentation for DEV and PROD environments.

Security and Infra folks say yes and want firewalls between the environments with different levels of change control.

Developers say no and argue that different VMs/containers are sufficient and don't see value in having firewalls between DEV and PROD.

I see value on both sides of this argument but would love to know what others are doing here.
As a developer it is worth it as long as you have separate teams responsible for development and production. Segmentation means that a prod server can't accidentally be configured to access a dev resource (db instance, etc). If you have development hand off installation packages and instructions it also means that dev never has to touch prod servers (except read access to logs, etc).
It also eliminates the temptation to "temporarily" use a dev machine/instance as part of prod to solve a problem (and then leaving it that way for years).
Absolutely must separate. One reason: controlled access to prod. You cannot let any arbitrary untrusted device on your corporate network connect directly to prod instances. Instead, you need a VPN or other jump host in the middle.

The same rules don't apply in dev and are counterproductive there.
I have seen the following patterns implemented:

Pattern 1:

* DEV VLANs + DEV Subnets
* PROD VLANs + PROD Subnets
* Firewalls between DEV and PROD subnets at network layer
  - firewall rules implemented by separate net/sec team

Pattern 2:

* DEV VLANs + DEV Subnets
* PROD VLANs + PROD Subnets
* Firewalls implemented through Security Groups (cloud based platforms)
  - firewall rules delegated to product teams

I would be interested to see what other patterns teams are using and how security and operations protections are achieved.
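As an added example that is not part of the thread: a small Python audit over a list of allow rules (constructed sample data, with assumed DEV and PROD address blocks) that flags any rule bridging the two environments, the kind of check a net/sec team might run over rules that product teams manage themselves in Pattern 2.

```python
"""Audit allow rules for DEV <-> PROD leakage (added example, not from the thread).

Assumptions (constructed): each environment owns one address block, and a
firewall / security-group rule is a (source CIDR, destination CIDR, port) allow.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed address plan: one block per environment.
ENVIRONMENTS = {
    "DEV": [ip_network("10.10.0.0/16")],
    "PROD": [ip_network("10.20.0.0/16")],
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str  # source CIDR
    dst: str  # destination CIDR
    port: int


def envs_touched(cidr: str) -> set[str]:
    """Environments whose address block overlaps this CIDR (0.0.0.0/0 hits all)."""
    net = ip_network(cidr, strict=False)
    return {env for env, blocks in ENVIRONMENTS.items()
            if any(net.overlaps(b) for b in blocks)}


def cross_environment(rule: Rule) -> set[tuple[str, str]]:
    """(src_env, dst_env) pairs the rule bridges; empty when traffic stays in one env."""
    return {(s, d) for s in envs_touched(rule.src)
            for d in envs_touched(rule.dst) if s != d}


def audit(rules: list[Rule]) -> list[str]:
    """Names of rules that allow traffic across the DEV/PROD boundary, in input order."""
    return [r.name for r in rules if cross_environment(r)]


# Constructed sample ruleset: two proper intra-environment rules and two leaks.
SAMPLE_RULES = [
    Rule("dev-web-to-dev-db", "10.10.1.0/24", "10.10.2.0/24", 5432),
    Rule("prod-web-to-prod-db", "10.20.1.0/24", "10.20.2.0/24", 5432),
    Rule("prod-app-to-dev-db", "10.20.1.0/24", "10.10.2.5/32", 5432),  # prod using a dev resource
    Rule("any-to-prod-ssh", "0.0.0.0/0", "10.20.0.0/16", 22),  # arbitrary devices straight to prod
]

if __name__ == "__main__":
    for name in audit(SAMPLE_RULES):
        print("cross-environment rule:", name)
```

A rule whose source is 0.0.0.0/0 is treated as touching every environment, so a wide-open rule into PROD is reported even though no DEV address is named explicitly.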