What are best practices for securing source code on a development network?
Company policy is often more effective than a technology solution for some of these things. That's not to say that technology can't play a role in helping enforce the policies.
I suggest that you look into a Fortigate from Fortinet. They have a few things that you can leverage to help you. They have the ability to quarantine any computers that don't meet your policies, aka patch levels, A/V, etc. It also has the ability to do both application protection and data leak prevention. So you would just need to set up a data leak prevention rule to block anything that resembled code. So if your company has a standard header that is put at the top of the files, you could look for that and block and report it. If you add the FortiClients to the mix, you can lock down the USB ports on the local machine as well as enforce firewall, A/V, data leak prevention, and Intrusion Prevention policies at each client.
So, to talk to your points:
- The firewall with VLANs should be able to take care of your first point.
- Fortigates also act as a VPN, so that point is pretty simple as well.
- A VLAN of some sort could be your Sandbox.
- With FortiClient in combination with Group Policies and the Fortigate, you should be able to control everything you need.
- This one is a bit tougher to deal with. But company policies that state that not following these policies will result in termination are the best approach. However, the FortiClient can lock down the USB ports, so as long as you lock down the network sufficiently this should give you the control you require.
- This last one is more of a policy thing as well.
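The "block anything that resembles code, and look for the standard header" rule described above is easy to describe and surprisingly fiddly to get right, because a single regex on raw text misses encoded attachments and flags ordinary email. The following is an added example, not code from the answer or from any Fortinet product: a small content-inspection routine that blocks outright on a (constructed, hypothetical) corporate header, blocks when several generic code signals coincide, only reports on a single weak signal to keep false positives down, and unwraps base64-encoded payloads before judging them. The header text, the signal patterns and all sample messages are constructed for the example.

```python
"""Content-inspection rule for source-code leakage (added example, constructed data)."""
import base64
import binascii
import re
from dataclasses import dataclass, field

# Hypothetical standard header placed at the top of every source file in this
# scenario. The character class between phrases tolerates comment leaders
# such as " * " or "# " so the header is still found inside a comment block.
HEADER_RE = re.compile(
    r"Copyright \(c\) \d{4} Example Corp\.[\s*#/]+All rights reserved\.[\s*#/]+CONFIDENTIAL",
    re.I,
)

# Weak, language-agnostic signals that a blob is program text. None is
# conclusive on its own; the verdict depends on how many coincide.
CODE_SIGNALS = [
    ("include/import", re.compile(
        r"^\s*(#include\s*[<\"]|import\s+[\w.]+|from\s+[\w.]+\s+import\b)", re.M)),
    ("definition", re.compile(r"\b(def|class|function|struct|void|int)\s+\w+\s*[({:]")),
    ("braces/semicolons", re.compile(r"[;{}]\s*$", re.M)),
    ("line comment", re.compile(r"^\s*(//|#|/\*|\*)\s*\S", re.M)),
]


@dataclass
class Verdict:
    action: str                      # "block", "report" or "allow"
    reasons: list = field(default_factory=list)


def _maybe_base64(text):
    """Return the decoded text if `text` is one base64 blob, else None."""
    stripped = "".join(text.split())
    if len(stripped) < 40 or len(stripped) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+=*", stripped):
        return None
    try:
        return base64.b64decode(stripped, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def inspect(payload, depth=0):
    """Classify an outbound payload.

    Header present -> block; two or more code signals -> block; exactly one
    signal -> report only; otherwise allow. Base64 wrappers are unwrapped
    (at most twice) and noted in the reasons so the audit trail shows why.
    """
    decoded = _maybe_base64(payload)
    if decoded is not None and depth < 2:
        inner = inspect(decoded, depth + 1)
        inner.reasons.insert(0, "base64-encoded content")
        return inner
    if HEADER_RE.search(payload):
        return Verdict("block", ["standard source header present"])
    hits = [name for name, rx in CODE_SIGNALS if rx.search(payload)]
    if len(hits) >= 2:
        return Verdict("block", hits)
    if hits:
        return Verdict("report", hits)
    return Verdict("allow")


# Constructed sample payloads, one per verdict path.
SAMPLES = {
    "email": "Hi Bob, the meeting moved to 3pm. Can you bring the Q3 slides?\nThanks, Alice",
    "c_file": (
        "/*\n * Copyright (c) 2024 Example Corp. All rights reserved.\n"
        " * CONFIDENTIAL\n */\n#include <stdio.h>\nint main(void) { return 0; }\n"
    ),
    "note": "Run the following on the build host:\n# make sure the cache is clean\nmake clean && make",
}
# A headerless Python snippet wrapped in base64, as an attachment body might be.
SAMPLES["b64_py"] = base64.b64encode(
    b"import os\n\ndef main():\n    print(os.getcwd())\n").decode()

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        v = inspect(payload)
        print(f"{name:8s} -> {v.action:6s} {v.reasons}")
```

In a real deployment the header regex is the high-precision rule and the generic signals are the low-precision backstop; tune the "report" tier against real outbound traffic before letting it block, and log every verdict with its reasons so analysts can see which rule fired.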
Well, it's more of an answer about design philosophy than actual architecture, but you seem to have a decent idea of what you want to accomplish. I find it's best practice to not only have a written policy, but to design the system to make violating the policy difficult (if not impossible). For example, if only certain machines are allowed to connect directly to a critical server, then surround the critical server with ACLs or a server-local firewall to only allow connections from those machines.
Regarding your bullet points:
- I advise against allowing unrestricted internet access. At a minimum, use a firewall-enforced proxy requirement or WCCP. Default deny with a whitelist is best.
- VPNs are great if you truly want to allow (or want to manage) unfettered access from the outside of your network; if you really only want to allow specific types of connections, then I consider VPN overkill and unnecessarily hazardous.
- I'm a fan of sandboxes for developers to play in; ours connects to a separate internet access and is on the other side of a production-level firewall from the rest of the network.
- Patching and secure passwords should be a minimum in any and all environments...period.
- Encryption is fine, but you will need to manage the encryption method with an eye towards failure; i.e., what happens when you absolutely have to get access to the code but the guy who has the passwords is on vacation? If you need suggestions here, let me know and I'll add how I manage this...it's kinda convoluted, but effective.
- You might be interested in a NAC-type solution for the last point as a method of forcing authentication and allowing you to audit who copies what where. You can also do things like disallow USB devices, which are proving to be a real danger to private data.
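The encryption point above, that the design must survive the one key holder being on vacation, is the classic argument for threshold key escrow: split the repository key so that any k of n custodians can reconstruct it, but fewer than k learn nothing. The answerer says they manage this with their own method and does not describe it, so the following is an added example of one standard approach (Shamir secret sharing over a prime field), not the answerer's scheme and not code from the thread. The prime, the share counts and the sample key are assumptions chosen for the example; the arithmetic is the textbook construction.

```python
"""Threshold key escrow with Shamir secret sharing (added example, constructed data)."""
import secrets

# A Mersenne prime large enough that a 64-byte key fits as one field element.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with coefficients coeffs (coeffs[0] = secret)
    at x modulo PRIME, using Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, n, k):
    """Split an integer secret into n shares; any k of them reconstruct it.

    The secret is the constant term of a random degree k-1 polynomial and
    each share is the point (x, f(x)) for x = 1..n.
    """
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a non-negative integer below PRIME")
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange-interpolate the shares at x = 0 to recover the constant term.

    With k or more correct shares this returns the secret; with fewer it
    returns an unrelated value, which is the whole point of the scheme.
    """
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def escrow_key(key, n, k):
    """Convenience wrapper: split a raw key (bytes, up to 64) into n shares."""
    if len(key) > 64:
        raise ValueError("key too long for this field")
    return split_secret(int.from_bytes(key, "big"), n, k)


def recover_key(shares, key_len):
    """Inverse of escrow_key: rebuild the raw key from any k shares."""
    return recover_secret(shares).to_bytes(key_len, "big")


if __name__ == "__main__":
    # Constructed example: a 32-byte repository key held by five custodians,
    # any three of whom can reconstruct it.
    repo_key = secrets.token_bytes(32)
    shares = escrow_key(repo_key, n=5, k=3)
    print("3 of 5 shares recover the key:", recover_key(shares[1:4], 32) == repo_key)
    print("2 of 5 shares do not:        ", recover_key(shares[:2], 32) == repo_key)
```

Shares should be handed to custodians over separate channels and stored apart from each other and from the encrypted repository; the k-of-n choice is what turns "the one person with the password is away" from an outage into a routine recovery involving any k colleagues.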