Product Development and security in the enterprise

["Smith, KC" <ksmith () systemsalliance com>]

All,

Any advice from the collective wisdom of the list would be greatly
appreciated.

I manage a software development group that includes development staff,
QA and the help desk.

In the current network configuration all desktops and servers are in the
same subnet.  

Our sys admin has recently installed and configured MS Auto Update
Server and wants to force all machines to update automatically.

While I support this type of solution for distribution of critical
patches to the enterprise, I have a problem with my QA and dev machines
being changed out from underneath us.

I'm less concerned with the development machines, but the QA machines
have established baselines when it comes to installed software,
including patches.

I've suggested creating a network architecture that would allow my QA
boxes to remain pristine while allowing all other machines in the
enterprise to be updated.

How do other organizations handle this?

Can a screened subnet of some sort be used to isolate the QA machines?

Any other thoughts?

Thanks in advance
KC Smith

---------------------------------------------------------------------------
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security to
simplify the management and deployment of PGP and reduce overall PGP costs
by up to 80%.
FREE WHITEPAPER & 30 Day Trial -
http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027
----------------------------------------------------------------------------