Your answer to my question regarding how to access source code remotely is rather brief and covers information I was aware of and actually partially referred to in the question itself. Perhaps a brief rewording would help:
Looking at it from the code point-of-view only, I would agree that the VPN is likely the better solution, though SOS would make an equivalent claim. However, I'm considering the security ramifications of my network as a whole, weighing those against the security of the code. Basically, is the security offered by a VPN enough to guard the entire network against intrusion versus putting a machine outside the network and using the SourceOffsite solution or one like it?
The best overall security solution for this question would be placement of the Source Safe in a DMZ that would only be used for this project and external connections. Connection to this device should be done through a VPN or some form of IPSec. This would provide point-to-point security.
Additional considerations should be how you will update the internal source safe systems from this DMZ device. I do not recommend a direct link between systems or placement of other source safe code in the DMZ. In other words, only place what is absolutely necessary in the DMZ. Also, don't forget the end user computers must be properly patched, run antivirus software and some sort of personal firewall -- maybe even an IDS to ensure no one is coming into the user computer then using it to back door the company in question.
Finally, this entire setup should use event logging, IDS and firewalls to control access to the DMZ device and beyond. Audit, audit, audit and audit more to ensure everything is working fine.
For more information on this topic, visit these other SearchSecurity.com resources:
Best Web Links: Demilitarized zones
Ask the Expert: Role and placement of DMZ on a network
Infosec Know IT All Trivia: Demilitarized zones
This was first published in February 2003