Network Monitoring in a Firewall Complex


I have been tasked with architecting a network monitoring/backup solution
for systems which reside within a firewall complex. The firewall uses a
compartmentalized approach by placing systems which perform similar
functions in the same protective zone. I have some ideas on how to
accomplish this.

I am leaning toward placing an additional interface into all of the systems
and creating a management network. The management network would need to
maintain the compartmentalization approach so that a security failure on one
system would not allow the management network to be used as a path of attack
to other systems. Theoretically I believe I could use a multilayer switch
to control traffic between the interfaces on the management
network while allowing for the management/backup servers to route to each
target host. The management network would also allow backups and other
management activities without impacting the bandwidth of the production

I would prefer not to design this in a vacuum and was
wondering how others have done this or any pitfalls if anyone has tried the
management network. The solution needs to be scalable and manageable. As
this falls within the realm of network security I am not sure how
forthcoming people will feel but I
would appreciate any and all assistance that you might be willing to
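The design sketched in the post (a second interface per host, one management VLAN per zone, a multilayer switch enforcing that only the management/backup servers may open sessions, and that a compromised host cannot use the management network to reach other zones) can be expressed as an explicit policy and checked before it is committed to switch ACLs. The following is an added example written for this thread, not code from the poster or from Cisco SAFE; the addressing plan, zone names, and port list are constructed assumptions, and the `permitted` function stands in for the switch's stateful ACL.

```python
"""Policy model for a compartmentalized out-of-band management network.

Constructed example (not from the original post). Assumptions:
  - every managed host has a second interface in a per-zone management VLAN
    (one /24 per zone below, a constructed addressing plan);
  - a multilayer switch applies a stateful ACL between those VLANs and the
    VLAN holding the management/backup servers;
  - policy: management servers may initiate sessions to any managed host on
    the listed ports; return traffic for those sessions is allowed; managed
    hosts may initiate nothing on the management network, neither toward
    other zones nor toward the management servers.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    # True when the packet belongs to a session the switch already accepted
    # (reply direction of a management-server-initiated session).
    established: bool = False


# Constructed addressing plan: one management /24 per protective zone.
ZONES = {
    "mgmt-servers": ip_network("10.99.0.0/24"),
    "web-zone": ip_network("10.99.1.0/24"),
    "app-zone": ip_network("10.99.2.0/24"),
    "db-zone": ip_network("10.99.3.0/24"),
}
MGMT_SERVER_ZONE = "mgmt-servers"
# Ports the management servers need on each host (constructed values):
# SSH, SNMP, and a hypothetical backup-agent port.
ALLOWED_DPORTS = {22, 161, 10000}


def zone_of(addr: str) -> Optional[str]:
    """Map a management-network address to its zone, or None if unknown."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def permitted(flow: Flow) -> bool:
    """Return True if the switch ACL would forward this packet."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return False  # default deny for anything outside the plan
    if flow.established:
        # Reply traffic is only ever host -> management server.
        return dst_zone == MGMT_SERVER_ZONE and src_zone != MGMT_SERVER_ZONE
    # New sessions: only from management servers, into a managed zone,
    # on an approved port. Hosts never initiate, across zones or upward.
    return (
        src_zone == MGMT_SERVER_ZONE
        and dst_zone != MGMT_SERVER_ZONE
        and flow.dport in ALLOWED_DPORTS
    )


def lateral_reach(compromised: str) -> List[str]:
    """Zones into which a compromised host could open a new session over
    the management network. An empty list means the compartmentalization
    holds for that host; probes on some common ports beyond the allowed set
    are included so that the check is not tied to ALLOWED_DPORTS alone."""
    probe_ports = ALLOWED_DPORTS | {445, 3389}
    reached = []
    for name, net in ZONES.items():
        target = str(next(net.hosts()))  # first usable address in the zone
        if any(permitted(Flow(compromised, target, p)) for p in probe_ports):
            reached.append(name)
    return reached


if __name__ == "__main__":
    # A compromised web host should reach no other zone over management.
    print("web host lateral reach:", lateral_reach("10.99.1.20"))
    # The management server itself can reach every managed zone.
    print("mgmt server reach:", lateral_reach("10.99.0.10"))
```

Running the model answers the question the post raises before any ACL is written: a compromised host in `web-zone` gets an empty reach list, while the management server reaches every managed zone and nothing in its own VLAN. The same structure also makes the residual risk visible, since the management servers are the one point that can reach everything and therefore deserve the strictest hardening and monitoring in the design.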

See the approach described in the Cisco SAFE blueprint, this could be useful
for you.

Frédéric Déry