See the approach described in the Cisco SAFE blueprint; this could be useful for you.
http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/safe_wp.htm

Frédéric Déry

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Tim Lund
Sent: 21 March 2001 12:46 PM
To: nanog@merit.edu
Subject: Network Monitoring in a Firewall Complex

All,

I have been tasked with architecting a network monitoring/backup solution for systems which reside within a firewall complex. The firewall uses a compartmentalized approach by placing systems which perform similar functions in the same protective zone.

I have some ideas on how to accomplish this. I am leaning toward placing an additional interface into all of the systems and creating a management network. The management network would need to maintain the compartmentalization approach so that a security failure on one system would not allow the management network to be used as a path of attack to other systems. Theoretically I believe I could use a multilayer switch to control traffic between the interfaces on the management network while allowing for the management/backup servers to route to each target host. The management network would also allow backups and other management activities without impacting the bandwidth of the production network.

I would prefer not to design this in a vacuum and was wondering how others have done this or any pitfalls if anyone has tried the management network. The solution needs to be scalable and manageable.

As this falls within the realm of network security I am not sure how forthcoming people will feel but I would appreciate any and all assistance that you might be willing to provide.
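The thread asks whether a multilayer switch can keep a management network compartmentalized. The following is an added example, not code from either poster or from the Cisco SAFE document: a small Python model of per-VLAN inbound ACLs on such a switch, with one management VLAN per protective zone and the backup/monitoring server in its own VLAN. It then checks the invariant the original message states, namely that the server reaches every managed host on the management services while no managed host can reach another. All addresses, zone names and service ports are constructed for the example. The model also captures a pitfall that ACLs alone do not cover: two hosts in the same management VLAN are switched at layer 2 and never hit the routed ACL, so they remain mutually reachable unless the ports are isolated (a private VLAN or equivalent).

```python
"""Model of inbound ACLs on a multilayer switch fronting a zoned management network.

Added example (not from the NANOG thread): checks that the backup/monitoring server
can reach every managed host, and that no managed host can use the management
network to reach another. Addresses, zones and ports are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One entry of an extended ACL; first match wins, unmatched traffic is denied."""
    action: str                  # "permit" or "deny"
    src: str                     # source prefix, CIDR
    dst: str                     # destination prefix, CIDR
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # destination port, None means any

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


def acl_permits(rules: List[Rule], src: str, dst: str, proto: str, dport: int) -> bool:
    """Evaluate an ACL top to bottom; falling off the end is the implicit deny."""
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.action == "permit"
    return False


ANY = "0.0.0.0/0"
MGMT_SERVER = "10.99.0.10"            # backup/monitoring server (constructed)
VLANS = {                             # one management VLAN per protective zone (constructed)
    "mgmt": "10.99.0.0/24",
    "web":  "10.99.1.0/24",
    "app":  "10.99.2.0/24",
    "db":   "10.99.3.0/24",
}
HOSTS = {                             # management-interface address -> zone (constructed)
    MGMT_SERVER: "mgmt",
    "10.99.1.11": "web", "10.99.1.12": "web",
    "10.99.2.21": "app", "10.99.2.22": "app",
    "10.99.3.31": "db",
}
# Services the server needs to open towards managed hosts: ssh, SNMP, a backup agent
MGMT_SERVICES: List[Tuple[str, int]] = [("tcp", 22), ("udp", 161), ("tcp", 10000)]


def inbound_acl(vlan: str) -> List[Rule]:
    """ACL applied inbound on the VLAN's routed interface, i.e. to packets its members send."""
    if vlan == "mgmt":
        # The server may open management sessions into every zone, and nothing else.
        rules = [Rule("permit", MGMT_SERVER + "/32", VLANS[zone], proto, port)
                 for zone in VLANS if zone != "mgmt"
                 for proto, port in MGMT_SERVICES]
        return rules + [Rule("deny", ANY, ANY)]
    # Managed hosts may only talk back to the server (replies, syslog, agent callbacks).
    return [Rule("permit", VLANS[vlan], MGMT_SERVER + "/32"), Rule("deny", ANY, ANY)]


def reachable(src: str, dst: str, proto: str, dport: int, isolated_ports: bool) -> bool:
    """Can src deliver a packet to dst across the management network?

    Same-VLAN traffic is switched at layer 2 and never sees the routed ACL; only
    port isolation blocks it. Inter-VLAN traffic is routed and filtered by the
    inbound ACL of the source VLAN.
    """
    src_vlan, dst_vlan = HOSTS[src], HOSTS[dst]
    if src_vlan == dst_vlan:
        return not isolated_ports
    return acl_permits(inbound_acl(src_vlan), src, dst, proto, dport)


def violations(isolated_ports: bool) -> List[Tuple[str, str]]:
    """Pairs of managed hosts where one can reach the other on any management service."""
    managed = [h for h in HOSTS if h != MGMT_SERVER]
    return [(s, d) for s in managed for d in managed if s != d
            and any(reachable(s, d, p, port, isolated_ports) for p, port in MGMT_SERVICES)]


def server_coverage_gaps(isolated_ports: bool) -> List[str]:
    """Managed hosts the server cannot reach on every management service."""
    return [h for h in HOSTS if h != MGMT_SERVER
            and not all(reachable(MGMT_SERVER, h, p, port, isolated_ports)
                        for p, port in MGMT_SERVICES)]


if __name__ == "__main__":
    for isolated in (False, True):
        print(f"port isolation={isolated}: host-to-host paths={len(violations(isolated))}, "
              f"hosts unreachable by server={server_coverage_gaps(isolated)}")
```

Running the block shows the difference between the two designs: with a flat VLAN per zone the ACLs stop cross-zone traffic but hosts within a zone can still reach each other, so a compromise of one web host exposes the other over the management network; with port isolation switched on the only paths left are server to host and host to server.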