Firewall Wizards mailing list archives

firewall management


From: "Ogrodnek, Larry" <Larry.Ogrodnek () dowjones com>
Date: Thu, 28 Oct 1999 10:39:18 -0400

Hi.  I am wondering how the rest of you are handling firewall management,
specifically for firewalls that are on the external side of the DMZ.

We have a fairly typical DMZ configuration, firewall A connected to the
internet, DMZ in between, firewall B connected to our internal network (In
reality, there are many A's and B's, and there are also other devices across
other networks that we would like to monitor).  The rules on the firewall B
are allow anything out, deny everything in.  This leaves us in an
interesting position.  How do we allow firewall A to send SNMP information,
etc, to a monitoring station on the inside?

As far as I can see, we have a few choices.

a) allow SNMP traffic inbound on firewall B (I'm not too fond of this).
b) build a separate management LAN.  Every firewall would have an extra
interface connected to this special LAN where a monitoring station could
sit.  Is this a good idea?  Is anyone else doing this?
c) just bite the bullet and have a separate monitoring station for each
network.

Are there any other choices?  Any thoughts?

thanks,
larry


