As we are all concerned about security and don't like unnecessary work, there usually is some kind of SSH Service on all the machines, which means just one more open port to be attacked on.
The idea: Add another network interface to each box in the DMZ and put them into a private IP-network. Use this network for administration purpose only.
[snip]
Would this setup provide any benefit regarding security, provided that there is proper configuration?
Yes, of course it would, since you're separating the path of administrative access from the more or less public production infrastructure physically. Physical separation is always more secure than logical separation, by the very principle. In fact, I often recommend this type of architecture, though it is often too late and many shops find it too cumbersome to not be able to perform system administration from their desktop in the private LAN. The sysadmin network is the logical place to put syslog, backup, NTP and other servers as well, which serve your DMZ machines but needn't (and shouldn't) be accessible to others. You achieve even more security by employing point-to-point links between the DMZ machines and the those in the management network. Since this becomes impractical quickly if performed based on physical distinction, I often recommend the use of end-to-end IPSec within the management network. NB: The sysadmin network must not be connected to the internal network. Tobias