If you meant that your CSS is not protected by the Firewall, then you are right to want to lock it down as much as possible. Using the physical management interface on a SEPARATE (out of band) LAN connection which in turn is only accessable from firewalled connection inside of DMZ would be appropriate.
Getting Started
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: