IDS and IPS Placement

kiki162kiki162 Member Posts: 635 ■■■■■□□□□□
Ok this question is for all you network and security admins out there.

I'm trying to understand where you place an IDS and IPS throughout the network.

My initial understanding for NIDS placement is in Front of Perm FW, between FW and Border Router, between Perm FW and DMZ, and between FW and Internal Network

What is the typical best practice?


  • 636-555-3226636-555-3226 Member Posts: 975 ■■■■■□□□□□
    If that's a multiple choice question I'd vote for between FW and Internal Network. Let the firewall drop the external garbage & the IPS filter out the rest in/out
  • kiki162kiki162 Member Posts: 635 ■■■■■□□□□□
    I understand the Internal placement, it's more at the perimeter.

    I have access to SANS On Demand, and the doc says one in front of the perm FW, and the audio says after the perm FW, but mentions that there is really no point in having the IDS in front of the FW.

    Just want to see if anyone else had opinions on this.
  • dhay13dhay13 Member Posts: 580 ■■■□□□□□□□
    having an IDS outside the firewall is only good for seeing what your firewall is seeing and stopping. more for information gathering than anything else. i really don't see much point in it other than that. internally it really depends on your network and what you are trying to achieve (separate VLANs or HIPS installed on individual servers, etc)
  • DragonNOA1DragonNOA1 Member Posts: 149 ■■■□□□□□□□
    We have our IPS surrounding our firewall. From the outside, it blocks exploits against the firewall itself and on the inside we see internal IP's of who is infected/compromised.
    The command line, an elegant weapon for a more civilized age
Sign In or Register to comment.