Having run an IDS on the outside of our firewall with a busy network, I'm confident in saying you don't want it out there. Let the firewall block the simple attacks and have the IDS tell you about those that aren't so simple. Firewall logs will give you a good idea of what's being blocked. You don't need this information a second time. I understand there are things the IDS would give a different perspective on, but unless you have a person dedicated to the administration and and monitoring of the IDS, all the alerts would become useless as the system would be ignored.
>>> "Tim O'Brien" 07/11/02 09:22AM >>> If you are going to look at it that way you should run host based IDS on the servers you are protecting from your inside clients and run your IDS sensor between your edge router and firewall to see what is happening outside. Tim CCIE 9015 -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of sam sneed Sent: Thursday, July 11, 2002 11:41 AM To: [EMAIL PROTECTED] Subject: Re: Placement of IDS [7:48420] I wouldn't want to put it in both places. If I did I'd have to deal with false positives twice. With all the other responsibilities I have it would take up too much of my time. I do trust my firewall so I think I'll keep it inside. ""Brad Nixon"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > The easy answer to your question is "It depends". Do you trust your > firewall? Do you trust your internal users? The best solution would be to > have an IDS on each side of your firewall. That way you could detect both > external and internal threats. > > -- > Brad A. Nixon > CCNP, CCDA, MCP, CCSA > "Nothing is fool proof to a sufficiently talented fool." Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=48622&t=48420 -------------------------------------------------- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]