> The background to this is that I want to implement an IDS on a > network which has an incoming/outgoing Internet connection for > all users. There is currently a firewall protecting this > connection, but I want to know whether I should locate the IDS in > front of or behind the firewall? Should the IDS be placed in a DMZ or not?
I'm not a white paper, but the authoritative answer to your question is: it depends. There are reasons to put your IDS in any or all of these locations. If you want to see all the attacks coming at your network, then put it in front of the firewall. If you want to know what's getting through (good to know) and if there's any nasty business going on across your lan, then put it behind the firewall. So you need to decide what it is you're watching for, that'll tell you where to put it.
