So, over the years I've worked in a number of places where IDSs are placed in different areas around firewalls on the edge.
I've debated with bosses, colleagues, and other people about the best place on the edge to place an IDS.
1. Outside the firewall
- You can see possible attacks hitting your firewall
- You can see traffic leaving your network when it's not supposed to
- You can use the IPS (if inline) to block bad traffic before hitting your firewall to save firewall resources (DDoS)
- Lots of false positives
- Need a beefier IDS/IPS because you are seeing all traffic, not just the stuff that made it past your firewall
2. Inside the firewall
- You only see possible successful attacks inbound
- Firewall protects the IDS from DDoS attacks
- You don't see possible attacks from the outside hitting your firewall
(This isn't an exhaustive list)
Now, a common misconception:
If you have your IDS on the outside of your firewall, you will see attacks that hit your firewall. Let's think about this. If your firewall blocks packets to ports you don't allow - what kind of actual traffic are you going to see?
1. TCP ACK
2. Non-TCP Traffic
So, really, you'll never see any attack that happens over TCP because the handshake can never complete. Then, when you start looking at the UDP/ICMP etc. packets, you may start getting heart attacks and running to your firewall admins thinking some traffic is getting past the firewall.
If you're going to implement IDS/IPS, this is how I recommend it gets set up:
1. Put it inline AFTER your firewall - don't use a SPAN port or a tap.
2. Use a TAP (not a SPAN port, unless you can specify traffic direction) before the firewall and only pass the OUTBOUND traffic to the IDS/IPS.
This will give you a good indication of what has made it past your firewall, inbound and outbound.
I know what you're going to say. "But what about possible attacks against our network, we want to detect that..."
You're logging all traffic passing your firewall right?
Including dropped packets inbound?
You implemented some way to monitor those right?
This way, you'll be able to detect inbound brute force and mapping attacks - the only thing you'll miss is UDP/ICMP attack packets - but I figure that's a fair trade-off.
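As an added example (not from the original post), here is a small Python detector that does what the last paragraph describes: it reads the firewall's own dropped-inbound log lines and flags mapping (one source, many distinct ports) and brute force (one source, one port, many hits). The `FW-DROP` log prefix, the thresholds and the sample addresses are assumptions; the log lines are constructed in the iptables LOG format.

```python
"""Detect inbound port sweeps and brute force from firewall DROP logs."""
import re
from collections import defaultdict

# Fields we need from an iptables-style LOG line; the "FW-DROP" prefix is assumed.
LOG_RE = re.compile(
    r"FW-DROP .*?SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+)(?: .*?DPT=(?P<dpt>\d+))?"
)

def parse_drop(line):
    """Return (src, proto, dpt) for a dropped-packet log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    dpt = int(m.group("dpt")) if m.group("dpt") else None
    return m.group("src"), m.group("proto"), dpt

def analyse(lines, scan_ports=10, brute_hits=20):
    """Flag sources touching many distinct ports (mapping) or hammering one port (brute force)."""
    ports_by_src = defaultdict(set)
    hits_by_src_port = defaultdict(int)
    for line in lines:
        parsed = parse_drop(line)
        if parsed is None:
            continue
        src, proto, dpt = parsed
        if proto not in ("TCP", "UDP") or dpt is None:
            continue  # ICMP carries no port; that is the blind spot the text accepts
        ports_by_src[src].add((proto, dpt))
        hits_by_src_port[(src, proto, dpt)] += 1
    scanners = {s for s, p in ports_by_src.items() if len(p) >= scan_ports}
    brute = {key for key, n in hits_by_src_port.items() if n >= brute_hits}
    return scanners, brute

def constructed_log():
    """Constructed sample DROP lines: one port sweep, one SSH brute force, one benign miss."""
    tmpl = ("Mar  3 10:00:{sec:02d} fw kernel: FW-DROP IN=eth0 OUT= SRC={src} "
            "DST=198.51.100.10 PROTO={proto} SPT=40000 DPT={dpt} SYN")
    lines = [tmpl.format(sec=i % 60, src="203.0.113.5", proto="TCP", dpt=20 + i) for i in range(25)]
    lines += [tmpl.format(sec=i % 60, src="203.0.113.9", proto="TCP", dpt=22) for i in range(30)]
    lines += [tmpl.format(sec=i, src="192.0.2.7", proto="TCP", dpt=443) for i in range(2)]
    lines.append("Mar  3 10:01:00 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.9 "
                 "DST=198.51.100.10 PROTO=ICMP TYPE=8 CODE=0")
    return lines

if __name__ == "__main__":
    scanners, brute = analyse(constructed_log())
    print("port sweep from:", sorted(scanners))
    print("brute force:", sorted(brute))
```

Tune `scan_ports` and `brute_hits` to your own baseline of dropped traffic; the thresholds here are only illustrative.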