Network Security

Question 7

When and why would you place an IDS before a firewall system?

If you are using a simple screening router on the outside of the network to filter traffic by port, it can be useful to place an IDS between the router and the firewall to detect cases where traffic intended for other services is being passed through the ports the router leaves open.
Placing an IDS here also provides a good source of information and evidence in the event of the system being compromised.
But leaving a SNORT sensor outside the firewall can increase the false positive rate and makes the sensor itself more exposed to attack.

When and why would you place an IDS after a firewall system?

Placing SNORT on the inside of a firewall can help to validate that the firewall is in fact functioning correctly, i.e. keeping out all unwanted traffic. Its rules should be configured in accordance with the firewall policy itself.
It is also worthwhile putting SNORT inside the network to monitor different subnets (for example a DMZ) and sensitive areas (such as databases, email servers and internal DNS servers). The internal complexity of a network can leave some stations outside the view of any network sensor, in which case a host-based IDS may be preferable.
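The two placements described above correspond to two different checks a sensor can run. As an added example (not part of the original notes, and not Snort's own rule syntax), the Python below implements both over constructed flow records: a sensor outside the firewall flags traffic on a port the router leaves open whose payload does not look like the protocol that port implies, and a sensor inside the firewall flags any flow that the firewall policy says should never have reached it. The protocol matchers, flow format, IP addresses and the allowed-port policy are all simplified assumptions made for the example.

```python
"""
Added example: two IDS checks that depend on where the sensor sits relative
to the firewall. Flow records, policy and protocol matchers are constructed
for illustration and are not taken from any real sensor or rule set.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    first_bytes: bytes  # leading bytes of the client's first payload


# Simplified, hypothetical protocol matchers for ports a screening router
# commonly leaves open. A real sensor would do full protocol decoding.
def looks_like_http(p: bytes) -> bool:
    return p.split(b" ", 1)[0] in {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}


def looks_like_tls(p: bytes) -> bool:
    # TLS record header: content type 0x16 (handshake), major version 0x03
    return len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03


def looks_like_smtp(p: bytes) -> bool:
    return p[:4].upper() in {b"EHLO", b"HELO"}


EXPECTED_ON_PORT = {80: ("HTTP", looks_like_http),
                    443: ("TLS", looks_like_tls),
                    25: ("SMTP", looks_like_smtp)}


def port_abuse_alerts(flows):
    """Sensor between the screening router and the firewall: for flows to
    ports the router passes, report those whose payload does not match the
    protocol the port implies (something else riding through an open port)."""
    alerts = []
    for f in flows:
        if f.dport in EXPECTED_ON_PORT:
            name, matcher = EXPECTED_ON_PORT[f.dport]
            if not matcher(f.first_bytes):
                alerts.append(f"{f.src} -> {f.dst}:{f.dport} expected {name}, "
                              f"got {f.first_bytes[:8]!r}")
    return alerts


def firewall_leak_alerts(flows, allowed_ports):
    """Sensor inside the firewall: a flow to a port the policy does not allow
    should never be visible here, so each one is evidence the firewall is
    not enforcing its policy."""
    return [f"{f.src} -> {f.dst}:{f.dport} not permitted by firewall policy"
            for f in flows if f.dport not in allowed_ports]


# Constructed sample flows (documentation-range addresses).
OUTSIDE_FLOWS = [
    Flow("203.0.113.10", "192.0.2.5", 80, b"GET /index.html HTTP/1.1\r\n"),
    Flow("203.0.113.11", "192.0.2.5", 443, bytes([0x16, 0x03, 0x01, 0x02, 0x00])),
    Flow("203.0.113.12", "192.0.2.5", 80, b"SSH-2.0-OpenSSH_9.6\r\n"),  # SSH on port 80
    Flow("203.0.113.13", "192.0.2.6", 25, b"EHLO mail.example.net\r\n"),
]
INSIDE_FLOWS = [
    Flow("203.0.113.10", "192.0.2.5", 80, b"GET / HTTP/1.1\r\n"),
    Flow("203.0.113.14", "192.0.2.7", 3306, b"\x4a\x00\x00\x00\x0a"),  # DB port from outside
]
FIREWALL_ALLOWED_INBOUND = {80, 443, 25}  # hypothetical firewall policy

if __name__ == "__main__":
    for line in port_abuse_alerts(OUTSIDE_FLOWS):
        print("[outside]", line)
    for line in firewall_leak_alerts(INSIDE_FLOWS, FIREWALL_ALLOWED_INBOUND):
        print("[inside] ", line)
```

The outside check is where the extra false positives mentioned above come from: every unusual but legitimate client on port 80 trips the same matcher, whereas the inside check is much quieter because anything it reports is a direct contradiction of the firewall policy.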