I analyzed my network architecture and decided to have two IDSes, i.e. one behind the firewall and one behind a router. We can implement Snort in our network and play with it. But I have to implement the same IDS on our client's network, which is a similar architecture to ours. But, we can't implement Snort on their end, because they want to have a beautiful graphical interface. They want it to alarm them, show them nice graphical logs of intruders and stuff like that. I was going through reports at www.nss.co.uk. They have a high rating for Cisco IDS and NFR. But, I read about an attack that was missed by Cisco IDS. So I think I shouldn't recommend Cisco IDS. Since it's very expensive and we aren't getting all the stuff, what's the use? What do you suggest then? What is second best after Snort? There are some problems with NFR too. What do you say about this scenario?
First, the IDS should be designed with the network infrastructure, the business requirements and the budget in mind. IDSs should not be installed simply because someone saw an advertisement in a magazine or book. Instead, the IDS should meet the company's needs.
Your placement sounds correct, but since I have not seen the architecture, I cannot recommend yes or no. Your placement is typical in the industry.
As for Snort, it is an excellent product and will do the job. If your client doesn't like opensource/freeware, the loss is theirs. I prefer (in this order) Dragon, Snort, ISS and NFR, but that's not the concrete rule. As I said, the choice must fit the company. Cisco Netranger (or whatever they are calling it) is limited, and I do not recommend its use unless you supplement it with another IDS. Dragon will provide excellent reports, but you need to know Unix, Apache and some database (not a problem, right!).
Remember, NFR is releasing the next generation of products that will ease their use, so you may want to reconsider them. If you are working for a client, then I assume you will have little choice. I recommend you fit their business requirements to the best of your ability.
Hope that answers some of your questions.