
Correct Placement of IDS/IPS in network architecture



I would like to confirm the apt placement of IDS/IPS, whether it should be before or after the firewall. I have two Cisco IPS devices which inspect packets up to layer 7 and which sit in front of the firewall; hence, after inspection of the traffic for malicious content, the traffic is further passed on to the two firewalls, which perform layer 4 inspection and deny traffic based on the configured access-list.


Hence, as per my knowledge, the IDS/IPS should be after the firewall, so only legitimate traffic will be inspected, which will further reduce the load on the IDS as well.

However, I was advised that in order to protect the firewall from attacks, the IPS is installed in front of the firewall.



2 Replies

Marvin Rhoads
VIP Community Legend

One can make an argument either way in certain use cases, but the generally accepted practice is to put an IDS/IPS after the firewall (from the point of view of incoming traffic, i.e. closer to the interior or private network).

Firewalls are generally designed to be on the network perimeter and can handle dropping a lot of the non-legitimate traffic (attacks, scans etc.) very quickly at the ingress interface, often in hardware.

An IDS/IPS is, generally speaking, doing more deep packet inspections and that is a much more computationally expensive undertaking. For that reason, we prefer to filter what gets to it with the firewall line of defense before engaging the IDS/IPS to analyze the traffic flow.

In an even more protected environment, we would also put a first line of defense in ACLs on an edge router between the firewall and the public network(s).

Nikhil Das

The IPS sits directly in the communication path between the source and the destination; it analyzes traffic and takes actions like sending alerts, dropping malicious packets, blocking traffic, and resetting connections. Because of this, an IPS can degrade your network performance if it hasn't been configured correctly. Your IPS will generally be placed at an edge of the network, such as immediately after a firewall/router, or in front of a server farm. Position the IPS where it will see the bare minimum of traffic it needs to in order to keep performance issues under tight control.

The IDS is a passive system that scans internal network traffic and reports back about potential threats. The most obvious location is at the network perimeter, just inside the firewall.
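Both replies make the same load argument: a cheap layer 4 ACL in front of the IPS means the expensive layer 7 inspection only runs on traffic that would be allowed anyway. The small simulation below is an added example (not code from the thread or from Cisco) that runs constructed sample traffic through both orderings and counts how many deep inspections the IPS performs; the ACL ports and the IPS signature are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dport: int
    payload: bytes

# Constructed sample traffic: two legitimate web requests, three port probes
# the firewall ACL would drop, and one web request carrying a path-traversal
# string that only layer 7 inspection can catch.
SAMPLE_TRAFFIC = [
    Packet("203.0.113.5", 443, b"GET /index.html HTTP/1.1"),
    Packet("203.0.113.5", 80, b"GET /login HTTP/1.1"),
    Packet("198.51.100.9", 23, b"\xff\xfb\x01"),            # telnet probe
    Packet("198.51.100.9", 3389, b"\x03\x00\x00\x13"),       # RDP probe
    Packet("192.0.2.77", 80, b"GET /../../etc/passwd HTTP/1.1"),  # traversal on an allowed port
    Packet("192.0.2.77", 22, b"SSH-2.0-scanner"),            # SSH probe
]

ALLOWED_PORTS = {80, 443}        # hypothetical layer 4 access-list on the firewall
SIGNATURES = [b"/../../"]        # hypothetical layer 7 IPS signature

def firewall(packets):
    """Layer 4 filter: a cheap port check that drops anything not in the ACL."""
    return [p for p in packets if p.dport in ALLOWED_PORTS]

def ips(packets, stats):
    """Layer 7 inspection: every packet costs a full payload scan; signature hits are dropped."""
    passed = []
    for p in packets:
        stats["deep_inspections"] += 1
        if any(sig in p.payload for sig in SIGNATURES):
            stats["ips_drops"] += 1
        else:
            passed.append(p)
    return passed

def run_chain(order, packets):
    """Run packets through the stages in the given order, e.g. ("fw", "ips")."""
    stats = {"deep_inspections": 0, "ips_drops": 0}
    stages = {"fw": firewall, "ips": lambda ps: ips(ps, stats)}
    for stage in order:
        packets = stages[stage](packets)
    stats["delivered"] = len(packets)
    return stats

if __name__ == "__main__":
    print("IPS before firewall:", run_chain(("ips", "fw"), SAMPLE_TRAFFIC))
    print("firewall before IPS:", run_chain(("fw", "ips"), SAMPLE_TRAFFIC))
```

Both orderings deliver the same two packets and drop the same traversal attempt, but with the firewall first the IPS performs half as many deep inspections, which is the load reduction the replies describe.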
