I was wondering if anyone had a particular opinion on the location of an Intrusion Prevention System (IPS) in a network. Does an IPS normally come before or after a firewall?
Many solid firewalls can be purchased with an IPS module in them, which makes tons of sense, especially when it can detect SQL injections, buffer overflows, scans, URL parsing, certain Web App attacks, and protocol manipulation. So to answer your question, there are two places I would place an IPS for basic coverage: at the firewall (perimeter protection), and at the Distribution/Core switches (scans internal users).
From there, throughput becomes an issue so you'd have to go with a slamming sized IPS in your Data Center because most likely it's going to push 10GE lines.
MS, CCSP, CCNP, CCDP, CEH, CHFI, CPTS
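The answer above argues for two placements because each sees different traffic. The following is an added example (not from the original post or any product): a small Python model of which flows a perimeter IPS and a core IPS would inspect. The zone names, the rule that the DMZ hangs off the core, and the sample flows are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed zone model for the example. Zones in INTERNAL_ZONES are segments
# routed through the distribution/core layer; the DMZ is treated as one of them
# on the assumption that it is a firewall/core leg rather than an internet segment.
INTERNAL_ZONES = frozenset({"users", "datacenter", "dmz"})


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    description: str


def seen_by_perimeter_ips(flow: Flow) -> bool:
    """IPS module on the perimeter firewall: sees only flows crossing the internet edge."""
    return "internet" in (flow.src_zone, flow.dst_zone)


def seen_by_core_ips(flow: Flow) -> bool:
    """IPS at the distribution/core: sees flows routed between internal segments.

    Traffic that stays inside one access segment never reaches the core, so it
    is not inspected by this placement either.
    """
    return (
        flow.src_zone in INTERNAL_ZONES
        and flow.dst_zone in INTERNAL_ZONES
        and flow.src_zone != flow.dst_zone
    )


# Hypothetical placement names mapped to the visibility rule for each.
PLACEMENTS = {
    "perimeter": seen_by_perimeter_ips,
    "core": seen_by_core_ips,
}


def coverage(flows, placements):
    """Map each flow description to the set of placements whose IPS would inspect it."""
    return {
        f.description: {name for name in placements if PLACEMENTS[name](f)}
        for f in flows
    }


def uncovered(flows, placements):
    """Flow descriptions that no IPS in the chosen placements would inspect."""
    return sorted(desc for desc, seen in coverage(flows, placements).items() if not seen)


# Constructed sample flows, one per traffic pattern the answer mentions.
SAMPLE_FLOWS = [
    Flow("internet", "dmz", "inbound web request to DMZ"),
    Flow("users", "internet", "user browsing out"),
    Flow("users", "datacenter", "port scan from user LAN to data center"),
    Flow("dmz", "datacenter", "DMZ host reaching data center"),
    Flow("users", "users", "user-to-user on same access segment"),
]

if __name__ == "__main__":
    for placement_set in (["perimeter"], ["perimeter", "core"]):
        print(placement_set, "-> uncovered:", uncovered(SAMPLE_FLOWS, placement_set))
```

Running it shows the gap the answer is pointing at: with only a perimeter IPS, the internal scan and the DMZ-to-data-center flow are never inspected; adding the core placement closes those, while same-segment traffic stays invisible to both, which is why neither placement replaces host-level controls.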