later prosecution. Your IDP should be a means to check your border router and firewall rules to assure that you are blocking traffic correctly. A good model today is one in which you have multiple modes of operation and an immediate response to an attack.
Shown in Figure 7-4, the correct locations would be inline above the firewall with spanned ports on each DMZ and one on the inside of the firewall. Be sure to add a caveat. A good final response to the interviewer would be that in your experience, the best place for an IDP is the place where you could look at the logs most frequently. Placing an IDP in front of the firewall, you will know what attacks are hitting you, but you will have a lot of data to analyze. In addition to that, the use of NAT on your firewall will make tracking inside addresses difficult. Placing the IDP behind the firewall, the attacks detected are the ones that made it
through your firewall, and you will have a significantly lower number of attacks to analyze. However, in this configuration, you will not have all the information available for trends, which could lead to a false sense of security.