How do some of you set up IDS on your networks? Here's why I ask...

If I decided that my IDS should monitor all network traffic, then all of a sudden my IDS is a high-risk resource. As with a compromised firewall or router, an attacker would have access to heavy traffic.

If you separate multiple IDSs across your network, you would then lower the risk if one were compromised. Or, get rid of them completely and forget about the scenario of them being compromised. But that wouldn't be worth the IDS's benefits, right? What do you think?

Do any of you take that extreme of an approach? If you separate the devices, wouldn't you lose the benefits of a centralized IDS database? I guess you could shoot it all elsewhere, but that's another device with an IP and the same problem exists, even with the opportunity to secure it more.

Example: Operations IDS, R&D IDS, Marketing IDS, Purchasing IDS... Cut off from each other.

So basically, suggestions on types of IDS placement would be good to hear. I'd also like to hear if there's a place for what I suggested earlier, or software that assists that process.

Thanks!
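One way to keep the central database the post asks about while limiting what a single compromised segment sensor can do, as an added example that is not part of the original post or any particular IDS product: each segment sensor (Operations, R&D, Marketing) gets its own key and is only allowed to report on its own address range, and the collector rejects anything forged, replayed, or out of segment. Sensor names, segment ranges, keys and the alert format are all constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import json

# Constructed placeholders: one sensor per segment, each with its own key.
# Real keys would be provisioned out of band, one per sensor, never shared,
# so compromising the Marketing sensor does not yield the R&D sensor's key.
SENSOR_KEYS = {
    "ids-ops": b"ops-placeholder-key",
    "ids-rnd": b"rnd-placeholder-key",
    "ids-mkt": b"mkt-placeholder-key",
}

# The address range each sensor is trusted to report on (constructed).
SENSOR_SEGMENT = {
    "ids-ops": ipaddress.ip_network("10.10.0.0/16"),
    "ids-rnd": ipaddress.ip_network("10.20.0.0/16"),
    "ids-mkt": ipaddress.ip_network("10.30.0.0/16"),
}


def _canonical(payload: dict) -> bytes:
    # Stable serialisation so sensor and collector MAC exactly the same bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_alert(sensor_id: str, seq: int, alert: dict, key=None) -> dict:
    """Sensor side: wrap an alert with the sensor id, a per-sensor sequence
    number and an HMAC over the whole payload. `key` is overridable only so
    the example can show what a forgery with the wrong key looks like."""
    key = SENSOR_KEYS[sensor_id] if key is None else key
    payload = {"sensor": sensor_id, "seq": seq, "alert": alert}
    mac = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}


class Collector:
    """Central side: the sensors push to it one way, and a sensor may only
    assert things about its own segment. A compromised sensor can still lie
    about its own segment, but cannot impersonate the others or inject
    alerts that implicate hosts it does not monitor."""

    def __init__(self):
        self.last_seq = {}    # replay protection: highest seq seen per sensor
        self.accepted = []    # what would go into the central database

    def ingest(self, envelope: dict) -> str:
        payload = envelope.get("payload", {})
        sensor = payload.get("sensor")
        if sensor not in SENSOR_KEYS:
            return "rejected: unknown sensor"
        expected = hmac.new(SENSOR_KEYS[sensor], _canonical(payload),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, envelope.get("mac", "")):
            return "rejected: bad mac"
        seq = payload.get("seq", -1)
        if seq <= self.last_seq.get(sensor, -1):
            return "rejected: replay"
        try:
            src = ipaddress.ip_address(payload["alert"]["src_ip"])
        except (KeyError, ValueError):
            return "rejected: malformed alert"
        if src not in SENSOR_SEGMENT[sensor]:
            return "rejected: out of segment"
        self.last_seq[sensor] = seq
        self.accepted.append(payload)
        return "accepted"


if __name__ == "__main__":
    c = Collector()
    # Constructed alert from the Operations sensor about an Operations host.
    print(c.ingest(sign_alert("ids-ops", 1,
                              {"sig": "scan", "src_ip": "10.10.4.7"})))
    # Marketing sensor claiming something about an R&D host: not its segment.
    print(c.ingest(sign_alert("ids-mkt", 1,
                              {"sig": "scan", "src_ip": "10.20.9.9"})))
```

The collector itself still has an IP and still needs hardening, as the post notes, but with this split the sensors' monitoring interfaces can sit on taps with no address at all, and the collector only ever has to trust each sensor about the one segment it watches.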