sorry i am late at looking for responses and replying. I was inundated with work this morning. the past 2 days has been practically immersed in a sea of reseach and stuff. anyway we are implementing a e-trust IDS on a enterprise wide basis. I did speak about this issue to a few people. We are leaning towards putting it just behind the firewall and before the main router. Then again, we will truly know only during deployment which will happen in a couple of weeks time.