One of my clients has multiple locations. Each location has its own Internet access. The main and DR datacenters have ASA5510s. Remote users use IPSEC RA and Citrix connections (to the main DC, then routed to the internal n/w). What is the best solution, NAC or IDS/IPS, for security? My guess is, with many Internet access points, the client may need to go for a solution at each location. Also, is there any document which explains the differences between NAC vs. IDS/IPS?
I would always place the IPS sensor inside the firewall. That way it will only have to inspect traffic that makes it through the firewall policy, and the alerts the sensor generates will have more value in terms of real intrusions you should be aware of.
If the traffic passing through your DS3 router is encrypted inside a VPN tunnel, a router-based IPS will not be able to inspect the traffic inside the VPN.
You would have to inspect the traffic after it has been decrypted. This could be done in the ASAs or with an external appliance sensor, such as a 4240.