A network tap must be installed to give Bro access to live network traffic. For Bro to be most effective, the tap must deliver the full line rate of the monitored link (no bandwidth limitations) in both directions (full-duplex); a tap that aggregates both directions onto one oversubscribed output, or a span port that drops frames under load, will silently lose packets that Bro never gets to analyze. A passive tap is recommended because it does not interfere with the monitored link and continues to pass traffic even if the tap itself loses power or fails.
Normally the network tap for Bro should be placed behind the external firewall, on the DMZ (the portion of the network under the control of the organization but outside of the internal firewall), as shown in the figure below. Some organizations might prefer to install the network tap in front of the external firewall in order to see every scan or attack attempt, including those the firewall blocks. Placing Bro in front of the firewall gives the organization a fuller picture of the attacks directed at it, but produces a much higher number of alarms and alerts, most of them for traffic that would never have reached an internal host. Another option is to place Bro inside the internal firewall, where it can detect internal hosts infected with viruses or worms; note that a sensor only sees traffic that crosses its tap point, so a DMZ sensor cannot observe traffic that stays entirely within the internal network. In addition to the connection to the network tap, a separate network connection is required for management of Bro and for access to its log files; the tap-facing interface should carry no management traffic.
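The two requirements above (a listen-only capture interface fed by the tap, and a feed that is genuinely full-bandwidth) can both be checked from the sensor host. The following shell script is an added example, not part of the original guide or of Bro itself. It assumes a Linux sensor with the tap on eth1 and management on eth0 (both names are assumptions), and the /proc/net/dev counters it parses are a constructed sample, not real measurements. The first function puts the capture interface into a listen-only state; the second reads the kernel's RX drop counter for that interface and fails if the drop rate exceeds a threshold, which is the simplest sign that the sensor is not keeping up with the tap.

```shell
#!/bin/sh
# Added example (not from the original guide or the Bro project).
# Interface names and the sample counters below are assumptions.

# Make the tap-facing interface listen-only: no IP address (nothing to probe
# or attack from the tapped link), promiscuous mode so every frame is delivered,
# ARP off so the sensor never transmits on the tap, and NIC offloads off so Bro
# sees real on-the-wire packets rather than reassembled super-frames.
# Requires root; management traffic stays on a separate interface (e.g. eth0).
prepare_capture_iface() {
    iface="$1"
    ip addr flush dev "$iface"
    ip link set dev "$iface" up promisc on arp off
    ethtool -K "$iface" gro off lro off tso off gso off 2>/dev/null
}

# Report RX drops for one interface from /proc/net/dev (or a saved copy).
# Prints "<rx_packets> <rx_drops> <drop_percent>" and returns 1 when the drop
# rate exceeds the threshold (default 0.1%), 2 if the interface is not listed.
# A sustained non-zero drop count on the tap interface means the feed is not
# full-bandwidth from Bro's point of view, whatever the tap hardware promises.
rx_drop_report() {
    iface="$1"; file="${2:-/proc/net/dev}"; max="${3:-0.1}"
    awk -v iface="$iface" -v max="$max" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, iface ":") == 1 {
            found = 1
            # Strip "ethN:" then split; RX fields are bytes packets errs drop ...
            sub(/^[^:]*:[ \t]*/, "", line)
            split(line, f, /[ \t]+/)
            pkts = f[2] + 0; drops = f[4] + 0
            pct = (pkts + drops) > 0 ? 100 * drops / (pkts + drops) : 0
            printf "%d %d %.3f\n", pkts, drops, pct
            rc = (pct > max) ? 1 : 0
            exit
        }
        END {
            if (!found) { print "no such interface: " iface > "/dev/stderr"; exit 2 }
            exit rc
        }
    ' "$file"
}

# Constructed /proc/net/dev sample (not real data) in the kernel's layout.
# eth1 is a healthy tap feed (50 drops in a million packets, and it transmits
# nothing, as a listen-only interface should); eth2 is an overloaded one.
sample_proc_net_dev() {
    cat <<'EOF'
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   12000     100    0    0    0     0          0         0    12000     100    0    0    0     0       0          0
  eth0: 5000000   40000    0    0    0     0          0        10  3000000   25000    0    0    0     0       0          0
  eth1: 98765432 1000000    0   50    0     0          0       300        0       0    0    0    0     0       0          0
  eth2: 98765432 1000000    0 20000    0     0          0       300        0       0    0    0    0     0       0          0
EOF
}

# Usage on a live sensor (as root):
#   prepare_capture_iface eth1
#   rx_drop_report eth1            # reads the real /proc/net/dev
# Against the constructed sample:
#   sample_proc_net_dev > /tmp/netdev.txt && rx_drop_report eth1 /tmp/netdev.txt
```

Run rx_drop_report from cron or a monitoring check while Bro is under realistic load; the kernel counter only catches drops between the NIC and the capture socket, so a clean result here still needs to be paired with Bro's own packet-loss reporting to confirm the sensor is keeping up end to end.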
For more information on taps and tap placement, see the Netoptics white paper titled Deploying Network Taps with Intrusion Detection Systems (http://www.netoptics.com/products/pdf/Taps-and-IDSs.pdf).