Why would you implement account lockouts? That's a monumentally stupid idea...

Usernames are often predictable, and frequently not even secret at all. An attacker can work out all your usernames and then intentionally get all the accounts locked, irrespective of how good those users' passwords were.

Similarly, even if you lock accounts after, say, 5 attempts, that means an attacker can still perform 4 attempts per user - if you have many users, at least some of them will have common passwords like Password1 or Welcome1 etc.

A network-based brute force is slow and will only ever succeed against extremely weak passwords anyway; so long as you have a half-decent password policy, no such attempts will succeed. And you should have half-decent monitoring too, so you notice attacks. Simply relying on account lockouts is stupid.
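An added example, not part of the original comment: a sketch of the monitoring side of this argument, flagging a source that fails logins against many accounts while staying under a 5-attempt lockout. The log format, the alert threshold, the window and all sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5           # the "5 attempts" lockout discussed above
SPRAY_MIN_USERS = 4             # assumed alert threshold: distinct accounts per source
WINDOW = timedelta(minutes=10)  # assumed sliding window

# Constructed sample log, one event per line: "<ISO time> <source> <user> <OK|FAIL>"
SAMPLE_LOG = "\n".join(
    # one source, 4 failures per account: never reaches the lockout threshold
    [f"2024-05-01T09:0{r}:00 198.51.100.7 {u} FAIL"
     for r in range(4) for u in ("alice", "bob", "carol", "dave")]
    # one source hammering a single account: the case a lockout does catch
    + [f"2024-05-01T09:1{i}:00 192.0.2.44 grace FAIL" for i in range(6)]
    # an ordinary typo followed by a successful login
    + ["2024-05-01T09:20:00 203.0.113.9 frank FAIL",
       "2024-05-01T09:21:00 203.0.113.9 frank OK"]
)

def parse(log):
    for line in log.splitlines():
        if line.strip():
            ts, src, user, result = line.split()
            yield datetime.fromisoformat(ts), src, user, result

def locked_accounts(log):
    """Accounts a naive lockout would lock (failures counted without reset)."""
    counts = defaultdict(int)
    for _, _, user, result in parse(log):
        if result == "FAIL":
            counts[user] += 1
    return sorted(u for u, n in counts.items() if n >= LOCKOUT_THRESHOLD)

def find_spraying(log):
    """Map each source to the accounts it failed against, when it hit
    SPRAY_MIN_USERS or more distinct accounts inside one WINDOW."""
    failures = defaultdict(list)
    for ts, src, user, result in parse(log):
        if result == "FAIL":
            failures[src].append((ts, user))
    alerts = defaultdict(set)
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= SPRAY_MIN_USERS:
                alerts[src] |= users
    return {src: sorted(users) for src, users in alerts.items()}
```

On the sample data the lockout only ever triggers for the single-account case, while the per-source view is what surfaces the source trying four passwords against each of four accounts.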

