In general, when would one consider using an intrusion-detection system rather than a firewall in the overall network security design?
I don't think it really is a question of one or the other, as they serve different purposes. First of all, the intrusion-detection systems typically are passive systems that simply detect problems and perhaps alert someone. They do not block any traffic, or take active measures to stop an attack. A properly configured firewall can allow only certain types of traffic to pass, thus protecting the internal network from any number of malicious activities.
This is not to say that an IDS is not useful. Many IDS can correlate events over time and alert someone of an attack in progress. Firewalls tend to act on each packet without respect to what has happened previously. (This is an over simplification, as many firewalls can make decisions on what to let in based on what has gone out. For example, telnet into a secure network may not be permitted, but if the telnet was initiated from within, then the incoming part of the connection will be allowed.) The point is that an IDS and firewall serve different purposes, and I wouldn't want to see it as a choice between one or the other. However, if you can have only one, I would choose a firewall, as it has a chance of actually stopping an attack, whereas an IDS will only detect and alert.
For more information on this topic, visit these other SearchSecurity.com resources:
Dig Deeper on Information security policies, procedures and guidelines
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.