An Intrusion Detection System (IDS) monitors network traffic and compares it against a predefined set of rules (signatures) that describe known malicious activity. Some IDS products can also flag traffic that matches no rule but deviates from normal behaviour for the network (anomaly detection, for example a single host suddenly probing many ports). An IDS alerts on these events but does not otherwise interfere with the traffic. An Intrusion Prevention System (IPS) uses the same rules or technologies to detect malicious activity, but goes a step further: it sits inline in the traffic path and blocks the offending traffic before it can reach its destination.
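The following is an added illustration, not code from the original page or from any IDS/IPS product: a minimal sensor that runs a few signature rules and one anomaly rule (a port-scan threshold) over constructed sample packets, and that either only alerts (IDS mode) or alerts and drops (IPS mode). The rule patterns, port numbers, thresholds and sample traffic are all assumptions chosen for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float        # seconds
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Alert:
    ts: float
    rule: str
    src: str
    dst: str
    dport: int


# Signature rules (assumed, illustrative): name, destination port or None for any, byte pattern.
SIGNATURES = [
    ("web-traversal", 80, re.compile(rb"\.\./\.\./")),
    ("sql-union", 80, re.compile(rb"(?i)union\s+select")),
    ("shell-in-payload", None, re.compile(rb"/bin/sh")),
]

# Anomaly rule (assumed thresholds): one source touching more than SCAN_PORTS
# distinct destination ports on one host within SCAN_WINDOW seconds.
SCAN_PORTS = 5
SCAN_WINDOW = 2.0


class Sensor:
    """mode="ids": alert only, forward everything. mode="ips": alert and drop matches."""

    def __init__(self, mode="ids"):
        assert mode in ("ids", "ips")
        self.mode = mode
        self.alerts = []
        self.forwarded = []
        self.dropped = []
        self._ports = defaultdict(list)   # (src, dst) -> [(ts, dport), ...] within window

    def _signature_hits(self, pkt):
        return [name for name, port, pat in SIGNATURES
                if (port is None or port == pkt.dport) and pat.search(pkt.payload)]

    def _anomaly_hit(self, pkt):
        key = (pkt.src, pkt.dst)
        seen = self._ports[key] + [(pkt.ts, pkt.dport)]
        # keep only observations inside the sliding window
        seen = [(t, p) for t, p in seen if pkt.ts - t <= SCAN_WINDOW]
        self._ports[key] = seen
        return len({p for _, p in seen}) > SCAN_PORTS

    def process(self, pkt):
        """Return True if the packet is forwarded, False if dropped."""
        hits = self._signature_hits(pkt)
        if self._anomaly_hit(pkt):
            hits.append("port-scan")
        for name in hits:
            self.alerts.append(Alert(pkt.ts, name, pkt.src, pkt.dst, pkt.dport))
        if hits and self.mode == "ips":
            self.dropped.append(pkt)      # inline: traffic never reaches its destination
            return False
        self.forwarded.append(pkt)        # passive IDS only alerts
        return True


def sample_traffic():
    """Constructed sample packets: one benign request, one traversal attempt, one port sweep."""
    benign = Packet(0.0, "10.0.0.5", "10.0.1.10", 80, b"GET /index.html HTTP/1.1\r\n")
    traversal = Packet(0.1, "10.0.0.5", "10.0.1.10", 80, b"GET /../../etc/passwd HTTP/1.1\r\n")
    scan = [Packet(1.0 + i * 0.1, "10.0.0.9", "10.0.1.10", p, b"")
            for i, p in enumerate([21, 22, 23, 25, 80, 443, 445])]
    return [benign, traversal] + scan


def run(mode):
    sensor = Sensor(mode)
    results = [sensor.process(p) for p in sample_traffic()]
    return sensor, results


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        sensor, _ = run(mode)
        print(mode, "alerts:", [a.rule for a in sensor.alerts],
              "forwarded:", len(sensor.forwarded), "dropped:", len(sensor.dropped))
```

The same rules fire in both modes; the only difference is what happens to the matching packet. Note that the port-scan rule only trips on the sixth distinct port, so the first five probes are forwarded even in IPS mode, which is the usual trade-off of threshold-based anomaly rules.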
Intrusion Detection Systems are an important part of a defense-in-depth strategy. An IDS can detect attacks directed against your systems and give you the chance to put additional controls in place to mitigate them. If the IDS is behind the firewall, or part of it, it can alert you when malicious traffic gets past the firewall. An IPS takes this further: it can take some of the work off the firewall and block attacks the firewall does not stop. Because an IPS blocks inline, a false positive in its rules blocks legitimate traffic, so IPS rules need tuning and testing before they are switched from alert to block.
Organizations are expected to have a comprehensive IDS/IPS deployment protecting the network perimeter. Some organizations also deploy IDS/IPS to protect high-value assets on internal networks; these devices should be placed on the network boundaries between high-value networks and client networks or external networks.