With the current network security trend, having a firewall alone will not secure your network entirely. Cisco is recommending a layered security model where you have different security devices guarding or providing security at different levels.
IDS/IPS provide deep packet inspection for traversing network traffic. A simple example is spyware embedded in your HTTP/WWW traffic. A firewall alone is not effective / cannot block this. The same goes for detecting malicious content like trojans, hacking scripts and so on.
A firewall, on the other hand, narrows down who can talk to whom via which TCP/UDP service port. But it cannot do things like IDS/IPS. Basically, it uses stateful inspection and ACLs to permit/deny access (source/destination IP/ports), plus other features like anti-spoofing and controlling max connections and embryonic sessions to servers/resources/clients.
It's recommended to have both in place, either in a pizza box like the Cisco ASA series where you have firewall and IPS/SSM services running together, or you can also have them running in separate boxes (depends on requirements).
But if you have limited options and can only choose either a firewall or IDS/IPS, you probably need to get the firewall before IDS/IPS. This at least helps you to control access in and out of your network with more advanced features compared to a router.
A firewall like the PIX, however, has an IDS feature but limited to fewer than 60 well-known signatures only.
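The post contrasts what a stateful firewall sees (addresses, ports, connection state, embryonic-session counts) with what an IDS/IPS sees (the payload). The toy model below is an added illustration, not code from the post or from any Cisco product: a minimal ACL plus stateful tracker with an embryonic-connection cap, beside a signature-based payload inspector. All rules, the signature strings, the addresses and the packets are constructed for the example. It shows the HTTP request sailing through the firewall on an established, ACL-permitted flow while only the payload inspector flags it, and the SYN cap kicking in for half-open connections that never complete.

```python
"""Toy model of the two layers discussed above: a stateful packet filter
(addresses/ports/state/embryonic limit) and a signature IDS (payload).
Everything here is constructed for illustration; it is not ASA/PIX logic."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    flags: str = ""        # TCP flags: "S" = SYN, "SA" = SYN-ACK, "A" = ACK
    payload: bytes = b""


@dataclass
class AclRule:
    """One ACL entry; 'ip' matches any protocol, dport=None matches any port."""
    action: str
    proto: str
    src_net: str
    dst_net: str
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto in (p.proto, "ip")
                and ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and (self.dport is None or self.dport == p.dport))


class StatefulFirewall:
    """First-match ACL with implicit deny, a connection table, and a cap on
    half-open (embryonic) TCP sessions per destination host."""

    def __init__(self, acl, embryonic_limit=2):
        self.acl = acl
        self.embryonic_limit = embryonic_limit
        self.half_open = set()          # flows where only the SYN was seen
        self.established = set()        # flows that completed the handshake
        self.embryonic_per_server = {}  # dst host -> current half-open count

    def evaluate(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        # Packets of an existing connection bypass the ACL (stateful inspection).
        if fwd in self.established or rev in self.established:
            return "permit (established)"
        # The server's SYN-ACK completes a tracked handshake, even though no
        # ACL rule permits traffic in that direction.
        if rev in self.half_open and p.flags == "SA":
            self.half_open.discard(rev)
            self.embryonic_per_server[p.src] -= 1
            self.established.add(rev)
            return "permit (handshake completed)"
        rule = next((r for r in self.acl if r.matches(p)), None)
        if rule is None or rule.action == "deny":
            return "deny (acl)"
        if p.proto == "tcp" and p.flags == "S":
            n = self.embryonic_per_server.get(p.dst, 0)
            if n >= self.embryonic_limit:
                return "deny (embryonic limit)"
            self.embryonic_per_server[p.dst] = n + 1
            self.half_open.add(fwd)
        return "permit (acl)"


# Constructed IDS signatures: byte patterns the firewall never looks at.
SIGNATURES = {
    b"spy-tracker.example": "spyware beacon (constructed)",
    b"cmd.exe /c": "suspicious command string (constructed)",
}


def inspect_payload(p: Packet):
    """Signature IDS view: returns the names of all patterns found in the payload."""
    return [name for pattern, name in SIGNATURES.items() if pattern in p.payload]


def run_demo():
    acl = [AclRule("permit", "tcp", "0.0.0.0/0", "10.0.0.0/24", 80),  # web server
           AclRule("deny", "ip", "0.0.0.0/0", "0.0.0.0/0")]           # explicit deny-all
    fw = StatefulFirewall(acl, embryonic_limit=2)
    syn = Packet("198.51.100.7", "10.0.0.5", "tcp", 40001, 80, "S")
    synack = Packet("10.0.0.5", "198.51.100.7", "tcp", 80, 40001, "SA")
    http = Packet("198.51.100.7", "10.0.0.5", "tcp", 40001, 80, "A",
                  b"GET /index.html HTTP/1.1\r\nHost: spy-tracker.example\r\n\r\n")
    ssh = Packet("198.51.100.7", "10.0.0.5", "tcp", 40002, 22, "S")
    results = {
        "syn": fw.evaluate(syn),
        "synack": fw.evaluate(synack),
        "http_firewall": fw.evaluate(http),     # port 80 on an established flow: permitted
        "http_ids": inspect_payload(http),      # only the IDS sees the beacon
        "ssh": fw.evaluate(ssh),                # not permitted by the ACL
    }
    # Three SYNs to the web server that are never answered: the third exceeds the cap.
    results["flood"] = [fw.evaluate(Packet(f"203.0.113.{i}", "10.0.0.5", "tcp", 5000 + i, 80, "S"))
                        for i in range(1, 4)]
    return results


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The point of the demo is the `http_firewall` versus `http_ids` pair: the ACL and connection table correctly permit the request, because on a 5-tuple basis it is legitimate web traffic, and only payload inspection can tell that it carries the beacon. The embryonic cap is the kind of per-server limit the post mentions; real appliances apply it per policy rather than as a single global counter.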