The need of an IDS depends entirely on the network and what we want to do. Generally I'd say that we need it, unless we can think of a good reason not to have it.

The added benefit of an IDS is that we can see what is passing through our network and attempt to isolate any traffic that appears malicious. This is important as it's a function many firewalls lack (except those with layer-seven support, which are termed application-layer firewalls). Since firewalls work at the lower layers of network communication their filtering rules are generally limited to IP addresses, ports, time of day, and only a few other criteria. If we have a firewall that isn't looking into the payload of a packet and only making decisions based on packet headers, it's far from inconceivable to say that these devices may allow some malicious traffic to pass. The role of our IDS is to do deep inspection of these packets looking at the data contained within and make decisions such as: "Does this...