>>Adriel T. Desautels wrote:
>> Actually,
>> In my experience it's not a very good idea to install an IDS on a
>> firewall device. Fact of the matter is an IDS device should have as
>> much processing power as you can give it to help reduce false positives
>> and false negatives (assuming heavy load and a good NIC). Increased
>> usage of the CPU from other services, such as firewalls, reduces the
>> amount of cycles that the IDS will have
>> and as such reduces its performance. Anyone else feel the same way?

>What you think makes sense. However, for a small business with an idle firewall like
>mine, it might be a good idea. Having a traffic sniffer that is not on the firewall
>increases the costs a lot. You need a separate machine, a tap or a switch with a mirror
>port.

IDS on a firewall is not NEW; take a look at the D-Link "DFL-200 and DFL-700" or the Netgear "FVS ProSafe-VPN-Firewall" Datasheet. They have included an (N)IDS.

I think no Firewall is secure alone without an IDS.

BR
Oliver