> It's used with a firewall, not in place of. A firewall is intended to keep the bad guys out in the first place. An IDS is designed to figure out that they got in anyway, and tell you what it was they messed with while they were there. Tripwire for instance keeps track of file sizes, dates (and I think a checksum) of important system files. If one of those attributes changes from one daily scan to the next, it tells you there's a problem.
There's even a third class of IDS tools that periodically mount attacks to test the other two parts. Check Cisco's old NetRanger or CSPM products for an example. -- db
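The quoted description of Tripwire (sizes, dates and a checksum of important files, compared from one daily scan to the next) is easy to see in miniature. The following is an added example written for this page, not Tripwire's own code and not from either poster: it baselines a constructed directory tree, tampers with it in three ways, and reports what differs. All file names and contents are constructed for the demo; the tree lives in a temporary directory so nothing on the real system is touched.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Attributes tracked per file, in the order they are reported when they differ.
TRACKED = ("size", "mtime_ns", "sha256")


def file_attrs(path: Path) -> dict:
    """Collect the size, modification time and SHA-256 digest of one file."""
    st = path.stat()
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "sha256": digest.hexdigest()}


def snapshot(root: Path) -> dict:
    """Build the baseline database: relative path -> tracked attributes."""
    return {
        p.relative_to(root).as_posix(): file_attrs(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Return {path: [what changed]} for every file that differs between two scans."""
    changed = {}
    for name in sorted(set(baseline) | set(current)):
        if name not in baseline:
            changed[name] = ["added"]
        elif name not in current:
            changed[name] = ["removed"]
        else:
            diffs = [k for k in TRACKED if baseline[name][k] != current[name][k]]
            if diffs:
                changed[name] = diffs
    return changed


def demo() -> dict:
    """Baseline a constructed tree, modify it three ways, and report the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        etc = root / "etc"
        etc.mkdir()
        # Constructed sample files standing in for "important system files".
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (etc / "resolv.conf").write_text("nameserver 10.0.0.1\n")

        baseline = snapshot(root)  # "yesterday's" scan

        # 1. Obvious change: a line appended, so size, mtime and hash all move.
        with (etc / "passwd").open("a") as fh:
            fh.write("guest:x:1001:1001::/home/guest:/bin/sh\n")

        # 2. Quiet change: same-length edit with the original timestamps put back.
        #    Size and mtime look untouched; only the checksum reveals it.
        target = etc / "resolv.conf"
        before = target.stat()
        target.write_text("nameserver 10.0.0.9\n")
        os.utime(target, ns=(before.st_atime_ns, before.st_mtime_ns))

        # 3. A file that was not in the baseline at all.
        (etc / "unexpected.conf").write_text("# not present at baseline time\n")

        return compare(baseline, snapshot(root))  # "today's" scan


if __name__ == "__main__":
    for path, what in demo().items():
        print(f"{path}: {', '.join(what)}")
```

The second case is why the checksum matters: size and date alone would miss an edit that keeps the length and restores the timestamp. In practice the baseline database has to be kept somewhere the scanned host cannot rewrite (read-only media or a separate host), otherwise whoever changed the files can change the record of them too.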
