Good post Tony,

Let me play Devil's advocate for one moment on this topic.

I did a proof of concept with IPS systems for a very large facility (10,000+ users). The network architecture included hundreds of routers, switches and a handful of firewalls. Now, Cisco makes IDS/IPS products and since we tend to lean towards their products, we picked the 4250 series IDS/IPS appliance for our test.

THE RESULTS
=====================
Since I know the canned countermeasures that the IPS will perform (easily obtained from Cisco), I can actually cause a DoS attack using the organization's IDS/IPS system. Since about 75% of all attacks come from inside your firewall, you can imagine what one can do to routers when tripping the IPS. In my case, the IPS noted that it sensed an attack, wrote it to the log and it pushed out changes to some core routers to fend off the attack. The changes shut down web access. In the end, I had to manually go back and reset the rules on all the routers to restore internet connectivity.

Now with carefully designed organizational procedures, the downtime will be minimal. I just like to cover every angle as it really sucks to be nailed with scenarios like this from top management and not have a suitable response ready.

Anyway, hope this helps out!
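One defensive guardrail for the scenario described in the post, as an added example that is not part of the original post and not Cisco's code: before an IPS alert is allowed to become a pushed router rule, refuse sources inside protected (inside) prefixes, cap the number of concurrent blocks, and give every block an expiry. The prefix values, limits and the alert stream are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed values (not from the post): inside space an automatic response must never touch.
PROTECTED_PREFIXES = ("10.0.0.0/8", "172.16.0.0/12")
MAX_ACTIVE_SHUNS = 3          # deliberately small so the cap trips in the sample
SHUN_TTL_SECONDS = 900        # every block expires unless the alert recurs


@dataclass
class ShunGuard:
    """Decides whether an IPS alert may become a router-side block."""
    protected: tuple = PROTECTED_PREFIXES
    max_active: int = MAX_ACTIVE_SHUNS
    ttl: int = SHUN_TTL_SECONDS
    active: dict = field(default_factory=dict)   # src_ip -> expiry epoch

    def decide(self, src_ip: str, now: int) -> str:
        """Return 'block', 'renew', or 'log-only:<reason>' for one alert."""
        # Drop expired blocks first so the cap counts live rules only.
        self.active = {ip: exp for ip, exp in self.active.items() if exp > now}
        try:
            addr = ipaddress.ip_address(src_ip)
        except ValueError:
            return "log-only:unparseable-source"
        # An inside (or spoofed inside) source must never make the IPS push
        # a rule that cuts off our own users, as happened in the post.
        if any(addr in ipaddress.ip_network(p) for p in self.protected):
            return "log-only:protected-prefix"
        if src_ip in self.active:
            self.active[src_ip] = now + self.ttl
            return "renew"
        # Beyond the cap, a flood of distinct sources becomes a page to a
        # human rather than a flood of ACL pushes to the core routers.
        if len(self.active) >= self.max_active:
            return "log-only:shun-cap-reached"
        self.active[src_ip] = now + self.ttl
        return "block"


def run_alerts(alerts, guard=None):
    """Apply one guard to (epoch, src_ip) alerts and return the decisions."""
    guard = guard or ShunGuard()
    return [guard.decide(ip, ts) for ts, ip in alerts]


# Constructed alert stream: an inside host, three outside sources filling the
# cap, a fourth refused, a renewal, then the blocks expiring (TTL 900 s).
SAMPLE_ALERTS = [(1000, "10.20.30.40"), (1001, "203.0.113.5"),
                 (1002, "198.51.100.7"), (1003, "192.0.2.9"),
                 (1004, "203.0.113.6"), (1005, "203.0.113.5"),
                 (2000, "203.0.113.6")]
```

Running `run_alerts(SAMPLE_ALERTS)` shows the inside host logged but never blocked, the fourth outside source deferred to a human once the cap is full, and the same source admitted later once the earlier blocks have expired.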