I prefer to use a layered defence, by placing an IDS in front of the firewall and another IDS behind the firewall. In my environment, I need to know when we are receiving a sustained attack, thus the IDS placed outside the firewall. Because the firewall rulebase drops particular packets/connections at the firewall, I may not be aware of an attack against the firewall itself, or against devices behind the firewall, where the attack is blocked at the firewall. (Lots of noise, though.) The second IDS lets me know what potential attacks have made it through the firewall and into the DMZ in question.
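One way to use the two sensors together, as an added example that is not part of the original post: match alerts from the outside and inside IDS to separate what the firewall blocked from what reached the DMZ, and flag sources that keep hitting the outside sensor. The alert tuple layout, the `WINDOW` and `SUSTAINED` values, and the sample alerts are assumptions constructed for illustration, and the matching assumes no NAT between the two sensors.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample alerts, not real data:
# (timestamp, sensor, source IP, destination IP, destination port, signature)
ALERTS = [
    ("2024-01-01T10:00:00", "outside", "198.51.100.7", "203.0.113.10", 22, "ssh-bruteforce"),
    ("2024-01-01T10:00:20", "outside", "198.51.100.7", "203.0.113.10", 22, "ssh-bruteforce"),
    ("2024-01-01T10:00:40", "outside", "198.51.100.7", "203.0.113.10", 22, "ssh-bruteforce"),
    ("2024-01-01T10:01:00", "outside", "192.0.2.44", "203.0.113.20", 80, "sql-injection"),
    ("2024-01-01T10:01:01", "inside", "192.0.2.44", "203.0.113.20", 80, "sql-injection"),
    ("2024-01-01T10:02:00", "inside", "203.0.113.20", "203.0.113.30", 445, "smb-scan"),
]
WINDOW = timedelta(seconds=5)  # assumed max time skew between the two sensors
SUSTAINED = 3                  # assumed threshold of outside alerts per source

def correlate(alerts):
    """Split alerts into blocked / passed / inside_only by matching flows across sensors."""
    rows = [(datetime.fromisoformat(a[0]),) + a[1:] for a in alerts]
    inside = [r for r in rows if r[1] == "inside"]
    used, out = set(), {"blocked": [], "passed": [], "inside_only": []}
    for o in (r for r in rows if r[1] == "outside"):
        # Same src, dst, port and signature seen behind the firewall within WINDOW
        hit = next((n for n, i in enumerate(inside) if n not in used
                    and i[2:] == o[2:] and abs(i[0] - o[0]) <= WINDOW), None)
        if hit is None:
            out["blocked"].append(o[2:])   # seen outside only: stopped at the firewall
        else:
            used.add(hit)
            out["passed"].append(o[2:])    # seen on both sensors: reached the DMZ
    # Inside alerts with no outside counterpart: started behind the firewall,
    # or the outside sensor did not alert on them
    out["inside_only"] = [i[2:] for n, i in enumerate(inside) if n not in used]
    return out

def sustained_sources(alerts, threshold=SUSTAINED):
    """Sources with at least `threshold` alerts on the outside sensor."""
    counts = Counter(a[2] for a in alerts if a[1] == "outside")
    return sorted(src for src, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    for bucket, flows in correlate(ALERTS).items():
        print(bucket, flows)
    print("sustained:", sustained_sources(ALERTS))
```

The `passed` bucket is the one to triage first; `blocked` is where the noise from the outside sensor ends up.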