An IDS (intrusion detection system) is like having a security guard at the front door. It can monitor and act on network activity it deems inappropriate or suspicious. Typically, it looks for activity based on a list of known-bad addresses, for example, addresses known to host malware.
There are a number of IDS rulesets to choose from, and configuring an IDS can take time. It is really only necessary if the firewall has been configured to allow inbound traffic. If the firewall is blocking everything inbound, then the IDS is really superfluous, as the firewall is already blocking everything.
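The address-list matching described above, as an added sketch that is not from the original page or from any particular IDS. The blocklist, the connection records and the function names are all constructed for illustration (the addresses come from the reserved documentation ranges), and the firewall is modelled simply as a set of inbound ports it allows.

```python
import ipaddress

# Constructed blocklist: documentation ranges, not real indicators.
BLOCKLIST = ["203.0.113.0/24", "198.51.100.23"]

# Constructed inbound connection attempts: (source address, destination port).
INBOUND = [
    ("203.0.113.77", 443),   # inside a listed network
    ("192.0.2.10", 443),     # not listed
    ("198.51.100.23", 22),   # listed as a single host
    ("198.51.100.24", 22),   # neighbour of a listed host, not listed itself
    ("not-an-ip", 443),      # malformed record
]


def load_blocklist(entries):
    """Parse single addresses and CIDR ranges into network objects."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def ids_alerts(flows, blocklist, open_ports):
    """Return (source, port, matched entry) for each flow the IDS flags.

    A flow to a port the firewall does not allow is dropped before the
    IDS inspects it, so it can never produce an alert.
    """
    networks = load_blocklist(blocklist)
    alerts = []
    for source, port in flows:
        if port not in open_ports:
            continue  # blocked at the firewall
        try:
            address = ipaddress.ip_address(source)
        except ValueError:
            continue  # unparseable source, nothing to match against
        match = next((net for net in networks if address in net), None)
        if match is not None:
            alerts.append((source, port, str(match)))
    return alerts


if __name__ == "__main__":
    print("ports 22 and 443 allowed:", ids_alerts(INBOUND, BLOCKLIST, {22, 443}))
    print("everything inbound blocked:", ids_alerts(INBOUND, BLOCKLIST, set()))
```

With every inbound port closed, the function returns an empty list, which is the case where the text calls the IDS superfluous.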