An application firewall acts as a proxy server for a client network, providing filtering at the application level for the different services used within the network. Incoming and outgoing traffic is either allowed through or blocked.
The firewall is concerned with the direction of traffic.
An IDS can also block traffic, but its monitoring of incoming traffic is more contextual and geared towards detecting exploits by recognising patterns of traffic across services and ports. In effect, it is smarter and looks deeper into packet contents (a NIDS can inspect the packet payload).
For example, a prospective hacker could probe a site protected by an application firewall (for example, by re-trying different username/password combinations) and remain largely undetected. The firewall's log is the only evidence of what has been going on, and there is no automatic notification. With an IDS, such behaviour would be detected in real time, an alarm would be raised, and the IDS log would show exactly what was being requested and from where, which could be used as evidence in court.
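The password-guessing scenario above, as an added example that is not part of the original text: a minimal IDS-style rule that correlates successive requests from one source, which is exactly what a direction-only firewall does not do. The log format and sample lines are constructed for the example.

```python
# Added example (not from the original text): an IDS-style detection rule for
# the repeated-login pattern described above. A firewall that only allows or
# blocks by direction and port passes every one of these requests; the pattern
# only becomes visible when requests from the same source are correlated.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified "timestamp src_ip method path status" form.
SAMPLE_LOG = """\
2024-01-01T10:00:01 203.0.113.5 POST /login 401
2024-01-01T10:00:03 203.0.113.5 POST /login 401
2024-01-01T10:00:04 198.51.100.7 GET /index.html 200
2024-01-01T10:00:06 203.0.113.5 POST /login 401
2024-01-01T10:00:08 203.0.113.5 POST /login 401
2024-01-01T10:00:09 203.0.113.5 POST /login 401
2024-01-01T10:00:10 203.0.113.5 POST /login 200
2024-01-01T10:05:00 198.51.100.7 POST /login 401
"""

def parse(line):
    ts, src, method, path, status = line.split()
    return datetime.fromisoformat(ts), src, f"{method} {path}", int(status)

def detect_password_guessing(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return one alert per source that produced `threshold` failed logins
    (HTTP 401 on /login) within a sliding `window`. Each alert records the
    source, the time span and the request seen, which is the kind of detail
    the text says an IDS log provides and a firewall log does not."""
    recent = defaultdict(deque)   # src -> timestamps of recent failures
    alerts, alerted = [], set()
    for line in log_text.splitlines():
        ts, src, request, status = parse(line)
        if not (request.endswith("/login") and status == 401):
            continue                      # only failed login attempts count
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)              # raise the alarm once per source
            alerts.append({"source": src, "first": q[0].isoformat(),
                           "last": ts.isoformat(), "failures": len(q),
                           "request": request})
    return alerts

if __name__ == "__main__":
    for alert in detect_password_guessing(SAMPLE_LOG):
        print("ALERT:", alert)
```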
Whilst an IDS can be placed behind an application firewall to serve an entire network (NIDS), it can also be installed on individual machines.
Additionally, where a firewall can only see traffic crossing the border between networks, an IDS can see and act upon the traffic on any given network, and can thus also detect local attempts at compromising the network.