hi,
The major difference between an IDS and an IPS is that an IDS sits in promiscuous mode and an IPS sits in inline mode. This implies that an IDS will let the first threat packet in before it takes any action or fires an alert, because it receives only a copy of the packet for analysis; the actual packet gets in before any action is taken, and only then can the malicious traffic stream be stopped from entering the network. An IPS box, on the other hand, would stop even the initial threat packet from entering your network, because it sits in inline mode and all the traffic entering your network has to pass through the IPS (i.e. the actual traffic, not a copy of it), so the analysis happens in real time and even the initial threat packet is stopped from getting in.
Secondly, if you already have an IDSM-II running, you can upgrade it to IPS version 5.x, and then it would function as an IPS. This way you can buy an ASA5550 instead of an ASA5540; in future, if you feel the need for an AIP-SSM module for your ASA, you can buy it, or you can even buy an ASA with a CSC-SSM module. In that case you have both your IDSM-II working as an IPS and the ASA working as an Anti-X filter with the use of the CSC-SSM.
cheers...!!!
--
Prashant Chauhan.
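The promiscuous-versus-inline point made in the post above, as an added simulation that is not part of the original reply or of any Cisco product: the sensor, the "threat" check (a constructed `BAD` marker in the payload), the packet stream and the shun behaviour are all simplified models built here for illustration, not real IDSM/IPS logic.

```python
"""Simulation of promiscuous (IDS) vs inline (IPS) sensor placement.

Added example, not from the original forum post. Everything here is a
constructed model: the packets, the signature check and the 'shun' action.
"""
from dataclasses import dataclass, field

# Constructed signature: any payload containing this marker counts as a threat.
SIGNATURE = "BAD"


@dataclass
class Packet:
    seq: int
    flow: str      # constructed flow id, e.g. "A" or "B"
    payload: str


@dataclass
class Host:
    received: list = field(default_factory=list)


def is_threat(pkt: Packet) -> bool:
    """Toy content match standing in for a real signature engine."""
    return SIGNATURE in pkt.payload


def run_ids(stream, host: Host):
    """Promiscuous mode: the real packet is forwarded to the host first and
    the sensor analyses a copy. On a hit it alerts and asks the edge device
    to shun the flow, which only affects *later* packets of that flow."""
    shunned = set()
    alerts = []
    for pkt in stream:
        if pkt.flow in shunned:
            continue                      # stopped by the shun, after the fact
        host.received.append(pkt)         # real packet already delivered
        if is_threat(pkt):                # copy analysed after delivery
            alerts.append(pkt.seq)
            shunned.add(pkt.flow)
    return alerts


def run_ips(stream, host: Host):
    """Inline mode: every packet passes through the sensor before the host,
    so a hit is dropped and not even the first threat packet gets in."""
    dropped = []
    for pkt in stream:
        if is_threat(pkt):
            dropped.append(pkt.seq)
            continue
        host.received.append(pkt)
    return dropped


def constructed_stream():
    """Constructed sample traffic: flow A carries two threat packets
    surrounded by benign ones, flow B is entirely benign."""
    return [
        Packet(1, "A", "GET /index.html"),
        Packet(2, "A", "BAD payload, first threat packet"),
        Packet(3, "A", "BAD payload, second threat packet"),
        Packet(4, "A", "GET /logo.png"),
        Packet(5, "B", "GET /about.html"),
    ]


def compare():
    """Run the same stream through both placements and report which threat
    packets reached the host ('leaked') and which benign ones were lost."""
    ids_host, ips_host = Host(), Host()
    stream = constructed_stream()
    run_ids(stream, ids_host)
    run_ips(stream, ips_host)
    threats = {p.seq for p in stream if is_threat(p)}
    return {
        "ids_received": [p.seq for p in ids_host.received],
        "ips_received": [p.seq for p in ips_host.received],
        "ids_leaked": [p.seq for p in ids_host.received if p.seq in threats],
        "ips_leaked": [p.seq for p in ips_host.received if p.seq in threats],
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Running it shows the two trade-offs the post describes: the IDS model delivers packet 2 (the first threat packet) before the shun takes effect, and the shun then also discards the benign packet 4 of the same flow, whereas the inline model drops both threat packets and delivers everything benign.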