I have the following setup:
WAN ------> Firewall appliance ------> DMZ IDS -------> iptables choke firewall -------> LAN IDS/Syslog server w/ log sentry
Basically I have an IDS sitting behind each of my firewalls to log any malicious traffic that gets past the firewall and onto my DMZ or LAN. Each IDS logs to a centralized analysis console/database. Everything else logs to a centralized syslog server with log sentry installed.
In addition to this, I filter viruses at the mail gateway on the DMZ and also have a centralized antivirus server that allows me to distribute updates, check the health of all my LAN clients and scan my entire domain from one admin's console.
I also do a number of other things, like LAN instituting specific group policies that only allow an approved list of executables to run on all domain workstations. I run periodic Nessus scans across given parts of the network and refuse to use IIS, Exchange or Outlook. I run as many hardware terminals instead of PCs as I can so I have better control over what my users can and cannot do to their boxes.
As a rule, I try to run as many different types of security products as I can on as many different platforms as I can: 2 different firewalls, different IDSs, different virus scanning engines. This way, the vulnerabilities or false positives of one have a better chance of being picked up by the other. If your IDSs and firewalls are all of the same platform, then you have a single point of failure for that given device. It makes administration a little harder, but gives you a greater perspective of what is actually happening on your network.
IMHO, security has to be very comprehensive if it is to be effective across a large environment.
Did I just give away all my secrets?
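The post describes an iptables "choke" firewall between the DMZ and the LAN but does not show its rules. The script below is an added example, not the poster's actual configuration: a default-deny ruleset for that choke point that permits only the flows the setup implies (LAN clients reaching the DMZ mail gateway, DMZ hosts sending syslog to the LAN syslog/IDS server, replies to established connections) and logs everything else before dropping it. Interface names, address ranges, the mail gateway and syslog addresses, and the SSH management rule are all assumed placeholders. IPT defaults to "echo iptables" so the script prints the rules it would load instead of applying them; set IPT=iptables to apply them on a real box.

```shell
#!/bin/sh
# Added example (not the original poster's configuration): a default-deny
# "choke" ruleset for an iptables box sitting between a DMZ and a LAN.
# Every value below is an assumed placeholder; override via the environment.
IPT="${IPT:-echo iptables}"             # dry-run by default; IPT=iptables applies rules
DMZ_IF="${DMZ_IF:-eth0}"                # assumed: interface facing the DMZ
LAN_IF="${LAN_IF:-eth1}"                # assumed: interface facing the LAN
LAN_NET="${LAN_NET:-10.0.1.0/24}"       # assumed: LAN address range
MAIL_GW="${MAIL_GW:-192.0.2.25}"        # assumed: DMZ mail gateway (documentation address)
SYSLOG_HOST="${SYSLOG_HOST:-10.0.1.5}"  # assumed: LAN syslog / IDS console host

choke_rules() {
    # Start from a clean slate, then deny everything in every direction.
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # --- Traffic to the firewall box itself ---
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Management only from the LAN side (assumed: SSH on 22).
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # The box may send its own syslog to the central server.
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -o "$LAN_IF" -d "$SYSLOG_HOST" -p udp --dport 514 -j ACCEPT

    # --- Traffic crossing the choke point ---
    # Replies to connections the rules below already allowed.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Packets arriving from the DMZ that claim a LAN source address are spoofed:
    # log them with a distinct prefix so the syslog server can flag them, then drop.
    $IPT -A FORWARD -i "$DMZ_IF" -s "$LAN_NET" -j LOG --log-prefix "CHOKE spoof: "
    $IPT -A FORWARD -i "$DMZ_IF" -s "$LAN_NET" -j DROP
    # LAN clients may open mail sessions to the DMZ mail gateway only
    # (assumed ports: SMTP 25, POP3 110, IMAP 143).
    $IPT -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -s "$LAN_NET" -d "$MAIL_GW" \
        -p tcp -m multiport --dports 25,110,143 -m state --state NEW -j ACCEPT
    # The only new connection allowed from the DMZ into the LAN is syslog
    # (UDP 514) to the central log server; nothing else may initiate inbound.
    $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -d "$SYSLOG_HOST" -p udp --dport 514 -j ACCEPT
    # Anything else crossing the choke point is logged (rate-limited so a scan
    # cannot flood the log server) and dropped.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "CHOKE drop: "
    $IPT -A FORWARD -j DROP
}

choke_rules
```

Additional outbound flows from the LAN (DNS, web proxy, and so on) would be added as further explicit FORWARD rules in the same style; the point of the choke design is that the DMZ side can never initiate anything toward the LAN except the one logging flow, and every refused packet leaves a line the log sentry can pick up.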