What should I get next... IDS or concentrator appliance?
FYI, for an IPS, if you're looking just for the *gist* of things, you could also kick out about $75 for an older Intrusion PDS5100 appliance and modify it with snort_inline. The PDS is running Red Hat. And FYI, Snort has never been an IPS; IDS, yes. Snort_Inline now... That's a different story. I wrote a realtime shell script to backend Snort, mod_apache, and block out XSS attacks... For those working in the compsec industry, if you're interested, let me know and I will send you a link. Currently I'm doing a realtime IPS for SIP on Asterisk. I have an nCite SBC that touts the ability to block garbage out, but I've been able to pass garbage through... As for Asterisk and SIP in general... I made Asteroid out of kicks and giggles to learn the transactional phases and shred them to smithereens... http://www.infiltrated.net/asteroid/ (for those into VoIP security)...
I don't think an appliance running Red Hat and Snort_inline is going to do much towards studying for, and passing, any Cisco exams. It'll be very helpful for general security practices, but that's probably best saved for after he's got the CCSP knocked out, and doesn't need to focus so heavily on "the Cisco way" of doing things.