What does your upstream connectivity look like? If you are getting a 100 Mbit port at a data center with multi-gigabit upstream connectivity, then even placing the most expensive firewall in the world right in front of your server isn't going to do anything in the event of a DDoS attack; once your 100 Mbit interface is saturated, it's game over. For DoS mitigation to be effective, it needs to be handled much further upstream in the connection.
Are you sure you really need a hardware firewall? We've already established it's not going to help significantly with DoS attacks, and intrusion detection looks for signatures and won't be as effective as an APF/BFD combo that's keyed off the logs on your server. Usually you only pursue a hardware firewall solution if you are uncertain the server software firewall will be properly configured and want an appliance to filter the traffic in advance, or you know that the filtering done on the box is so processor-intensive that you want to offload it to an external appliance.
Enterprise Network Engineer :: Hosting Hobbyist :: Master of Procrastination
"The really cool thing about facts is they remain true regardless of who states them."