@Jason. I agree. Some simple rules for internet-facing apps that really, really help to cut down on intrusions are always good.
1. No inbound interactive connections
2. Any inbound connections need to land in a firewalled DMZ (i.e. user -- firewall -- ltm -- content layer (apache/weblogic) -- firewall -- business logic layer).
3. Comms between the DMZ and BLS (Business Logic Servers) shouldn't simply be proxied through, and should probably be a different protocol.
4. No data in the DMZ
5. No filesharing from DMZ to internal networks (This one I've broken before. I have used kerberised NFSv4 and AFS clients on a DMZ accessing internal filesystems. But that was purely to pass statistical and log data back to the internal net).
You can add firewalls between the BLS and databases as well if you like and can afford the latency. If you can't, try and segregate the databases that are accessed from the other databases.
Internal and external DMZ firewalls CAN be the same unit (i.e. the DMZ hangs off the side of your internet-facing firewalls), but it is a lot better (safer, and easier to prove the rules are correct) to have separate hardware (although, again, I've been playing with VSX and virtual firewalls recently).
H
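The tiered layout and the five rules in the comment above, expressed as a checkable policy model. This is an added example, not code from the original post or from any product it names: the zone names, the interface map, the port sets and the sample ruleset are all assumptions chosen for illustration. The checks are approximations of the comment's points (for instance "no data in the DMZ" is modelled as "no database listener reachable in, and no direct DMZ-to-database path from, the DMZ"), and the nftables rendering assumes one box sees every segment; with separate hardware per tier you would split the emitted rules per box.

```python
"""
Policy model of the layout in the comment above:
  user -- firewall -- ltm -- content layer -- firewall -- business logic layer
Rules are data; the checks encode the numbered points. Added example, not part
of the original post; zone names, ports and the sample ruleset are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed port sets; extend them for the protocols actually in use.
INTERACTIVE_PORTS = {22, 23, 3389, 5900}   # ssh, telnet, rdp, vnc
FILESHARE_PORTS = {445, 2049, 7000}        # smb, nfs, afs fileserver
DB_PORTS = {1521, 3306, 5432}              # oracle, mysql, postgres

# Assumed zone -> interface map for the nftables rendering.
ZONE_IF: Dict[str, str] = {"internet": "eth0", "dmz": "eth1", "bls": "eth2",
                           "db": "eth3", "internal": "eth4"}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str
    port: int


# Constructed sample ruleset for the two firewalls. Everything else is denied.
RULES: List[Rule] = [
    Rule("internet", "dmz", "tcp", 443),   # users hit the LTM / content layer over HTTPS
    Rule("dmz", "bls", "tcp", 7001),       # content layer -> BLS over the app protocol, not HTTPS
    Rule("bls", "db", "tcp", 1521),        # optional third firewall between BLS and databases
    Rule("dmz", "internal", "udp", 514),   # stats/log data back to the internal net only
]

# A constructed ruleset that breaks points 1, 3 and 5, for contrast.
SLOPPY_RULES: List[Rule] = RULES + [
    Rule("internet", "dmz", "tcp", 22),    # ssh from the internet
    Rule("dmz", "bls", "tcp", 443),        # DMZ just proxies HTTPS through to the BLS
    Rule("dmz", "internal", "tcp", 2049),  # NFS from the DMZ into the internal net
]


def is_allowed(rules: List[Rule], src: str, dst: str, proto: str, port: int) -> bool:
    """Default-deny lookup: only an exact rule match permits a flow."""
    return any(r == Rule(src, dst, proto, port) for r in rules)


def violations(rules: List[Rule]) -> List[Tuple[Rule, str]]:
    """Rules that break the comment's points 1-5; an empty list means the set passes."""
    front = [r for r in rules if r.src == "internet"]
    bad: List[Tuple[Rule, str]] = []
    for r in rules:
        if r.src == "internet" and r.port in INTERACTIVE_PORTS:
            bad.append((r, "1: inbound interactive connection"))
        if r.src == "internet" and r.dst != "dmz":
            bad.append((r, "2: inbound connection does not land in the DMZ"))
        if r.src == "dmz" and r.dst == "bls" and any(
                f.proto == r.proto and f.port == r.port for f in front):
            bad.append((r, "3: DMZ->BLS simply proxies the inbound protocol"))
        if (r.dst == "dmz" and r.port in DB_PORTS) or (r.src == "dmz" and r.dst == "db"):
            bad.append((r, "4: data (a database path) reachable in or from the DMZ"))
        if r.src == "dmz" and r.port in FILESHARE_PORTS:
            bad.append((r, "5: filesharing from the DMZ to internal networks"))
    return bad


def to_nft(rules: List[Rule]) -> str:
    """Render the model as an nftables forward chain with a drop policy."""
    lines = ["table inet tiers {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for r in rules:
        lines.append(f'    iifname "{ZONE_IF[r.src]}" oifname "{ZONE_IF[r.dst]}" '
                     f"{r.proto} dport {r.port} ct state new accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for name, rs in (("RULES", RULES), ("SLOPPY_RULES", SLOPPY_RULES)):
        print(f"{name}: {len(violations(rs))} violation(s)")
        for rule, why in violations(rs):
            print("  ", rule, why)
    print(to_nft(RULES))
```

Running it reports no violations for `RULES` and three for `SLOPPY_RULES` (points 1, 3 and 5), then prints the nftables chain; the value of keeping the policy as data is that the "prove the rules are correct" step in the comment becomes a script you can run before pushing a change, rather than a read-through of two separate boxes' configs.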