Defence in depth for serious apps looks like... (assuming Java EE)
- outer firewall (router)
- DMZ reverse proxy server with intrusion detection, NAT
- inner firewall (router private IP addresses)
- web server / container
- EJB container (proxy DB user to access stored procs)
- database firewall (router - only EJB server can access)
- database stored procs
- database tables/views <<< this is what is being protected
So from the outside you just see a web server (aka reverse proxy). It also limits internal access to the transactional database, given that more attacks occur from internal networks.
The above model is used by banks etc. Fairly standard in the corporate space.
Naked is not a genuine option.
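An added example, not code from the post above, of what the "proxy DB user to access stored procs" layer looks like at the database end: a PostgreSQL role for the EJB container that can execute one stored procedure but cannot read or write the protected table directly. The role, table, procedure and password are assumed names for illustration.

```sql
-- Added example (not from the original post): PostgreSQL least-privilege
-- layout for the EJB-container DB user. All names below are assumed.

-- 1. The protected table. No application role gets a direct grant on it.
CREATE TABLE accounts (
    id      bigint        PRIMARY KEY,
    owner   text          NOT NULL,
    balance numeric(14,2) NOT NULL CHECK (balance >= 0)
);

-- 2. The only identity the EJB tier connects as. It owns nothing.
CREATE ROLE ejb_app LOGIN PASSWORD 'replace-me' NOINHERIT;
REVOKE ALL ON SCHEMA public FROM PUBLIC;
GRANT USAGE ON SCHEMA public TO ejb_app;
REVOKE ALL ON accounts FROM PUBLIC;   -- no SELECT/INSERT/UPDATE/DELETE

-- 3. Stored procedure wrapping the single permitted operation.
--    SECURITY DEFINER runs it with the owner's rights, so ejb_app needs
--    no table grant; the fixed search_path prevents search-path hijacking.
CREATE OR REPLACE FUNCTION transfer(src bigint, dst bigint, amt numeric)
RETURNS void
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = public, pg_temp
AS $$
BEGIN
    IF amt <= 0 THEN
        RAISE EXCEPTION 'amount must be positive';
    END IF;
    -- CHECK (balance >= 0) on the table rejects an overdraft here.
    UPDATE accounts SET balance = balance - amt WHERE id = src;
    IF NOT FOUND THEN RAISE EXCEPTION 'unknown source account'; END IF;
    UPDATE accounts SET balance = balance + amt WHERE id = dst;
    IF NOT FOUND THEN RAISE EXCEPTION 'unknown destination account'; END IF;
END;
$$;

-- 4. Grant EXECUTE only. PostgreSQL grants EXECUTE on new functions to
--    PUBLIC by default, so revoke that before granting to the app role.
REVOKE EXECUTE ON FUNCTION transfer(bigint, bigint, numeric) FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION transfer(bigint, bigint, numeric) TO ejb_app;

-- 5. Verify from the EJB identity: direct table access is refused,
--    the procedure is allowed.
SET ROLE ejb_app;
SELECT * FROM accounts;        -- ERROR: permission denied for table accounts
SELECT transfer(1, 2, 25.00);  -- succeeds (given rows 1 and 2 exist)
RESET ROLE;
```

The same pattern applies per operation: each stored procedure is the only path to the tables, so a compromised web or EJB tier holding the ejb_app credentials is limited to the procedures it was granted rather than the whole schema.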