Restrict Network Access to Critical Services

Keeping both middle-tier applications and databases behind a firewall restricts access to those systems to a known network route that you can monitor and restrict. Alternatively, you can use a firewall router as a substitute for several independent firewalls.

If you can't use firewalls, you can restrict access based on IP address. However, restricting database access by IP address often causes application client/server programs to fail for DHCP clients. To resolve that problem, consider using static IP addresses, a software or hardware VPN, or Windows Terminal Services or a similar service.
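The following added example (not part of the original page) builds an IP allowlist for a database port in iptables-restore syntax and flags any allowlisted address that falls inside the DHCP lease range, which is the failure mode described above. The port number, the DHCP pool, the addresses and the function names are all assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample values (documentation address ranges); not from the original page.
DB_PORT = 1521                               # assumed database listener port
DHCP_POOL = ("192.0.2.100", "192.0.2.200")   # assumed dynamic lease range (IPv4)
ALLOWLIST = ["192.0.2.10", "192.0.2.150", "198.51.100.0/28"]


def in_dhcp_pool(network, pool):
    """Return True if any address of `network` lies inside the dynamic lease range."""
    lo, hi = (ipaddress.ip_address(a) for a in pool)
    return network[0] <= hi and network[-1] >= lo


def build_rules(allowlist, port, pool):
    """Return (rules, warnings) for a per-port source-address allowlist.

    Entries that overlap the DHCP pool are skipped and reported, because a
    client whose lease changes would silently lose (or another host gain) access.
    """
    rules, warnings = [], []
    for entry in allowlist:
        # strict=True rejects entries with host bits set, e.g. 192.0.2.10/24.
        net = ipaddress.ip_network(entry, strict=True)
        if in_dhcp_pool(net, pool):
            warnings.append(
                f"{net} overlaps DHCP pool {pool[0]}-{pool[1]}; "
                "use a static address or a VPN instead"
            )
            continue
        rules.append(f"-A INPUT -p tcp -s {net} --dport {port} -j ACCEPT")
    # Any source not explicitly allowed is dropped for this port.
    rules.append(f"-A INPUT -p tcp --dport {port} -j DROP")
    return rules, warnings


if __name__ == "__main__":
    rules, warnings = build_rules(ALLOWLIST, DB_PORT, DHCP_POOL)
    for w in warnings:
        print("WARNING:", w)
    print("\n".join(rules))
```

Review the generated lines before loading them into the host firewall; the script only produces text and does not change any firewall state.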

See About the Packet Filtering Firewall and Restricting Access to SSH Connections for more information on how to restrict and secure network access.