To protect internal users and networks I really like the approach used in the Fortinet Fortigate firewall appliances, which integrate a lot of anti-virus, intrusion protection, and other higher level abstractions directly into the firewall. The Fortigate is just a standard firewall, however, when it comes to protecting internal servers against hackers. For example, you can design a set of firewall rules that might limit incoming connections to the web server to port 80, but there is no protocol level inspection of incoming HTTP requests, to detect or block specific kinds of probes or attacks against the web server.
Does any vendor make a firewall appliance that is specifically focused on protecting internal web servers and blocking against specific kinds of attacks? Any references to such appliances are appreciated.