Firewalls and IPS systems still have their place and can help guard against simple exploits and Denial of Service attacks. To properly protect valuable web application servers though, an actual Web Application Firewall should also be used. A WAF works by examining the application layer to protect against common web server attacks such as cross site scripting and SQL injection attacks. These types of attacks are not caught by standard firewalls and IPS solutions, and most WAF's also function as a reverse proxy. This has the added benefit of making sure traffic from the Internet is not just 'passed' through to your servers, but is instead stopped at the WAF where a new connection is made on its behalf. This has the additional benefit of allowing for other advanced features such as malware scanning, and SSL offloading. Note that if credit cards numbers are processed on your web server you probably fall under PCI regulations, and may be required to have either a Web Application Firewall, or a code review to ensure you're not susceptible to common exploits. In addition to having a WAF you can also try to protect your web servers using a few other techniques such as: Separation of resources
Install web application servers in a protected DMZ which has no access to the local LAN or internal users. This prevents opening up the entire organization to threats should a successful exploit occur. Know your network and how it appears to others
Review what information is available to would be attackers. The less unintended information available, the better. Review public DNS records to ensure only valid corporate information is available and no personal employee information is listed. Attackers may use public information about an organization and its employees to help launch a socially engineered attack. Check web server responses to make sure information about Operating System, application used, etc. are not available. Review error pages to ensure no useful information is given out such as local machine name or directory structure. Limit responses to probes/errors...