If you want to really harden it, then you know you need layer 7, and that the servers have to have a firewall in them too. I haven't played with the firewall in the server because my boss seems to think it is more important to give the users continuous access without interruptions (which will occur during deployment and testing) than security. He thinks a layer 2 and 3 firewall is enough. Should I show him the logs from my web server?