The web access won't be going through an application layer? Is there any kind of a firewall between the web/app servers and the database servers? If not, then you have a serious security problem with no way to fix it.
1. Change your default SQL Server port to not use 1433.
2. Ensure the firewalls only allow traffic on the port necessary. Close everything else.
3. Only allow Windows authentication. Have the web apps/apps run under different user accounts and give them only access to the stored procedures they need access to.
4. Monitor to make sure there are no permission changes and no logins from other servers using these logins. You can use a trace for this.
The idea is to minimize risk, and monitor for known weaknesses.
When life gives you a lemon, fire the DBA.
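The Windows-authentication and stored-procedure-only setup from points 3 and 4 above, as an added T-SQL example that is not part of the original post; the domain account CORP\WebAppSvc, the database SalesDb and the two procedure names are placeholder assumptions.

```sql
-- Added example (not from the original post): least-privilege setup for a
-- web application's service account using Windows authentication only.
-- Assumptions: CORP\WebAppSvc, SalesDb and the two procedures are placeholders.
USE [master];
GO
-- Windows login: no SQL password is stored in the app config or sent over the wire.
CREATE LOGIN [CORP\WebAppSvc] FROM WINDOWS WITH DEFAULT_DATABASE = [SalesDb];
GO
USE [SalesDb];
GO
-- Map the login to a database user that is a member of no fixed database role.
CREATE USER [WebAppSvc] FOR LOGIN [CORP\WebAppSvc];
GO
-- Grant EXECUTE only on the procedures the application calls. With no table
-- permissions, the account cannot run ad hoc SELECT/INSERT/UPDATE against the tables.
GRANT EXECUTE ON OBJECT::dbo.usp_GetOrdersByCustomer TO [WebAppSvc];
GRANT EXECUTE ON OBJECT::dbo.usp_CreateOrder TO [WebAppSvc];
GO
-- Check for point 4: every explicit permission held by the app user. Anything
-- other than EXECUTE on the intended procedures is a permission change to investigate.
SELECT pr.name AS principal,
       pe.permission_name,
       pe.state_desc,
       OBJECT_SCHEMA_NAME(pe.major_id) + '.' + OBJECT_NAME(pe.major_id) AS securable
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pe.grantee_principal_id = pr.principal_id
WHERE pr.name = 'WebAppSvc';
GO
-- Check for point 3: 1 means the instance accepts Windows authentication only;
-- 0 means mixed mode, so SQL logins (listed by the second query) are still usable.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;
SELECT name, is_disabled FROM sys.sql_logins ORDER BY name;
GO
```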