I disagree. The border is just one aspect, and your typical threats tend to be the result of intentional stupidity (employee systems), or internal maliciousness (soon to be ex employee).
A border firewall will not help in this particular case. Additionally, depending on the users access, no firewall may help.
My preference, is typically to setup every server with a default deny, permit IPSEC traffic only to and from the support components on the internal network. Then obviously open the business requirements to provide a server. Example, a Web server that connects to a DB and image processing server, port 80/443 open from external to DMZ web server (DMZ and Application zones are separate), all other incoming ports from external are blocked, your border router can cover this.
Internally, default deny to everything, permit IPSEC, between Web Server, DB and Image processing server, as well as terminal/jump servers. Tunnel all communications over IPSEC between the servers.
In that way, man in the middle attacks become almost impossible, there is no sniffing traffic if a user manages to get local segment access, If the system is compromised in some way (SQL injection, etc, assuming the services are not running as administrator), the servers cannot be used as a jump point to other servers and components in the network, and vice versa....
Call me paranoid.. but that is how I do things.
Also, there is no additional cost (except system overhead, and that can be compensated for by crypto cards, or the new Intel AES CPU instruction sets on their current gen Xeons, and I am sure other procs) to running IPSec, it has been included on every Windows server since 2003, and for Unix, Raccoon is free and works just fine.