The security benefits of a web service layer between you web UI and database are, at best, minimal. Even with the network infrastructure suggested by slugster, your attacker is only unable to access the web services from his/her machine. Considering such a compromise would most likely also give the attacker some form of remote access to the web server itself, your network level access restrictions are totally useless. You might manage to prevent some forms of attach, but if someone is interested in getting access to the box, once they get it there is nothing on your network that will be able to distinguish an attacker from a legitimate user.

What makes it worse is that you are stuck with an extra layer of code that you have to maintain to support this extra layer, which means you are going to have more bugs, and it is going to take longer to create new features.

One approach to this would be to utilize some of the techniques described by the folks talking about CQRS in an architectural context. Specifically in this presentation by Udi Dahan he flat out suggests putting your database on the web server, and only storing the data in it you need to support the web site. The other data, the business data, is stored elsewhere, in a separate database. You could also use NoSQL databases, like MongoDB or RavenDB for the presentation data and forgo the relational database altogether.

There are a lot of options out there, and some of them will even give you the level of security you think your getting with your current architecture. It is always a good idea to provide some critical thinking to these sorts of decisions, and I find it encouraging that your asking these sorts of questions.

Good luck.