DMZ and databases


lyalc
12-04-2007, 02:32 AM
In a non-web server situation, should section 9.1 apply?
i.e. segregate app server and database server with firewalling?

Any views?

thanks
lyalc

jbhall56
12-04-2007, 09:36 AM
From a security and monitoring standpoint, I would give an emphatic yes.

This all goes back to network segmentation between application and data. Even on internal networks, you should isolate the data store to minimize the potential insider threat to the data.

lyalc
12-04-2007, 11:25 AM
I don't disagree.
The reality is that it means my client has to sell an additional $50k-$200k of costs to their customer to buy the application in order to achieve the network throughput.
hhhmmmm life is never simple.