That not esentialy true in all aspects. If your database is on a web server
and it's internal without real prblems of people internally trying to hack
you, You can set up and ACL (Access Control List) In IIS to limit the IP's
that are allowed to view the page that is requesting info from that
database.
However You can also do this from inside a router on your internal network
if you have access to it. There are multiple ways other than firewalls to
limit access by IP. Just depends on your network infrastructure, File share
type and location. As well as OS on the server. Linux and Novell has other
features as well to limit access.
However a firewall will only stop ips from coming into the server as a
whole. Not to just that one database. So if you just wanna allow say 10
people in your organization to access that database on server that 100 other
people Authenticate through then the firewall will actually not work at all.