There is nothing wrong with running servers inside the corporate network - except that the corporate network should not be one wide, flat network. You should consider segregating assets and users into different "zones" and then write rules that allow the right (and expected) access between those zones. In your model, include an "internet zone" and also any direct links to third parties your company may have (e.g. VPN to suppliers).
I would always use firewalls rather than simply splitting the network into VLANs. Firewalls offer better functionality to build rules (or groups of rules) so you can whitelist traffic that you expect to flow between zones.
You can place security controls on intra-zone borders, such as:
- IPS/IDS reporting to your SOC/SIEM
- Access control list functionality (supported by some firewall manufacturers) that will allow you to ensure that only authorised users may access a zone where servers/apps reside. Of course, your DENY log will be useful for the SOC.
Organising the zones will be different for every organisation, but common examples are:
- segregating development/testing from production
- segregating users from production servers
- segregating high-risk or highly sensitive application servers from non-sensitive application servers
There are some risks. Take care not to overdo the number of zones and make it too complex; otherwise the burden of maintaining rules will become a big cost. Consider investing in a firewall product that has good rules management, or even a separate rules management application (e.g. Tufin SecureTrack; there are others too).
Also be aware that some firewall suppliers have proprietary ways of adding ACLs to rules; these can have a heavy hit on performance of the firewall and you may need larger kit than expected.
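As an added illustration (not part of the answer above or any vendor's product), here is the zone model described in that answer reduced to a small allowlist evaluator in Python: zones with address ranges, an explicit list of expected inter-zone flows including a per-rule user-group ACL, default deny for everything else, and a DENY record in the shape a SIEM would ingest. The zone names, address ranges, rules and log format are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed zone layout for the example; the address ranges are made up.
ZONES = {
    "users": ipaddress.ip_network("10.10.0.0/16"),
    "prod": ipaddress.ip_network("10.20.0.0/16"),
    "devtest": ipaddress.ip_network("10.30.0.0/16"),
    "supplier_vpn": ipaddress.ip_network("172.16.5.0/24"),
}

def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside known space is the internet zone."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "internet")

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    comment: str
    group: str = ""  # user group required to match (the per-rule ACL feature); "" = any user

# Allowlist of expected inter-zone flows; anything not listed here is denied.
RULES = [
    Rule("users", "prod", "tcp", 443, "staff to production web front end"),
    Rule("users", "prod", "tcp", 3389, "RDP to prod, admins only", group="prod-admins"),
    Rule("users", "devtest", "tcp", 22, "developers to test hosts"),
    Rule("supplier_vpn", "prod", "tcp", 8443, "supplier B2B API over the VPN link"),
]

def evaluate(src: str, dst: str, proto: str, dport: int, group: str = ""):
    """Return (verdict, reason) for one flow; traffic inside a single zone is not policed here."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return "allow", f"intra-zone {s}"
    for r in RULES:
        if (r.src_zone, r.dst_zone, r.proto, r.dport) == (s, d, proto, dport):
            if not r.group or r.group == group:
                return "allow", r.comment
    return "deny", f"no rule for {s}->{d} {proto}/{dport}"

def deny_log_line(src: str, dst: str, proto: str, dport: int, group: str = ""):
    """SIEM-style record for a denied flow, or None when the flow is allowed."""
    verdict, reason = evaluate(src, dst, proto, dport, group)
    if verdict == "allow":
        return None
    return f'DENY src={src} dst={dst} proto={proto} dport={dport} zones={zone_of(src)}->{zone_of(dst)} reason="{reason}"'
```

Note that a dev/test host reaching a production database port, or an internet address reaching the production web port, both fall through to the default deny and produce a log record, which is exactly the traffic the SOC wants to see.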