I currently have several VLANS (management for network devices, iot for smart devices, infra for security cameras and NAS, one for personal devices, anothe for guests, etc.
Currently I’m hosting a game server which is exposed to the outside world and am thinking of adding a couple more similar services.
Is it best practice to put such machines on their own isolated VLAN to minimize their attack surface?
Yes, it is generally a good idea to put internet-facing servers on a network that is separated from the local network. The point of this is not to minimize their attack surface (since they are already connected to the internet after all) but to prevent them from being used as a stepping stone for attacks on your internal network. To make this effective, you should block traffic from the internet-facing network to the rest of your network and treat it as potentially untrusted.
The reverse is also true. The typical Windows PC is much more prone to being breached than a reasonably well managed Linux server.
Reverse Proxy as much as you can so you only have one port, I haven’t found anything I haven’t been able to even Plex, but haven’t done a game server other then minecraft.
Whitelist Geoip location, use crowdsec
I haven’t bothered with network segregation I used too but then revaluated and just realized it wasn’t worth it for me.
Removed by mod
Removed by mod
I recommend putting public-facing devices on a separate VLAN, and run as much as possible through a reverse proxy, to only have a single port open. Network monitoring is important too.
