I currently have several VLANS (management for network devices, iot for smart devices, infra for security cameras and NAS, one for personal devices, anothe for guests, etc.
Currently I’m hosting a game server which is exposed to the outside world and am thinking of adding a couple more similar services.
Is it best practice to put such machines on their own isolated VLAN to minimize their attack surface?
Yes, it is generally a good idea to put internet-facing servers on a network that is separated from the local network. The point of this is not to minimize their attack surface (since they are already connected to the internet after all) but to prevent them from being used as a stepping stone for attacks on your internal network. To make this effective, you should block traffic from the internet-facing network to the rest of your network and treat it as potentially untrusted.
The reverse is also true. The typical Windows PC is much more prone to being breached than a reasonably well managed Linux server.
Reverse Proxy as much as you can so you only have one port, I haven’t found anything I haven’t been able to even Plex, but haven’t done a game server other then minecraft.
Whitelist Geoip location, use crowdsec
I haven’t bothered with network segregation I used too but then revaluated and just realized it wasn’t worth it for me.
Here is my quick list for outward facing servers:
- Isolate them from your main network. If possible have then on a different public IP either using a VLAN or better yet with an entire physical network just for that - avoids VLAN hopping attacks and DDoS attacks to the game server that will also take your internet down;
- If you’re using VLANs then configure your switch properly. Decent switches allows you to restrict the WebUI to a certain VLAN / physical port - this will make sure if your server / IoT devices are hacked they won’t be able to access the Switch’s UI and reconfigure their own port to access the entire network. Note that cheap TP-Link switches usually don’t have a way to specify this;
- Only expose the game server service to the Internet. Everything else such as SSH, configuration interfaces and whatnot can be moved to another private network and/or a WireGuard VPN you can connect to when you want to manage the server;
- Use custom ports with 5 digits for everything - something like 23901 (up to 65535) to make your service(s) harder to find;
- Disable IPv6?
- Use nftables / iptables / another firewall and set it to drop everything but those ports you need for the game sever and the management VPN access to work;
- Use your firewall to restrict what countries are allowed to access your server. If you’re just doing it for a few friends only allow incoming connection from your country (https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching)
Realistically speaking if you’re doing this just for a few friends why not require them to access the server through WireGuard VPN? This will reduce the risk a LOT and won’t probably impact the performance. This is a decent setup guide https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-debian-11 and you might use this GUI to add/remove clients easily https://github.com/ngoduykhanh/wireguard-ui.
I really would love to know what’s the downvote about.
I recommend putting public-facing devices on a separate VLAN, and run as much as possible through a reverse proxy, to only have a single port open. Network monitoring is important too.