I’m always surprised at the number of organizations that don’t use private VLANs on their public-facing servers. Private VLANs (A Cisco systems feature, but other manufactures have equivalents) prevent a compromised server from being used as jumping off point to attack other servers. It essentially isolates devices on a subnet so that they can talk to the network gateway, but not to other devices on the same subnet. Private VLANS can prevent your web server, for example, from being used to attack your mail server. It’s a simple configuration, and one that should be in your network administrator’s toolbox.