System/Network Security
As a security nerd, I am going to attempt to add value to this thread. Since updates are turned off, and there's a pretty wide attack surface, I've been thinking about how to keep my miner(s) isolated from the rest of my systems except for some remote access. Here are some initial thoughts:
- Without hardening the system, I need to put some network access control function/device between my user network and the miners.
- I have an old broadband router that I can put them behind with the "internet side" facing my internal network.
  - Have the "broadband side" configured with a static IP address on my user network.
  - Open TCP/22 (for ssh and scp) and redirect it to the first miner. You can use that one as a jump-box to get to the others.
  - Open TCP/3389 (Windows Remote Desktop) and have that directed to a Windows box (old laptop perhaps) and use that as a jump-box for about anything.
- I actually have several actual firewalls (Forcepoint/Sidewinders and a Palo Alto Networks) that can segment the network for me, not to mention IPS, etc.
  - Open the same ports as above?
ASCII Network Diagram
Internet --> Main firewall --> User Network (where my workstations and servers are) --> Miner Firewall/Broadband-router --> Miner Network
Are there any recommendations on OS hardening you could recommend?
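
The segmentation sketched in this post, written out as an added example that is not part of the original post: an nftables ruleset, assuming the miner firewall is a Linux box with two interfaces rather than the broadband router. The interface names and addresses are constructed placeholders, and the ruleset assumes the miners need outbound internet access but nothing on the user network.

```nftables
#!/usr/sbin/nft -f
# Constructed placeholder values (assumptions, not from the post).
define user_if    = "eth0"          # "broadband side", faces the user network
define miner_if   = "eth1"          # faces the miner network
define fw_user_ip = 192.168.1.250   # static address on the user network
define miner1     = 10.50.0.11      # first miner, SSH jump-box
define winjump    = 10.50.0.20      # Windows jump-box for RDP

flush ruleset

table inet miner_fw {
    chain input {
        # The firewall itself accepts nothing new; manage it from the console.
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state invalid drop
        ct state established,related accept

        # Inbound: only connections that matched a port-forward below.
        iifname $user_if oifname $miner_if ip daddr $miner1 tcp dport 22 ct status dnat accept
        iifname $user_if oifname $miner_if ip daddr $winjump tcp dport 3389 ct status dnat accept

        # Outbound: miners may reach the internet but never private ranges,
        # so a compromised miner cannot open connections into the user network.
        iifname $miner_if oifname $user_if ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } log prefix "miner->lan drop: " drop
        iifname $miner_if oifname $user_if accept
    }
}

table ip miner_nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname $user_if ip daddr $fw_user_ip tcp dport 22 dnat to $miner1
        iifname $user_if ip daddr $fw_user_ip tcp dport 3389 dnat to $winjump
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $user_if masquerade
    }
}
```

With these rules the miners cannot use a DNS resolver on the user network; they need a public resolver, or an explicit accept rule for the one internal resolver placed above the private-range drop.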