Do you maybe have any suggestions for starting points in network/server security?

This is a deep question. I would start by Googling “cybersecurity best practices for business” and read/watch some videos. I can reply later with some more detail on your other questions.

Is plugging a switch between the Huawei and two routers, and some configuration, really all that’s necessary? Does it work like that at all?

Technically, yes. This is pretty common in enterprise. In fact, on my second internet connection here at home (used for work) I have 13 static public IPs, and I use them for testing configurations. The connection comes into my core switch, allowing me to put any number of firewalls “on the WAN” without opening any of my internal network to that traffic.

Wouldn’t a malicious party be able to cross through the static IP connection into my LAN via the switch?

No, because connected to the switch are two separate NAT routers/firewalls.

Do I have to look for anything specific for the switch, DHCP support or anything like that?

No, all I would look for is a layer 2 switch. Any of those little Netgear/TP-Link/etc five port jobs will do it for you.

Are there any other pitfalls that I don’t yet know about or might have missed?

Yes: security. There is no way in hell I would expose anything intentionally to the internet with just a consumer router in the way. In your case, this is doubly important because you are coming at this from a lack of knowledge. There’s nothing wrong with lacking knowledge – we’re not born knowing anything. It’s just far too easy to inadvertently open yourself up to attack.

To keep the private parts of the server private, do I install another network card in it, then run a cable from the router that is going to be configured for dynamic IP, and configure the VMs to be accessible only via that network interface? Is it possible and is it safe?

Without knowing the rest of your network topology, I want to say this is a soft “yes”. Again, I do this: my VM host’s network configuration includes the VLAN that leads to my business ISP. I can put a VM (e.g., a firewall VM) on the ISP VLAN and then put other VMs “behind” it on another VLAN. This forces the traffic to pass through the firewall and keeps the rest of the network secure.

Make sure you understand what’s happening before exposing anything internal to the network, and that includes your host’s network configuration.

Would it be better/safer to run a separate dedicated machine for public hosting, entirely apart from my home server?

In your case, this is what I would do. You don’t need much. If you check out Level1Techs or ServeTheHome, they’ve been doing tons of reviews on little mini PCs that would be perfect for this job. You could install Proxmox on them and use a virtual firewall distro like pfSense along with a few VMs to serve up. Just be careful about how you connect that host to the rest of your network for management.

Alternatively, consider one of the low-cost cloud hosted solutions. I used DigitalOcean often for small projects I needed exposed to the internet. For $5-10 per month, you get a VM you can work with and expose absolutely none of your home network until you’re confident you can secure it.

That’s historically how east-west would be mediated within an enterprise environment for devices incapable of being secured with agents.

Absolutely, and I’ve implemented similar east-west controls (as either prevent-first or for detection). You’ll get no argument from me on that. I’m just noting an interesting trend as IoT devices become more ubiquitous in commercial and industrial environments, and some of those devices must (for whatever reason) have access to some part of the network or internet.

I watch networkchuck on occasion, but some of his ideas are… questionable I think. Not necessarily wrong, but not the “YOU MUST DO THIS” that his titles suggest (I get it, get clicks, no hate).

Of the ideas you mentioned, (2), (3), (4), and (5) are somewhere between “reasonable” and “definitely”. The rest are either iffy (unattended updates) or security theater (disable ICMP, change ports).

Something to keep in mind for step (2), securing SSH login with a key: this is only as secure as your key. If your own machine, or any machine or service that stores your key, is compromised then your entire network is compromised. Granted, this is kind of obvious, but just making it clear.

As for security theater, specifically step (6). Don’t disable ping. It adds nothing to security and makes it harder to troubleshoot. If I am an attacker in a position for ping to get to an internal resource in the first place, then I’m just going to listen for ARP broadcasts (on same subnet) or let an internal router do it for me (“request timed out” == host is there but not responding).

They can’t even have an antivirus agent installed on them.

That’s actually no longer true… kinda. You can’t install AV on them, but there are security companies filling the niche of embedded IoT security. Now, you won’t see this in your average consumer device, but on the commercial market there is a growing demand for some way to secure an embedded device from malicious software/firmware modifications.