Exactly this.
Apart from anything else, why would you run a public-facing server on the same network as internal systems? If stuff inside your corporate network needs to be accessible from the public internet, it should be done via tightly controlled ports through a DMZ, tied down as much as humanly possible.
Do you want to get hacked? Because that's how you get hacked...