For package upgrades, Ubuntu uses unattanded-upgrades and the default configuration is to install all security upgrades within about a day from their release.
You can change the default to include the auto-installation of all upgrades, if you want to.
You can disable IP forwarding between the two NICs, and setup the router not to allow communication between them within the LAN.