[iloveponies]

2FA and VPNs are not exclusively the only way to secure things. X.509, bastion servers, airgaps that require physical access to a secure facility etc are also valid options, dependent on your systems and their configuration.

[jumby]

Granted, but an airgap would make working with some internal support tool a bit cumbersome :)

Bastion servers if properly firewalled might be OK for a short term solution. The concern there is if you allow unfettered ssh (for example) is someone watching for the inevitable brute-forcing that will ensue?

[iloveponies]

Mandatory SSH keys mitigates the brute forcing risk, and turns it into a nuisance. My employer presently has this arrangement and has done so for a while. Bastions only get you in the door: different entrances for different environments, users keys are only propagated to the machines they need.

[jumby]

Roger that. I keep thinking of my customer support people as non-technical and for whom ssh keys, port forwarding & bastion hosts are way over their heads but your point is taken. There are other (cheaper!) ways to secure an internal network.

[oomkiller]

Disable login via password, install fail2ban to help with the extra overhead/traffic.

[bolder88]

If you have ssh running anywhere, please disable password access. Use keys. It should come installed like that.