
Granted, but an airgap would make working with some internal support tool a bit cumbersome :)

Bastion servers, if properly firewalled, might be OK for a short-term solution. The concern there is, if you allow unfettered ssh (for example), is someone watching for the inevitable brute-forcing that will ensue?



Mandatory SSH keys mitigate the brute forcing risk, and turn it into a nuisance. My employer presently has this arrangement and has done so for a while. Bastions only get you in the door: different entrances for different environments, users' keys are only propagated to the machines they need.


Roger that. I keep thinking of my customer support people as non-technical and for whom ssh keys, port forwarding & bastion hosts are way over their heads but your point is taken. There are other (cheaper!) ways to secure an internal network.


Disable login via password, install fail2ban to help with the extra overhead/traffic.


If you have ssh running anywhere, please disable password access. Use keys. It should come installed like that.
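
Several comments above recommend disabling password login in favour of keys. As an added example that is not part of the thread, this Python check audits `sshd_config` text for that setting. It assumes upstream OpenSSH defaults for absent keywords and does not follow `Include` files; the sample config and function names are constructed for illustration.

```python
# Added example: audit sshd_config text for password-based login.
# Upstream OpenSSH defaults, used when a keyword is absent (assumption).
DEFAULTS = {"passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes",
            "pubkeyauthentication": "yes"}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Constructed sample: the second global line is ignored (first value wins),
# but the Match block re-enables passwords for one address range.
SAMPLE = """\
PasswordAuthentication no
PasswordAuthentication yes
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""


def effective_settings(config_text):
    """Return (global settings, Match overrides) for the audited keywords."""
    global_seen, overrides, current_match = {}, [], None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # simplification: drop comments
        if not line:
            continue
        parts = line.split(None, 1) + [""]
        key, value = parts[0].lower(), parts[1].strip()
        key = ALIASES.get(key, key)
        if key == "match":
            current_match = value  # following lines apply to this block only
        elif key in DEFAULTS and current_match is None:
            global_seen.setdefault(key, value.lower())  # first value wins
        elif key in DEFAULTS:
            overrides.append((current_match, key, value.lower()))
    return {**DEFAULTS, **global_seen}, overrides


def audit(config_text):
    """Return a list of findings; an empty list means keys-only login."""
    settings, overrides = effective_settings(config_text)
    findings = []
    # keyboard-interactive can still prompt for a password through PAM
    for key in ("passwordauthentication", "kbdinteractiveauthentication"):
        if settings[key] != "no":
            findings.append(f"global: {key} is '{settings[key]}'")
    if settings["pubkeyauthentication"] != "yes":
        findings.append("global: pubkeyauthentication is disabled")
    for cond, key, value in overrides:
        if key != "pubkeyauthentication" and value != "no":
            findings.append(f"Match {cond}: {key} is '{value}'")
    return findings
```

Running `audit(SAMPLE)` reports both the keyboard-interactive default and the `Match` block override, neither of which is caught by checking only the first `PasswordAuthentication` line.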



