Yes and no. At a theoretical level this is absolutely right. If you have a multi person dedicated security team, why not. This is not the kind of content I’m going to push from here.
I wager that the added benefit of most bastion deployments in smaller shops are subtracted by poor maintenance, poor log monitoring and general lack of expertise. I also propose that this sense of security often leads to having a soft core network and relying on the edge defences, and that those edge defences can very well become a staging ground for poking your internal network.
I don’t disagree that a managed pfsense instance or equivalent provides adequate protection. My opinion is that a lot of people are deploying their own bastions because the internet is flooded with tutorials and that they are unnecessary and increasing the attack surface while spreading security complacency.
I hate bringing up costs but a truly managed, always patched, bastion instance + the required NAT gateway will also run up your costs. Does it matter at 20k spending? Maybe not. Does it matter at $100 spending? Yup. In our own case this was not a driving factor, but I see a diverse set of clients as a consultant, so I respect the issue.
We, as developers and IT professionals, will always complain that management will have to pay what it takes and we shouldn’t be saving $100 on services here and $200 there. But it all adds up, and we tend to forget that we are not (all) hired to build technological hangar ships. We are hired to make the company money. That’s it, bottom line. Should we throw all knowledge out the window? Definitely no! But I would like to challenge the conventional approach in general and make people think closely about if they can get 80% the result for 20% the effort/cost. We are about solving problems, it’s what we are good at – we just need the right angle!
Most threat models are quite simple and can be summed up to the general “curious” internet, automated attack bots and maybe your neighbouring company if their 17 year old is a tech savvy future programmer and you are running old versions of Wordpress. You won’t experience real APT’s unless you are a (real) high profile target, and then you should have a dedicated security team and ignore all advice in this post. For context, our corporation average around $600k net profit globally (revenue numbers undisclosed) and we don’t consider our team high profile by any means. I’m way more worried about the OpSec of the people and their devices that I would ever be about not having a bastion.
You don’t need the ability to authenticate your connections twice in the scenarios a small to mid sized company is likely to experience. If you are probably updating and hardening all your servers, shipping logs externally, using public key authentication (add 2fa if you want) and further limiting access by source IP for a specific period of time before requiring a new “opening”, you will be just fine.
Lots of machines on the internet survive on automated updates, public key auth and port 22 open to everybody. Now you’ve added source filtering.
Do you really need the rest of the security onion?