[Bluecobra]

> This is intended for small teams that need to expose the local development environment to the public internet

As someone who has to manage enterprise firewalls, this is a nightmare from a security perspective. I’m more than happy to host some project in a DMZ. I have already had some devs skirt our security policies with ngrok rather than simply talk to us about their needs. I can’t say I’m a fan of punching permanent holes into a firewall like this.

[Timon3]

I understand your perspective, it's absolutely right to insist on security in a corporate environment. I have also seen the other side as a developer and saw it happen a number of times. Understanding why it seems tempting to developers is probably the best way to fully get rid of it (although you might be doing so already, probably no way to fully get rid of the problem). The reasons I've seen usually were:

- Undocumented or unknown processes. Many enterprises have a discoverability problem regarding almost all information, and as somebody that frequently required some special support for my work, it often took shockingly long to find a person who knew how to find the information in the respective intranet. It's important that not only are the services available, they also must be discoverable and known.

- Complicated processes. A portion of developers that require these services are using them for the first time, or have used them without fully understanding and considering the implications. If the process for requesting support is too complicated (e.g. requiring a form where you either require very detailed information without assistance on how to find it, or - the worst case - a form with fields where the people responsible say "oh, just fill it with random stuff to keep going") it will make some people choose the less secure way to get going with work.

- Long processes. If a developer wants to use such a service and it takes weeks to months to receive support (e.g. overload of tickets, or the only person responsible is on vacation) it sometimes leaves little to no choice.

But again, definitely not advocating for circumventing security!

[mukesh610]

Not exactly sure how streamlined your security process is, but for some orgs it is a red tape roller coaster to even get one TCP port open.

Anyways, you could also block all traffic to ngrok servers just to ensure your Dev teams aren't skirting around your firewall.

[Bluecobra]

Yeah I get it, but everyone needs to be responsible for security as well. Look what happened with Lastpass. I can totally see someone doing something silly like exposing a device with default creds like a MySQL db on a production box, then forgetting about it and getting a new job a year later.

I do block proxies like this, but it’s hard to block every little thing.

[alexnewman]

I remember when I believed in bastions and DMZ. Many companies have given up on this due to the fact that it can only be enforced by policy and not by tech

[IceWreck]

Ngrok is just one company tho, there are thousands of ways. Wireguard or nebula can be selfhosted and another server with an actual port open will forward traffic. People can use SSH's reverse port forwarding too.

Or you can use cloudflared or another one of ngrok's competitors.

[capableweb]

> > This is intended for small teams

> As someone who has to manage enterprise firewalls

Clearly not intended for you, as the quoted part tells you outright who it is intended for.

[ako]

There are many small teams within large enterprises, one does not exclude the other…

[Bluecobra]

I think it’s a bit naive to believe that would stop someone from using this. Some new employee literally tried to install a CD crack on a work computer for some game just the other day.