Hacker News
by mukesh610 1199 days ago
Not exactly sure how streamlined your security process is, but for some orgs it is a red tape roller coaster to even get one TCP port open.

Anyways, you could also block all traffic to ngrok servers just to ensure your Dev teams aren't skirting around your firewall.

2 comments

Yeah I get it, but everyone needs to be responsible for security as well. Look what happened with LastPass. I can totally see someone doing something silly like exposing a device with default creds like a MySQL db on a production box, then forgetting about it and getting a new job a year later.

I do block proxies like this, but it’s hard to block every little thing.

I remember when I believed in bastions and DMZ. Many companies have given up on this due to the fact that it can only be enforced by policy and not by tech.
Ngrok is just one company tho, there are thousands of ways. WireGuard or Nebula can be self-hosted and another server with an actual port open will forward traffic. People can use SSH's reverse port forwarding too.

Or you can use cloudflared or another one of ngrok's competitors.