Hacker News

> This is intended for small teams that need to expose the local development environment to the public internet

As someone who has to manage enterprise firewalls, this is a nightmare from a security perspective. I’m more than happy to host some project in a DMZ. I have already had some devs skirt our security policies with ngrok rather than simply talk to us about their needs. I can’t say I’m a fan of punching permanent holes into a firewall like this.



I understand your perspective; it's absolutely right to insist on security in a corporate environment. I have also seen the other side as a developer and have seen it happen a number of times. Understanding why it seems tempting to developers is probably the best way to fully get rid of it (although you might be doing so already; there is probably no way to fully get rid of the problem). The reasons I've seen usually were:

- Undocumented or unknown processes. Many enterprises have a discoverability problem regarding almost all information, and as somebody that frequently required some special support for my work, it often took shockingly long to find a person who knew how to find the information in the respective intranet. It's important that not only are the services available, they also must be discoverable and known.

- Complicated processes. A portion of developers that require these services are using them for the first time, or have used them without fully understanding and considering the implications. If the process for requesting support is too complicated (e.g. requiring a form where you either require very detailed information without assistance on how to find it, or - the worst case - a form with fields where the people responsible say "oh, just fill it with random stuff to keep going") it will make some people choose the less secure way to get going with work.

- Long processes. If a developer wants to use such a service and it takes weeks to months to receive support (e.g. overload of tickets, or the only person responsible is on vacation) it sometimes leaves little to no choice.

But again, definitely not advocating for circumventing security!


Not exactly sure how streamlined your security process is, but for some orgs it is a red tape roller coaster to even get one TCP port open.

Anyways, you could also block all traffic to ngrok servers just to ensure your Dev teams aren't skirting around your firewall.
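One way to act on the blocking suggestion above, as an added example that is not part of this thread and not code from ngrok or any other tunnel vendor: a small Python check that scans egress proxy log lines for two signals, a destination under a known tunnel-provider domain and a long-lived outbound session to a host that is not on an allowlist (the pattern a self-hosted reverse tunnel leaves even when the commercial services are blocked). The log format, the domain suffixes, the allowlist and the one-hour threshold are all constructed placeholders; substitute the providers and thresholds your own policy names.

```python
"""Egress-log check for tunnel services (constructed example, not vendor code)."""
import re
from dataclasses import dataclass

# Placeholder domain suffixes for tunnel providers. These are NOT real
# provider domains; replace them with the ones your policy lists.
TUNNEL_SUFFIXES = {
    ".tunnel-provider.example": "ngrok-style reverse tunnel service",
    ".edge-tunnel.example": "cloudflared-style tunnel service",
}

# Sessions at least this long (seconds) to a non-allowlisted host are
# reported as possible persistent tunnels. The threshold is an assumption.
LONG_LIVED_SECONDS = 3600

# Constructed allowlist of destinations that legitimately hold long sessions.
ALLOWED_LONG_LIVED = {"vpn.corp.example"}

# Constructed log layout: one connection summary per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[^:\s]+):(?P<port>\d+) "
    r"duration=(?P<duration>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    reason: str


def parse_line(line):
    """Return the fields of one log line as a dict, or None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def matched_suffix(host):
    """Return the provider label if host is a blocklisted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    for suffix, label in TUNNEL_SUFFIXES.items():
        if host == suffix.lstrip(".") or host.endswith(suffix):
            return label
    return None


def check_record(rec):
    """Apply both heuristics to one parsed record; return a Finding or None."""
    label = matched_suffix(rec["dst"])
    if label:
        return Finding(rec["src"], rec["dst"],
                       f"destination is a known tunnel provider ({label})")
    duration = int(rec["duration"])
    if duration >= LONG_LIVED_SECONDS and rec["dst"] not in ALLOWED_LONG_LIVED:
        return Finding(rec["src"], rec["dst"],
                       f"long-lived outbound session ({duration}s) to non-allowlisted host")
    return None


def scan(lines):
    """Scan log lines; malformed lines are skipped (a real pipeline would count them)."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        finding = check_record(rec)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample log: one normal request, one tunnel-provider hit, one
# allowed VPN session, one long-lived session to a rented host, one bad line.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z src=10.1.2.3 dst=www.corp.example:443 duration=2",
    "2024-05-01T10:00:05Z src=10.1.2.3 dst=connect.tunnel-provider.example:443 duration=15",
    "2024-05-01T10:00:09Z src=10.1.2.7 dst=vpn.corp.example:443 duration=28800",
    "2024-05-01T10:01:00Z src=10.1.2.9 dst=203.0.113.10:22 duration=7200",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.src} -> {f.dst}: {f.reason}")
```

The suffix match catches the commercial services the comment refers to; the duration heuristic is what surfaces the self-hosted alternatives, at the cost of false positives that the allowlist has to absorb, so it is better fed into a review queue than a hard block.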


Yeah I get it, but everyone needs to be responsible for security as well. Look what happened with LastPass. I can totally see someone doing something silly like exposing a device with default creds like a MySQL db on a production box, then forgetting about it and getting a new job a year later.

I do block proxies like this, but it’s hard to block every little thing.


I remember when I believed in bastions and DMZs. Many companies have given up on this due to the fact that it can only be enforced by policy and not by tech.


Ngrok is just one company tho, there are thousands of ways. Wireguard or nebula can be self-hosted and another server with an actual port open will forward traffic. People can use SSH's reverse port forwarding too.

Or you can use cloudflared or another one of ngrok's competitors.


> > This is intended for small teams

> As someone who has to manage enterprise firewalls

Clearly not intended for you, as the quoted part tells you outright who it is intended for.


There are many small teams within large enterprises, one does not exclude the other…


I think it’s a bit naive to believe that would stop someone from using this. Some new employee literally tried to install a CD crack on a work computer for some game just the other day.



