As enterprises grapple with the evolving landscape of security threats, the need to safeguard internal networks from the broader internet is increasingly important. In environments with restricted internet access, it can be difficult to manage software updates in an easy, reliable way. When managing devices in the field, change management and compliance policies can introduce even more complexity to the update process. You can solve these challenges using snaps
What are snaps?
Snaps are containerised software packages that work across a wide range of Linux distributions. They are secure, highly portable and isolated from the underlying system, ideal for a broad range of use cases across desktops, servers, cloud and IoT.
Automatic updates are a central feature of snaps, ensuring that users always benefit from the latest version of software and improving security through rapid patching of vulnerabilities. Using the Snap Store, snaps can be published via a low-friction process and automatically updated on users’ systems.These updates ordinarily require an unrestricted network connection.
Updating snaps in restricted networks
Restricted networks either do not have access to the wider internet or the access that they have is limited to certain connections. Isolating networks is important in an enterprise environment for both security and convenience reasons.
However, when considering software updates, it can often be complex to manage the flow of data across different networks. It is important to have confidence in the technology that is used to deliver updates, to ensure that all security vulnerabilities are patched frequently in any network environment.
To solve this issue, we have created the Snap Store Proxy – an on-premise edge proxy to the global Snap Store. The Proxy is a software that users can run in their DMZ (a designated part of the network that is allowed external internet access) to proxy requests from their devices behind the firewall, to the Store.
The Snap Store Proxy – how it works
The Snap Store Proxy makes it possible to run snaps from within sub-networks and from behind corporate firewalls. Additionally, the Snap Store Proxy creates a local cache of downloaded files, which could potentially be quite large, speeding up any further downloads and minimising bandwidth usage.
Simple diagram showing how the Snap Store Proxy intercepts and re-writes the response from the upstream store, potentially pointing to a different version.
Integrity of the downloaded snap files is guaranteed through hashing signatures that are built into the design of snaps and implemented in snapd and the Snap Store. The Snap Store Proxy does not alter these signatures, ensuring that the chain of trust is always complete. You can read more about snaps and their design in the documentation.
In some situations, devices must run in a completely air gapped environment. This means that there is no connection to the internet. In these cases, it is still crucial for software to receive software and feature updates to keep devices patched and secure. However due to the lack of internet connection, it may be more difficult to deliver upgrades. The Snap Store Proxy can be operated in offline mode, meaning that snap updates can be sideloaded and manually transferred to the device. This allows software on air gapped devices to remain secure, up-to-date and feature-rich.
Align with enterprise policies through release management
Updating software can be problematic in environments that have external influences in change control and management. This is relevant in regulated industries such as manufacturing or pharmaceuticals. Complete control over updates and management of software is required in these environments, along with an auditable, provable record of any changes. With its override capability, the Snap Store Proxy allows configured devices to remain on a specified revision, no matter what revision has been released upstream.
The Snap Store Proxy grants enterprises greater control over software updates, offering a solution that balances security, compliance, and operational efficiency in diverse network environments.
Find out more
Discover more from Ubuntu-Server.com
Subscribe to get the latest posts sent to your email.