Managing software in complex network environments: the Snap Store Proxy
Holly Hall
on 15 January 2024
Tags: IoT , Snap proxy , snap store , snapcraft.io , Snaps
As enterprises grapple with the evolving landscape of security threats, the need to safeguard internal networks from the broader internet is increasingly important. In environments with restricted internet access, it can be difficult to manage software updates in an easy, reliable way. When managing devices in the field, change management and compliance policies can introduce even more complexity to the update process. You can solve these challenges using snaps and the Snap Store Proxy.
What are snaps?
Snaps are containerised software packages that work across a wide range of Linux distributions. They are secure, highly portable and isolated from the underlying system, ideal for a broad range of use cases across desktops, servers, cloud and IoT.
Automatic updates are a central feature of snaps, ensuring that users always benefit from the latest version of software and improving security through rapid patching of vulnerabilities. Using the Snap Store, snaps can be published via a low-friction process and automatically updated on users’ systems.These updates ordinarily require an unrestricted network connection.
Updating snaps in restricted networks
Restricted networks either do not have access to the wider internet or the access that they have is limited to certain connections. Isolating networks is important in an enterprise environment for both security and convenience reasons.
However, when considering software updates, it can often be complex to manage the flow of data across different networks. It is important to have confidence in the technology that is used to deliver updates, to ensure that all security vulnerabilities are patched frequently in any network environment.
To solve this issue, we have created the Snap Store Proxy – an on-premise edge proxy to the global Snap Store. The Proxy is a software that users can run in their DMZ (a designated part of the network that is allowed external internet access) to proxy requests from their devices behind the firewall, to the Store.
The Snap Store Proxy – how it works
The Snap Store Proxy makes it possible to run snaps from within sub-networks and from behind corporate firewalls. Additionally, the Snap Store Proxy creates a local cache of downloaded files, which could potentially be quite large, speeding up any further downloads and minimising bandwidth usage.
Simple diagram showing how the Snap Store Proxy intercepts and re-writes the response from the upstream store, potentially pointing to a different version.
Integrity of the downloaded snap files is guaranteed through hashing signatures that are built into the design of snaps and implemented in snapd and the Snap Store. The Snap Store Proxy does not alter these signatures, ensuring that the chain of trust is always complete. You can read more about snaps and their design in the documentation.
In some situations, devices must run in a completely air gapped environment. This means that there is no connection to the internet. In these cases, it is still crucial for software to receive software and feature updates to keep devices patched and secure. However due to the lack of internet connection, it may be more difficult to deliver upgrades. The Snap Store Proxy can be operated in offline mode, meaning that snap updates can be sideloaded and manually transferred to the device. This allows software on air gapped devices to remain secure, up-to-date and feature-rich.
Align with enterprise policies through release management
Updating software can be problematic in environments that have external influences in change control and management. This is relevant in regulated industries such as manufacturing or pharmaceuticals. Complete control over updates and management of software is required in these environments, along with an auditable, provable record of any changes. With its override capability, the Snap Store Proxy allows configured devices to remain on a specified revision, no matter what revision has been released upstream.
The Snap Store Proxy grants enterprises greater control over software updates, offering a solution that balances security, compliance, and operational efficiency in diverse network environments.
Find out more
IoT as a service
Bring an IoT device to market fast. Focus on your apps, we handle the rest. Canonical offers hardware bring up, app integration, knowledge transfer and engineering support to get your first device to market. App store and security updates guaranteed.
IoT app store
Build a platform ecosystem for connected devices to unlock new avenues for revenue generation. Get a secure, hosted and managed multi-tenant app store for your IoT devices.
Newsletter signup
Related posts
Space pioneers: Lonestar gears up to create a data centre on the Moon
Why establish a data centre on the Moon? Find out in our blog.
Canonical announces public beta of optimized Ubuntu image for Qualcomm IoT platforms
Today Canonical, the publisher of Ubuntu, and Qualcomm® Technologies announce the official beta launch of the very first optimized image of Ubuntu for...
EdgeIQ and Ubuntu Core; bringing security and scalability to device management
Today, EdgeIQ and Canonical announced the release of the EdgeIQ Coda snap and official support of Ubuntu Core on the EdgeIQ Symphony platform. EdgeIQ Symphony...