Managing software in complex network environments: the Snap Store Proxy

Holly Hall

on 15 January 2024

As enterprises grapple with the evolving landscape of security threats, the need to safeguard internal networks from the broader internet is increasingly important. In environments with restricted internet access, it can be difficult to manage software updates in an easy, reliable way. When managing devices in the field, change management and compliance policies can introduce even more complexity to the update process. You can solve these challenges using snaps and the Snap Store Proxy.

What are snaps?

Snaps are containerised software packages that work across a wide range of Linux distributions. They are secure, highly portable and isolated from the underlying system, ideal for a broad range of use cases across desktops, servers, cloud and IoT. 

Automatic updates are a central feature of snaps, ensuring that users always benefit from the latest version of software and improving security through rapid patching of vulnerabilities. Using the Snap Store, snaps can be published via a low-friction process and automatically updated on users’ systems.These updates ordinarily require an unrestricted network connection.

Updating snaps in restricted networks

Restricted networks either do not have access to the wider internet or the access that they have is limited to certain connections. Isolating networks is important in an enterprise environment for both security and convenience reasons.

However, when considering software updates, it can often be complex to manage the flow of data across different networks. It is important to have confidence in the technology that is used to deliver updates, to ensure that all security vulnerabilities are patched frequently in any network environment.

To solve this issue, we have created the Snap Store Proxy – an on-premise edge proxy to the global Snap Store. The Proxy is a software that users can run in their DMZ (a designated part of the network that is allowed external internet access) to proxy requests from their devices behind the firewall, to the Store. 

The Snap Store Proxy – how it works

The Snap Store Proxy makes it possible to run snaps from within sub-networks and from behind corporate firewalls. Additionally, the Snap Store Proxy creates a local cache of downloaded files, which could potentially be quite large, speeding up any further downloads and minimising bandwidth usage. 

Simple diagram showing how the Snap Store Proxy intercepts and re-writes the response from the upstream store, potentially pointing to a different version.

Integrity of the downloaded snap files is guaranteed through hashing signatures that are built into the design of snaps and implemented in snapd and the Snap Store. The Snap Store Proxy does not alter these signatures, ensuring that the chain of trust is always complete. You can read more about snaps and their design in the documentation.

In some situations, devices must run in a completely air gapped environment. This means that there is no connection to the internet. In these cases, it is still crucial for software to receive software and feature updates to keep devices patched and secure. However due to the lack of internet connection, it may be more difficult to deliver upgrades. The Snap Store Proxy can be operated in offline mode, meaning that snap updates can be sideloaded and manually transferred to the device. This allows software on air gapped devices to remain secure, up-to-date and feature-rich.

Align with enterprise policies through release management

Updating software can be problematic in environments that have external influences in change control and management. This is relevant in regulated industries such as manufacturing or pharmaceuticals. Complete control over updates and management of software is required in these environments, along with an auditable, provable record of any changes. With its override capability, the Snap Store Proxy allows configured devices to remain on a specified revision, no matter what revision has been released upstream.

The Snap Store Proxy grants enterprises greater control over software updates, offering a solution that balances security, compliance, and operational efficiency in diverse network environments.

Read the full whitepaper

Find out more

Contact us about your project 

smart start

IoT as a service

Bring an IoT device to market fast. Focus on your apps, we handle the rest. Canonical offers hardware bring up, app integration, knowledge transfer and engineering support to get your first device to market. App store and security updates guaranteed.

Get your IoT device to market fast ›

smart start logo

IoT app store

Build a platform ecosystem for connected devices to unlock new avenues for revenue generation. Get a secure, hosted and managed multi-tenant app store for your IoT devices.

Build your IoT app ecosystem ›

Newsletter signup

Get the latest Ubuntu news and updates in your inbox.

By submitting this form, I confirm that I have read and agree to Canonical's Privacy Policy.

Related posts

Space pioneers: Lonestar gears up to create a data centre on the Moon

Why establish a data centre on the Moon? Find out in our blog.

Canonical announces public beta of optimized Ubuntu image for Qualcomm IoT platforms

Today Canonical, the publisher of Ubuntu, and Qualcomm® Technologies announce the official beta launch of the very first optimized image of  Ubuntu for...

EdgeIQ and Ubuntu Core; bringing security and scalability to device management 

Today, EdgeIQ and Canonical announced the release of the EdgeIQ Coda snap and official support of Ubuntu Core on the EdgeIQ Symphony platform. EdgeIQ Symphony...