Intro to Firewall

Welcome to a brief introduction to Nexus Firewall. The term firewall usually refers to a network firewall which inspects and blocks network traffic based on a set of rules. The Nexus Firewall applies this concept to repository management. In this guide you will learn what Nexus Firewall does, what problem it solves, and the benefits of using it.

Before diving into Nexus Firewall, it might be helpful to know a bit about the Software Development Lifecycle, DevOps, and Nexus Repository Manager. Check out the resources below to get started.

What is Nexus Firewall?

The Nexus Firewall is a tool that prevents bad components from entering your software supply chain through Nexus Repository Manager. When a developer downloads a new component, Firewall checks that component and all its dependencies against a set of user defined policies. Any component or dependency that violates one of these policies is blocked from your repository. Blocked components are quarantined for manual review and approval if necessary. Policies can filter out components based on security risk, license risk, component age, and many other features. This is the same idea as a network firewall, only instead of blocking unwanted web traffic, Nexus Firewall blocks bad components from your repository.

Firewall is powered by Sonatype’s IQ Server, a management and automation platform for the software supply chain. It acts as the brain for Nexus Firewall, providing detailed information about open source components, including both public CVSS scores and Sonatype’s own research. IQ Server is also the central hub for setting policies and reviewing Firewall policy violations.

Why Do I Need A Firewall?

According to Sonatype’s State of the Software Supply Chain report, 80% of software applications use open source components, and this number is growing. Open source software lets companies build on work done by other programmers, so developers can focus on building products instead of solving already-solved problems. The result is that open source saves time and money.

But adding open source components has risks. Some components have known security vulnerabilities or restrictive licenses, and adding them to a project can create trouble downstream. Even minor vulnerabilities can cause major problems when chained with other exploits. Identifying good open source components is a challenge: new vulnerabilities are discovered all the time, and many open source components rely on other components. These dependencies may have their own vulnerabilities and their own dependencies. According to research from the University of Darmstadt, 40% of all NPM packages rely on code with known vulnerabilities. These nested dependencies make vetting components a lengthy and difficult process. In recent years, open source components have become a common vector in software attacks such as the Equifax data breach and the SolarWinds hack. This isn’t to say that open source components are bad, but it is critical to vet components before adding them to a project. Firewall makes this process easy by automating discovery of bad components and keeping risky components out of your repositories.
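The two points above, that Firewall evaluates a requested component together with all of its dependencies against user-defined policies, and that nested dependencies can carry their own vulnerabilities, are easiest to see in a small model. The following is an added, constructed example written for this page; it is not Sonatype’s code and does not reflect how IQ Server stores or evaluates policies. The catalogue, the component names and versions, the CVSS scores, and the three policies (`security-high`, `license-copyleft`, `component-too-new`) are all invented for illustration.

```python
"""Toy model of repository-firewall policy evaluation (constructed example,
not Sonatype's implementation).

A download request names one component. The evaluator walks that component
and every transitive dependency, checks each against a list of policies,
and quarantines the request if anything in the tree violates a policy.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    max_cvss: float          # highest known CVSS score, 0.0 if none known
    license: str             # SPDX-style license identifier
    age_days: int            # days since this version was published
    dependencies: tuple = () # names of direct dependencies


# Constructed catalogue standing in for the component data an IQ Server-like
# source would supply. Every entry here is hypothetical.
CATALOG = {
    "web-app-lib":   Component("web-app-lib", "2.1.0", 0.0, "Apache-2.0", 400,
                               ("json-util", "net-client")),
    "json-util":     Component("json-util", "1.4.2", 0.0, "MIT", 900,
                               ("string-helper",)),
    "string-helper": Component("string-helper", "0.3.1", 7.5, "MIT", 1200),
    "net-client":    Component("net-client", "3.0.0", 0.0, "GPL-3.0", 10),
    "logger":        Component("logger", "5.0.1", 0.0, "MIT", 700),
}

# Hypothetical policies: (policy name, predicate that is True on a violation).
# These mirror the policy categories the article names: security risk,
# license risk and component age.
POLICIES = [
    ("security-high", lambda c: c.max_cvss >= 7.0),
    ("license-copyleft", lambda c: c.license in {"GPL-3.0", "AGPL-3.0"}),
    ("component-too-new", lambda c: c.age_days < 30),
]


def walk_dependencies(name, catalog, seen=None):
    """Yield the named component and all transitive dependencies, each once.

    The `seen` set guards against dependency cycles, which do occur in real
    ecosystems and would otherwise recurse forever.
    """
    if seen is None:
        seen = set()
    if name in seen:
        return
    seen.add(name)
    comp = catalog[name]
    yield comp
    for dep in comp.dependencies:
        yield from walk_dependencies(dep, catalog, seen)


def evaluate_download(name, catalog=CATALOG, policies=POLICIES):
    """Evaluate a download request.

    Returns (allowed, violations) where violations is a list of
    ("component@version", policy_name) pairs. A request is blocked and
    quarantined if any component in its dependency tree violates any policy,
    even when the requested component itself is clean.
    """
    violations = []
    for comp in walk_dependencies(name, catalog):
        for policy_name, violates in policies:
            if violates(comp):
                violations.append((f"{comp.name}@{comp.version}", policy_name))
    return (not violations, violations)


def quarantine_report(name):
    """Human-readable summary of why a request was allowed or quarantined."""
    allowed, violations = evaluate_download(name)
    if allowed:
        return f"{name}: allowed (no policy violations in dependency tree)"
    lines = [f"{name}: QUARANTINED, {len(violations)} violation(s):"]
    for component, policy in violations:
        lines.append(f"  {component} violates {policy}")
    return "\n".join(lines)


if __name__ == "__main__":
    for requested in ("logger", "json-util", "web-app-lib"):
        print(quarantine_report(requested))
```

Running the block shows the transitive effect the article describes: `json-util` has no findings of its own but is still quarantined because its dependency `string-helper` carries a high-severity score, and `web-app-lib` picks up that finding plus two more from `net-client`. The reasons are kept per component so a reviewer can see exactly which policy fired where, which is what makes a manual review-and-approve step practical.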

What are the benefits of Nexus Firewall?

In order to release stable, secure code faster, it’s vital to make informed decisions about security at the beginning of the development cycle. One of the principles of the Toyota Production System, which heavily influenced the DevOps ideology, is that the right process will produce the right results. Firewall aims to improve the software development process by shifting security decisions to the very beginning of the development process. Organizations that adopt Nexus Firewall can expect their software to be more secure and to see development, security, and legal teams all save time.

Improve Security

  • IQ Server’s data goes beyond publicly available data to provide the best possible information about component security, allowing teams to make better decisions about components
  • Preventing bad components before they are added to a repository or project means that fewer security vulnerabilities make it into production
  • If a component with a known vulnerability must be used, its flaws are identified at the beginning of the development process, allowing teams to ensure that the known vulnerability can’t be exploited
  • Automated security analysis means only necessary risks are allowed into a repository

Save Time

  • Security teams save time by automating discovery of security vulnerabilities in components and automatically blocking bad components
  • IQ Server also provides a list of policy violations in the repository which makes it easy to track known bad components
  • Developers are spared rework after security reviews, as fewer security risks enter a project. This allows developers to spend their time developing better products
  • Legal teams get many of the same benefits as the security team. Components with potential legal risk are blocked from entering company software and components with risky, or non-standard, licenses are automatically identified

What doesn’t Firewall do?

Keep in mind that Nexus Firewall is not designed to solve all issues in a software supply chain. It’s designed to keep bad components from entering your software. Governing the entire software supply chain is handled by Nexus Lifecycle, which is also available in IQ Server.

The Nexus Firewall does not:

  • Quarantine components already added to a repository
    • This is intentional. Removing components already in use could break builds and create problems for developers. Components already inside a repository can be managed using Nexus Lifecycle.
  • Provide guidance on setting policies
    • Every organization has different needs and wants. All of our tools, including Firewall, are impartial regarding policy. Firewall does provide default policies for convenience.

How do I get Started?

To get started check out our Firewall Quick Start guide.

Additional Resources