Auto-Quarantine and Release for Firewall

Prerequisites

Before diving into Firewall’s new features, you need an instance of Nexus Repository Manager Pro connected to Nexus Firewall and a valid Firewall license. The malware identification and quarantine features described here also require that your repository manager is configured to let Firewall block and quarantine components. Setting this up is beyond the scope of this guide; see the links below to get started.

Getting Started Resources:

Firewall - Your First Line of Defense

Modern software supply chain attacks are becoming more sophisticated and striking earlier in the software development lifecycle (SDLC). Instead of searching for existing vulnerabilities, bad actors create their own malicious components and work to get them into your software. By the time these components are discovered, it’s often too late. Nexus Firewall is your first line of defense, blocking dangerous components before they enter your SDLC.

Nexus Firewall checks all components entering a repository manager for known security vulnerabilities and other policy violations as they are downloaded. Components with severe violations can be blocked and quarantined until they’re manually released, usually by your organization’s security team. This approach makes it safe and easy for teams to introduce new components. Developers can download components with no policy issues immediately, without a manual review. Security teams only need to review the components with issues before adding them to a project.

We’ve introduced powerful new features to Nexus Firewall that protect software supply chains from newly released components and make it easier to bring in safe components. These new tools flag suspicious and malicious components as they are released, protecting your organization from bad actors and undiscovered problems in new releases. Additionally, Firewall can automatically release components from quarantine as Sonatype’s research team identifies more information about the component.

Safe from the Very Beginning

To keep up with new software supply chain attacks, we added some new capabilities and workflows to Nexus Firewall that work together to provide greater security for all inbound components.

Nexus Firewall Automatic Quarantine Workflow

New Firewall Features:

  • Flag Potentially Malicious Components - Sonatype’s AI and machine learning tools look for unusual component behavior and flag suspicious releases as soon as a component is published. Firewall watches for new components carrying an Integrity Rating of Suspicious or Malicious. The Suspicious designation is temporary and applies to components that Sonatype’s research team has not yet reviewed. The research team reviews these components for security and legal risks, then updates the component’s Integrity Rating.
  • Automatic Quarantine - Components with a Suspicious or Malicious Integrity Rating are automatically placed in quarantine. This keeps them out of your supply chain until they are identified as safe.
  • Automatic Release - Components are automatically released from quarantine once the Sonatype research team has reviewed them and deemed them safe. Harmful components remain in quarantine. Auto-release is policy dependent: a component that the research team deems safe but that still violates another failing policy remains quarantined.

Flag Suspicious and Malicious Components

Each new component release is screened using Sonatype’s AI and machine learning tools, which look for behavior that is unusual or suspicious in each release. Components with any irregularities are flagged with an Integrity Rating of Suspicious. Sonatype’s dedicated security research team then investigates these components for malicious behavior or newly introduced vulnerabilities and updates the component’s Integrity Rating. By screening components at release time, Firewall dramatically reduces the risk from new components and reduces the burden that reviewing them places on security teams.

Installing a Firewall license automatically creates a new policy called Integrity-Rating. This policy uses a component’s Integrity Rating to judge the component’s safety and prevents components rated Suspicious or Malicious from entering the repository. This closes the window between a malicious release and its public discovery: rather than waiting to see whether a component turns out to be harmful, Firewall holds components that could be harmful until they are proven safe.

Automatic Quarantine & Automatic Release

By default the Integrity-Rating policy’s Proxy stage action is Fail, so any Suspicious or Malicious component is blocked from entering your proxy repository and placed in quarantine. Firewall re-checks quarantined components every 24 hours to see whether their status has changed. If the research team has since rated a component safe, and no other failing policy violation remains, Firewall automatically releases the component into the proxy repository. This minimizes friction for developers and reduces the burden on security teams: with automatic release enabled, nobody needs to monitor components still under review by Sonatype’s research team, because they are released or kept in quarantine automatically. Auto Release can also be turned on for four other policy violation types whose results commonly change as a component is researched: License, License Threat Group, Security Vulnerability Severity, and Security Vulnerability Category. A component quarantined for one of these violations is released automatically when the violation clears only if auto-release is enabled for that type; otherwise it waits for manual release. Enabling auto-release for these types means a component can leave quarantine without a person looking at it, so review the Auto-Release log (described below) as part of your routine.
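The rules above are easy to misread, so here is a small model of the quarantine and auto-release decision, added here as an illustration. It is not Sonatype’s code and does not call the IQ Server API; the function names, the `AUTO_RELEASE` table, the policy-type labels and the sample components are assumptions chosen for the model. It encodes what the page states: a Fail action at the Proxy stage quarantines a component, the periodic re-check releases it only when every failing violation has cleared, and a cleared violation leads to automatic release only if its policy type has auto-release switched on. It also shows the effect of setting the Proxy stage to Warn, as in the disabling procedure later on this page.

```python
"""Model of Nexus Firewall's policy-dependent quarantine / auto-release logic.

Added illustration, not Sonatype's code and not the IQ Server API. Names such as
AUTO_RELEASE, evaluate_on_download and reevaluate are assumptions for the model.
"""
from dataclasses import dataclass, field

FAIL, WARN, NO_ACTION = "Fail", "Warn", "No Action"

# Auto-release toggles as the page lists them. Assumed default: only the
# Integrity Rating type is enabled; the other four are off until configured.
AUTO_RELEASE = {
    "Integrity Rating": True,
    "License": False,
    "License Threat Group": False,
    "Security Vulnerability Severity": False,
    "Security Vulnerability Category": False,
}


@dataclass(frozen=True)
class Violation:
    policy_type: str
    proxy_action: str  # action configured for the policy's Proxy stage


@dataclass
class Component:
    name: str
    violations: set = field(default_factory=set)
    quarantined: bool = False
    quarantined_for: set = field(default_factory=set)  # Fail violations that caused quarantine


def evaluate_on_download(c, violations):
    """Firewall check when a component first enters the proxy repository.

    Only a Proxy-stage action of Fail quarantines; Warn and No Action let it in.
    Returns True if the component was quarantined.
    """
    c.violations = set(violations)
    failing = {v for v in c.violations if v.proxy_action == FAIL}
    if failing:
        c.quarantined = True
        c.quarantined_for = failing
    return c.quarantined


def reevaluate(c, violations, auto_release=AUTO_RELEASE):
    """The periodic (24-hour) re-check of a quarantined component.

    Returns 'released', 'quarantined' (a Fail violation remains or appeared),
    or 'needs-review' (all Fail violations cleared, but auto-release is off for
    at least one of the policy types involved, so a person must release it).
    """
    if not c.quarantined:
        return "not-quarantined"
    c.violations = set(violations)
    still_failing = {v for v in c.violations if v.proxy_action == FAIL}
    if still_failing:
        c.quarantined_for = still_failing
        return "quarantined"
    cleared = c.quarantined_for
    if all(auto_release.get(v.policy_type, False) for v in cleared):
        c.quarantined = False
        c.quarantined_for = set()
        return "released"
    return "needs-review"


def demo():
    """Walk through the scenarios the page describes (constructed sample data)."""
    suspicious = Violation("Integrity Rating", FAIL)
    bad_license = Violation("License", FAIL)
    critical_cve = Violation("Security Vulnerability Severity", FAIL)
    results = {}

    # 1. New release flagged Suspicious, later deemed safe by research: auto-released.
    a = Component("pkg-a@1.0.0")
    evaluate_on_download(a, {suspicious})
    results["safe_after_review"] = reevaluate(a, set())

    # 2. Research clears the Integrity Rating, but a failing License policy still applies.
    b = Component("pkg-b@2.3.1")
    evaluate_on_download(b, {suspicious, bad_license})
    results["other_policy_still_fails"] = reevaluate(b, {bad_license})

    # 3. Quarantined for vulnerability severity; the violation clears after research.
    c = Component("pkg-c@0.9.0")
    evaluate_on_download(c, {critical_cve})
    results["severity_toggle_off"] = reevaluate(c, set())
    c2 = Component("pkg-c@0.9.0")
    evaluate_on_download(c2, {critical_cve})
    enabled = {**AUTO_RELEASE, "Security Vulnerability Severity": True}
    results["severity_toggle_on"] = reevaluate(c2, set(), enabled)

    # 4. Proxy stage of Integrity-Rating changed to Warn: nothing is quarantined.
    d = Component("pkg-d@4.0.0")
    results["warn_only"] = evaluate_on_download(d, {Violation("Integrity Rating", WARN)})
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

Scenario 2 is the one that trips people up: the research team rating the component safe does not by itself release it, because the License violation still fails at the Proxy stage. Scenario 3 shows why the auto-release toggles exist: with the toggle off, a cleared severity violation still leaves the component waiting for someone to release it by hand.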

Configuration & Use

Installing the Firewall License

To install your license:

  • Navigate to your installation of IQ Server and log in.
  • Click on the Cog icon in the upper righthand corner to open the System Preferences Menu.
  • Select Product License from the list.
  • Select Install or Update License
  • Select your license file and click ok.

Installing your license automatically creates a new policy called Integrity-Rating. Automatic quarantine and automatic release are enabled by default.

Disabling Automatic Quarantine

Enforcement for blocking Suspicious and Malicious components is enabled by default to secure your software supply chain. If you need to disable automatic quarantine, edit the Integrity-Rating policy to allow these components through. Note that once the Proxy stage action is Warn or No Action, Suspicious and Malicious components are downloaded into your proxy repository with at most a warning recorded, so treat this as a deliberate, documented decision rather than a convenience setting.

To disable auto-quarantine:

  1. Navigate to IQ Server and log in.
  2. Select Orgs and Policies from the Sidebar.
  3. Select the policy called Integrity-Rating.

    Warning:
    Your installation might name the policy Integrity-Rating-1 if you already had a policy named Integrity-Rating before installing the license. The policy created for Firewall is the one whose Proxy stage action is set to Fail.

    Firewall integrity rating policy

  4. Select No Action or Warn for the Proxy stage in the Actions section.

  5. Click Update

Changing Automatic Release Settings

To change the automatic quarantine release settings:

  1. Navigate to IQ Server and log in.
  2. Select Firewall from the sidebar.
  3. Select Configure under the Auto Release From Quarantine Status.
  4. Use the toggle switches to enable or disable automatic quarantine release for supported policy types.
  5. Click Save Changes.

Automatic release configuration settings.

Viewing the Auto-Release Log

To View the Components Auto-Released from Quarantine:

  1. Navigate to IQ Server and log in.
  2. Select Firewall from the sidebar.
  3. Select View Auto Release Quarantine under the Auto Released from Quarantine section.

Note: This log is not a vulnerability report. It only lists the components that were automatically released from quarantine, so you can track what entered your repositories without a manual review.

Additional Resources