Sophos For Chromebook

admin



Sophos For Chromebook

Learn how to configure XG Firewall to sign in Chromebook users to XG Firewall at the time they sign in to their Chromebook.

Sophos Central is the unified console for managing all your Sophos products. Sign into your account, take a tour, or start a trial from here. Security company Sophos recommends customers using the Sophos Authentication for Thin Clients, or SATC, to delay the update to the latest version of Google Chrome and Microsoft Edge due to.

Sophos Chromebook User Id

Objectives

When you complete this unit, you’ll know how to do the following:
  • Configure an Active Directory server in XG Firewall for use with Google Chrome Enterprise.
  • Configure a Chromebook for use with XG Firewall.
  • Configure Google Chrome Enterprise for use with XG Firewall.

Configure Chromebook SSO with Active Directory

First configure XG Firewall.

  • Your Active Directory server is already configured for use with G Suite and synchronization has taken place.
  • You know how to configure an Active Directory server in XG Firewall.
  • You know how to create or import certificates.
  • You know how to create firewall rules.
  • Chromebooks can connect to the network controlled by XG Firewall, for example, LAN or Wi-Fi.
  1. Create an Active Directory server.
    The Chromebook users in the AD must have email addresses that use the domain registered with G Suite. For example, if your registered domain is example.com, AD Chromebook users must have an email address like user@example.com.
  2. Change device access to allow Chromebook SSO.
    Go to Administration > Device access and select Chromebook SSO for the zone where the Chromebook users are allowed to connect from, for example, LAN and Wi-Fi.
  3. Create or import a valid certificate.
    Note The CN must match the zone and network where the Chromebook users are, for example, gateway.example.com.

    The certificate must not be protected by a passphrase.

    The certificate is used for SSL-encrypted communication with the Chromebooks.
  4. Go to Authentication > Services > Chromebook SSO, enable the Chromebook SSO feature and specify the following settings:
    Domain
    The domain as registered with G Suite, that is, the domain suffix of the email addresses used in G Suite, for example, example.com. This can be different from your Active Directory domain.
    Port65123
    CertificateThe certificate created/imported above
    Logging levelSelect the amount of logging
  5. Click Download G Suite app config.
    This will download a JSON file that you need to paste into G Suite later.
  6. Open the file with a text editor, enter a value for serverAddress (LAN or DNS IP address of XG Firewall), and save.
    Server address must match the certificate’s CN, for example, 10.1.1.1.
  7. Create firewall rules.
    1. Create a User/Network rule to allow Google API and Chrome Web Store communication for all devices. This is necessary to push the app to the Chromebooks:
      • Source zones, for example: LAN, Wi-Fi
      • Destination zones, for example: WAN
      • Destination networks: Select the predefined FQDN host groups Google API Hosts and Google Chrome Web Store.
    2. Create a User/Network rule to match known users and to show the captive portal to unknown users to allow internet access to Chromebooks:
      • Source zones, for example: LAN, Wi-Fi
      • Destination zones, for example: WAN
      • Identity: Select the following options: Match known users, Show captive portal to unknown users

      Sort both rules so that rule a) is applied before rule b).

      If you don’t select Show captive portal to unknown users in rule b), we recommend that you create another network rule c) to avoid possible waiting time when contacting the Chrome Web Store.

    3. Create a User/Network rule with the following settings:
      • Rule type: Reject
      • Source zones, for example: LAN, Wi-Fi
      • Destination zones: WAN

      Place the rule at the bottom of the list so that the rule is applied last.

Google has discovered a serious flaw in a Chromebook security feature which allows owners to press their device’s power button to initiate U2F two-factor authentication (2FA).

Known as the ‘built-in security key’, the experimental feature was first enabled for Google PixelBooks last summer. Since then, it has quietly been embedded on numerous Chromebooks that have the necessary H1 CR50 chip inside them, including many made by Dell, HP, Acer, Samsung, Asus and Lenovo. A full list of affected devices is available on Google’s website.

We say ‘quietly’ because it’s unlikely many owners beyond developers have even heard of the feature, let alone used it to authenticate themselves when logging into a website.

For those who have, the feature is appealing – instead of waiting for an SMS onetime 2FA code, or generating one using an app, or even plugging in a hardware security key such as Google’s own Titan, Chromebook users can achieve the same with a short press of the power button.

Unfortunately, a vulnerability has been discovered in the system that makes this work, specifically the generation of an Elliptic Curve Digital Signature Algorithm (ECDSA) signature by H1 chips running v0.3.14 firmware and earlier. Google said:

We confirmed that the incorrect generation of the secret value allows it to be recovered, which in turn allows the underlying ECC private key to be obtained.

Which means that an attacker could work out the private key, completely undermining what is supposed to be a fundamental security feature.

Google believes the chances of this happening when users have logged into real websites is small given that communication with the website should have happened over HTTPS. However, that doesn’t rule out that weakly generated signatures might have been stored in a vulnerable state on Chromebooks themselves.

Ironically, Google thinks that the one thing that stands in the way of such a second factor compromise is the security of the first factor, namely the password and username.

While true, it’s hardly a ringing endorsement of Google’s technology that it can be rescued by passwords.

What to do

Sophos For Chromebook Windows 10

Chrome OS v75 will automatically install version 0.3.15 of the firmware, which contains the fix for this issue. If you don’t use the built-in security key feature, that’s all you have to do.

If do use the security key feature, then you have some work to do after updating the operating system.

Sophos For Chromebook

Old key pairs generated before the update are still vulnerable, so you have to de-register the built-in security key from every website on which it’s being used for authentication, and then re-register it with a fresh key pair.

Should you trust this feature going forward?

Not everyone thinks it’s a good idea to build the U2F security function into devices in this way when there is a proven secure alternative – use a separate hardware key. That said, 2FA provides such a significant boost to security over simply using usernames and passwords that even flawed or imperfect 2FA solutions are much better than no 2FA at all.

Google says it is improving the security of the technology, which is still in the test phase of its development.

Graveyard shift

This vulnerability dovetails interestingly with that other Chromebook controversy of the moment – Chrome OS end of life.

Recently, owners who bought their Chromebooks between 2013 and 2016 have started seeing the following unexpected message after an update:

This is the last automatic software and security update for this Chromebook.

Google calls this moment ‘Auto Update Expiration’, a 2017 rebranding of the previous and more explicit description, Chromebook ‘end of life’.

It often comes as a shock to owners, who hadn’t realised that Chromebooks only receive software for a maximum of 6.5 years, that they might have to stop using their perfectly functioning computer or continue using it in an increasingly insecure state.

Sophos Vpn Client For Chromebook

The clock starts ticking not when the Chromebook was bought but when the platform on which it is based first appeared on the market, which might be years before purchase, and in some cases a while before the specific model appeared.

Sophos For Chromebook Windows 10

The issue here is what would happen if a big flaw such as built-in security key vulnerability was discovered in a Chromebook beyond its end of life at some point in the future.

The lesson is clear – carefully check the lifespan of any Chrome OS device before buying it.