Advisory: Google's QUIC protocol bypasses scanning on Sophos XG Firewall

  • Article ID: 127719
  • Updated: 11 Feb 2020
  • 0 people found this helpful
  • Available in: English | Español | Italiano | 日本語 | Français | Deutsch

Overview

QUIC is an experimental networking protocol designed by Google to avoid latency and reduce network congestion. This article describes how to prevent Google's QUIC protocol from bypassing Web filtering of Google services including HTTPS Decryption, Sophos Sandstorm, Malware scanning and Content Filter scanning when accessing files in Google's Chrome Browser.

The following sections are covered:

Applies to the following Sophos products and versions
Sophos Firewall

What to do

There are three different methods for stopping QUIC Protocol from bypassing the firewall's normal scanning methods. Block on the client by disabling the QUIC Protocol in the Chrome Browser. Block using application control to stop the Application ID QUIC. We can also block QUIC by using firewall rules to stop UDP Ports 443 and 80. Whenever QUIC protocol is blocked by Firewall Rule, Application Control or on the client, Chrome will revert back to standard HTTP/HTTPS, so no services should be negatively impacted by these changes.

How to disable QUIC with Application Control

  1. Follow the steps in Sophos Firewall: How to block YouTube with Application Control to create an Application Filter.
  2. Replace references to YouTube with QUIC which should show with the following details:



  3. Add the Application Filter to the Firewall Rule.

How to block QUIC Protocol with Firewall Rules

Version 17.5

  1. Navigate to Firewall and click on + Add firewall rule.
  2. Give the Rule name.
  3. Fill out the source and destination for the zone and networks that you want QUIC dropped from.
  4. Under the Web malware and content scanning section, enable Scan HTTP and Block Google QUIC (Quick UDP Internet Connections).
    Note: The Block Google QUIC (Quick UDP Internet Connections) option will only be enabled if the Scan HTTP and/or Decrypt & scan HTTPS is enabled.
  5. Click Save.
  6. Make sure to place this firewall rule wherein it will hit the QUIC traffic and not be bypassed by other firewall rules. For additional information, please refer to Sophos XG Firewall: How to change firewall rule order.
    Example:

Older firmware version

  1. Navigate to Firewall and click on + Add Firewall Rule.
  2. Give the Rule Name a title and then change the Action to Drop.
  3. Fill out the source and destination for the networks that you want QUIC dropped from.
  4. On this page scroll down to Destination & Services > Services and click Add New Item.
  5. Click Create New and fill out the parameters as shown below:



  6. Save the new service definition.
  7. Apply the Service and then click Save.

    8.  
  8. Make sure the rule is at the top of the Firewall Rules list so that QUIC traffic is dropped first.

How to disable QUIC in Chrome

  1. Launch Google Chrome.
  2. In the Address Bar type: chrome://flags/
  3. Navigate to the flag labeled Experimental QUIC protocol Mac, Windows, Linux, Chrome OS, Android.
  4. Click on the drop-down menu below and then change it to Disabled.



  5. Click on Relaunch Now to restart Chrome without QUIC enabled.

Related information

Article appears in the following topics

Did this article provide the information you were looking for?

Every comment submitted here is read (by a human) but we do not reply to specific technical questions. For technical support post a question to the community. Or click here for new feature/product improvements. Alternatively for paid/licensed products open a support ticket.

Sophos Footer