We'd love to hear about it! Click here to go to the product suggestion community
My mind was just blown looking into curious traffic coming from my Android phone. I'm seeing my UTM blocking port 443 UDP traffic. That's odd, I wasn't aware there was such a thing. Looking into it, the developers over at Google have been working on a high-speed web protocol that works on udp. They are calling in QUIC.
What does this mean for network administrators? The need to create rules addressing applications that use QUIC.
What about Sophos? Perhaps the need to add support for QUIC in all of it's HTTP proxy and filtering sub-systems.
A challenge supporting this protocol is that standard proxies won't work. UDP is a shoot-and-forget-it protocol so there is no connection. The challenge here is that returning packets don't have a connection to traverse, they just have an ip address of the internet router. Without port-forwarding rules, the packet won't reach the correct destination and this is no solution either as such rules only support one device per network. This looks to be a horrible idea, but Google has rolled it out anyway. I'm seeing it on the TuneIn streaming App for Android. It's not clear if the challenges can be adequately managed.
More info here: ma.ttias.be/.../
Yes, you want to block UDP 443 at the firewall.
When Chrome detects a QUIC-capable server, it attempts to connect in this order. I do not know how it identifies QUIC-enabled systems.
Chrome behaves perfectly well with UDP 443 blocked. For our purposes, QUIC is a proxy-evasion tool which should not be ignored.
In reply to DouglasFoster:
Agreed. HAve been blocking since I first saw the logs and reports of unrestricted chromebook usage.
udp/443 = QUIC, and I think that fow control view can recognize QUIC and shape/throttle it, but don't quote me on that.
QUIC can be disabled via GPO, at least for the Chrome Version for Windows I used this.
Computer Config > Admin Templates > Policies > Google > Allows QUIC Protocol
Doug, what leads you to believe that when QUIC is added to 'Allowed Target Services', the traffic is not decrypted?
Cheers - Bob
In reply to BAlfson:
This is based on information I was given by Michael Dunn. Not sure it was in the forum or in a private message exchange.