
QUIC: https on udp

My mind was just blown looking into curious traffic coming from my Android phone.  I'm seeing my UTM blocking port 443 UDP traffic.  That's odd, I wasn't aware there was such a thing.  Looking into it, the developers over at Google have been working on a high-speed web protocol that works on UDP.  They are calling it QUIC.

What does this mean for network administrators?  The need to create rules addressing applications that use QUIC.

What about Sophos?  Perhaps the need to add support for QUIC in all of its HTTP proxy and filtering sub-systems.

09:07:19 Default DROP UDP 10.1.3.1 : 38511 31.13.70.1 : 443 len=1263

A challenge supporting this protocol is that standard proxies won't work.   UDP is a shoot-and-forget-it protocol so there is no connection.  The challenge here is that returning packets don't have a connection to traverse, they just have an ip address of the internet router.  Without port-forwarding rules, the packet won't reach the correct destination and this is no solution either as such rules only support one device per network.  This looks to be a horrible idea, but Google has rolled it out anyway.  I'm seeing it on the TuneIn streaming App for Android.  It's not clear if the challenges can be adequately managed.

More info here:  ma.ttias.be/.../
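To see what a UDP 443 block policy looks like in log data, here is an added Python example (not from the original post and not Sophos code) that parses drop/allow entries in the shape of the line quoted above and counts UDP/443 attempts per internal client. The field layout and the sample lines are constructed assumptions, not a documented UTM log format.

```python
import re
from collections import Counter

# Constructed sample lines, written in the shape of the UTM drop entry quoted
# above; the field layout is an assumption, not a documented Sophos format.
SAMPLE_LOG = """\
09:07:19 Default DROP UDP 10.1.3.1 : 38511 31.13.70.1 : 443 len=1263
09:07:20 Default DROP UDP 10.1.3.1 : 38511 31.13.70.1 : 443 len=1263
09:07:21 Default DROP UDP 10.1.3.7 : 51002 142.250.74.36 : 443 len=1200
09:07:22 Default ALLOW TCP 10.1.3.1 : 44210 31.13.70.1 : 443 len=60
09:07:25 Default DROP UDP 10.1.3.9 : 5353 224.0.0.251 : 5353 len=120
09:07:30 Default ALLOW UDP 10.1.3.4 : 40001 203.0.113.9 : 443 len=1350
"""

LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<rule>\S+)\s+(?P<action>DROP|ALLOW)\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<src>[\d.]+)\s*:\s*(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+)\s*:\s*(?P<dport>\d+)\s+len=(?P<len>\d+)$"
)

def parse_lines(text):
    """Yield one dict per well-formed entry; lines that do not match are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            rec = m.groupdict()
            for key in ("sport", "dport", "len"):
                rec[key] = int(rec[key])
            yield rec

def quic_summary(text):
    """Count UDP/443 packets per internal source, split by firewall action.
    DROP entries show the block is working (the client falls back to TCP 443,
    which the proxy can filter); ALLOW entries are flows that bypassed it."""
    blocked, allowed = Counter(), Counter()
    for rec in parse_lines(text):
        if rec["proto"] == "UDP" and rec["dport"] == 443:
            bucket = blocked if rec["action"] == "DROP" else allowed
            bucket[rec["src"]] += 1
    return {"blocked": dict(blocked), "allowed": dict(allowed)}

if __name__ == "__main__":
    for action, hosts in quic_summary(SAMPLE_LOG).items():
        for host, count in sorted(hosts.items()):
            print(f"{action:8s} {host:15s} {count} UDP/443 packet(s)")
```

Any host that shows up under "allowed" reached a QUIC server without passing through the HTTP proxy, which is the case to look for when auditing a UTM ruleset.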

  • Yes, you want to block UDP 443 at the firewall.

    When Chrome detects a QUIC-capable server, it attempts to connect in this order.  I do not know how it identifies QUIC-enabled systems.

    1. Proxy settings (Standard Mode) with UDP 443
      By default, standard mode will block UDP 443, because it blocks all non-standard ports.   If you add UDP 443 to the Target Services list, the traffic will be allowed but will not be filtered.  So the process will proceed to step 2

    2. No proxy (transparent Mode) with UDP 443
      The Transparent Mode proxy does not intercept UDP 443, so the traffic will be handled by Firewall Rules.   If it is allowed, it will be unfiltered.   If it is blocked, the browser will connect using #3 or #4, and it will be filtered.

    3. Proxy Settings with TCP 443

    4. No proxy with TCP 443

    Chrome behaves perfectly well with UDP 443 blocked.   For our purposes, QUIC is a proxy-evasion tool which should not be ignored.

  • Doug, what leads you to believe that when QUIC is added to 'Allowed Target Services', the traffic is not decrypted?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • This is based on information I was given by Michael Dunn.   Not sure it was in the forum or in a private message exchange.
