topic Re: UDP 443 becoming more prevelant in General Topics

UDP 443 becoming more prevelant

DShofkom33x — Wed, 24 Apr 2019 15:58:37 GMT

Today I have discovered that the latest Facebook App for Apple IOS is using udp/443 for communication. This behavior seems similar to the Google Quic protocol. I also caught a glimpse of an article referencing the move to a http2/api WWW.

If this is going to be the direction the industry goes, does anyone know how long it takes Palo Alto to signature these applications?

What is the best way your organization has handled these new applications that traditionally are "sanctioned"? Right now on the current APP\Thread DB it is classified as unknown-udp

Re: UDP 443 becoming more prevelant

Brandon_Wertz — Wed, 24 Apr 2019 17:48:56 GMT

Can you provide anymore reference documentation on this?

Re: UDP 443 becoming more prevelant

DShofkom33x — Wed, 24 Apr 2019 19:44:39 GMT

Brandon,

I dont have offical documentation. But it was what I have observed in our production environment within my organization.

What further documentation are you looking for?

Re: UDP 443 becoming more prevelant

Remo — Wed, 24 Apr 2019 19:50:23 GMT

@DShofkom33xif you want to control webtraffic then you should still follow the recommendation of PaloAlto and block 443/udp. So far I have not heard of any plans that this traffic can be decrypted or properly identified.

Re: UDP 443 becoming more prevelant

DShofkom33x — Wed, 24 Apr 2019 20:03:28 GMT

Google Quic protocol is already widely used for google chrome based applications

https://ma.ttias.be/googles-quic-protocol-moving-web-tcp-udp/

I observed today that traffic hitting the Palo Alto in our environment ,when using my iPhone 7 running 12.2 with the latest Facebook app, was udp/443

Re: UDP 443 becoming more prevelant

Brandon_Wertz — Wed, 24 Apr 2019 20:07:58 GMT

@DShofkom33x wrote:
Brandon,

I dont have offical documentation. But it was what I have observed in our production environment within my organization.

What further documentation are you looking for?

Something that says the vendors are coding for this...We don't allow QUIC in our environment and we haven't heard of any users (mobile platform or otherwise) complaining about service issues.

Re: UDP 443 becoming more prevelant

OGMaverick — Fri, 26 Apr 2019 16:34:10 GMT

Yes, you should be blocking QUIC as well as UDP 443. Blocking Quic will retransmit over TCP and let the applications be identified properly. This is what Palo recommends.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClarCAC

Re: UDP 443 becoming more prevelant

Plattinum — Mon, 29 Apr 2019 19:02:25 GMT

You mean something like this?

https://code.fb.com/android/building-zero-protocol-for-fast-secure-mobile-connections/

I also just started noticing this mobile facebook traffic as "unknown-udp" in my logs in the last week or two. Not sure if they flipped a switch or I just missed it previously (only a Palo customer for 3 months now and still getting the hang of things!).

It's a custom implementation based off of QUIC according to the documentation, and blocking all UDP/443 traffic seems like the wrong way to solve this issue.

Re: UDP 443 becoming more prevelant

Remo — Mon, 29 Apr 2019 19:23:44 GMT

@Plattinum wrote:
It's a custom implementation based off of QUIC according to the documentation, and blocking all UDP/443 traffic seems like the wrong way to solve this issue.

It depends on your needs. If you want to control and decrypt any connections then you need to force the traffic to a way that makes it possible. If you allow any connections to the internet then go ahead and allow 443/udp. Another possibility is you can write a custom application to at least detect the application.

If now every big player in the cloud starts to write their own protocol then it could be difficult (not impossible) for security vendors to support full control features for all of these.

You could also ask your SE to create a feature request so others can add their vodmtes to the FR because I think you are not the only one who thinks this would be a need feature.

Re: UDP 443 becoming more prevelant

DShofkom33x — Mon, 29 Apr 2019 20:51:19 GMT

Yeah I saw this article too. I think this is exactly it. It seems to be something FB has turned up recently. Even though the application should switch over to TCP the user experience on an enterprise network is much more painful, as you can imagine. If other applications are moving to this protocol, it would be nice to know how long it takes for Palo Alto to profile something that is widely used (i.e Facebook application).

Re: UDP 443 becoming more prevelant

Brandon_Wertz — Tue, 30 Apr 2019 12:30:38 GMT

@DShofkom33x wrote:
Yeah I saw this article too. I think this is exactly it. It seems to be something FB has turned up recently. Even though the application should switch over to TCP the user experience on an enterprise network is much more painful, as you can imagine. If other applications are moving to this protocol, it would be nice to know how long it takes for Palo Alto to profile something that is widely used (i.e Facebook application).

I think your last question has already been answered from Palo documentation...They don't support it. Their documentation says to block QUIC and allow the traffic to naturally use other native TCP protocols/applications. (Yes 'double' protocol used for clarity.)

Re: UDP 443 becoming more prevelant

Brandon_Wertz — Mon, 20 May 2019 16:04:45 GMT

So it looks like the update on the 16th Content version 8153 has facebook-base as 443/UDP as default port.

Re: UDP 443 becoming more prevelant

DShofkom33x — Mon, 20 May 2019 16:58:43 GMT

I understand it's recommended to block (and we did) but the user experience is horrible. I hope this isn't the new norm for these type of applications.

Re: UDP 443 becoming more prevelant

OGMaverick — Mon, 20 May 2019 17:00:17 GMT

On our network of >30k devices, we have not had one single complaint after blocking QUIC a couple years ago. What kind of horrible user experience are you running into? @DShofkom33x

Re: UDP 443 becoming more prevelant

Brandon_Wertz — Mon, 20 May 2019 17:02:08 GMT

@OGMaverick wrote:
On our network of >30k devices, we have not had one single complaint after blocking QUIC a couple years ago. What kind of horrible user experience are you running into? @DShofkom33x

Yeah QUIC has always been blocked for us as well and we have had no issues regarding impact to user performance either.

Re: UDP 443 becoming more prevelant

BPry — Mon, 20 May 2019 20:32:52 GMT

Just going to throw in with the last few comments; I have udp/443 blocked across every network I manage and nobody has ever noticed it wasn't working, let alone brought up any user experiance issues.

Re: UDP 443 becoming more prevelant

Remo — Wed, 22 May 2019 17:04:33 GMT

Same here ... 443/udp blocked outgoing ... 0 problems and 0 users complaining about a bad user experiance