UDP 443 becoming more prevalent

L1 Bithead

UDP 443 becoming more prevalent

Today I have discovered that the latest Facebook app for Apple iOS is using udp/443 for communication. This behavior seems similar to the Google QUIC protocol. I also caught a glimpse of an article referencing the move to a http2/api WWW.

If this is going to be the direction the industry goes, does anyone know how long it takes Palo Alto to signature these applications?

What is the best way your organization has handled these new applications that traditionally are "sanctioned"? Right now, in the current App and Threat DB, it is classified as unknown-udp.

L6 Presenter

Re: UDP 443 becoming more prevalent

Can you provide any more reference documentation on this?

L1 Bithead

Re: UDP 443 becoming more prevalent

Brandon,

I don't have official documentation, but it is what I have observed in our production environment within my organization.

What further documentation are you looking for?

L7 Applicator

Re: UDP 443 becoming more prevalent

@DShofkom33x if you want to control web traffic then you should still follow the recommendation of Palo Alto and block 443/udp. So far I have not heard of any plans that this traffic can be decrypted or properly identified.

L1 Bithead

Re: UDP 443 becoming more prevalent

The Google QUIC protocol is already widely used for Google Chrome-based applications:

https://ma.ttias.be/googles-quic-protocol-moving-web-tcp-udp/

I observed today that traffic hitting the Palo Alto in our environment, when using my iPhone 7 running 12.2 with the latest Facebook app, was udp/443.

L6 Presenter

Re: UDP 443 becoming more prevalent

@DShofkom33x wrote:

Brandon,

I don't have official documentation, but it is what I have observed in our production environment within my organization.

What further documentation are you looking for?

Something that says the vendors are coding for this... We don't allow QUIC in our environment and we haven't heard of any users (mobile platform or otherwise) complaining about service issues.

L3 Networker

Re: UDP 443 becoming more prevalent

Yes, you should be blocking QUIC as well as UDP 443. Blocking QUIC will make the client retransmit over TCP and let the applications be identified properly. This is what Palo recommends:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClarCAC

L0 Member

Re: UDP 443 becoming more prevalent

You mean something like this?

https://code.fb.com/android/building-zero-protocol-for-fast-secure-mobile-connections/

I also just started noticing this mobile Facebook traffic as "unknown-udp" in my logs in the last week or two. Not sure if they flipped a switch or I just missed it previously (only a Palo customer for 3 months now and still getting the hang of things!).

It's a custom implementation based off of QUIC according to the documentation, and blocking all UDP/443 traffic seems like the wrong way to solve this issue.

L7 Applicator

Re: UDP 443 becoming more prevalent

@Plattinum wrote:

It's a custom implementation based off of QUIC according to the documentation, and blocking all UDP/443 traffic seems like the wrong way to solve this issue.

It depends on your needs. If you want to control and decrypt any connections then you need to force the traffic onto a path that makes it possible. If you allow any connections to the internet then go ahead and allow 443/udp. Another possibility is that you can write a custom application to at least detect the application.

If now every big player in the cloud starts to write their own protocol then it could be difficult (not impossible) for security vendors to support full control features for all of these.

You could also ask your SE to create a feature request so others can add their votes to the FR, because I think you are not the only one who thinks this would be a needed feature.
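Before choosing between blocking 443/udp outright and writing a custom application signature, it helps to measure how much udp/443 traffic App-ID is actually leaving as unknown-udp and which peers it goes to. The following is an added example, not code from this thread or from Palo Alto Networks: it parses a constructed, simplified traffic-log CSV (the column names are assumptions; real exports carry many more fields) and summarises the unknown-udp sessions on port 443 per destination, so an admin can see how many clients a block would touch and which peers are worth a custom App-ID.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample in a simplified PAN-OS-style traffic-log CSV layout.
# Field names are assumptions; destinations use documentation address space.
SAMPLE_LOG = """receive_time,src,dst,proto,dport,app,bytes
2019/03/01 10:00:01,10.1.1.5,203.0.113.10,udp,443,unknown-udp,18230
2019/03/01 10:00:02,10.1.1.5,203.0.113.10,tcp,443,facebook-base,40120
2019/03/01 10:00:03,10.1.1.9,198.51.100.7,udp,443,quic,9000
2019/03/01 10:00:04,10.1.1.7,203.0.113.10,udp,443,unknown-udp,2200
2019/03/01 10:00:05,10.1.1.8,10.0.0.53,udp,53,dns,120
2019/03/01 10:00:06,10.1.1.7,203.0.113.25,udp,443,unknown-udp,15000
"""

def unclassified_udp443(log_text):
    """Return (per-destination summary, total udp/443 session count) for the
    sessions App-ID could only classify as unknown-udp on port 443.
    The summary maps destination IP -> {"sessions", "bytes", "sources"}."""
    summary = defaultdict(lambda: {"sessions": 0, "bytes": 0, "sources": set()})
    udp443_total = 0
    for row in csv.DictReader(StringIO(log_text)):
        if row["proto"] != "udp" or row["dport"] != "443":
            continue
        udp443_total += 1
        if row["app"] != "unknown-udp":
            continue  # already identified (e.g. "quic"); nothing to learn here
        entry = summary[row["dst"]]
        entry["sessions"] += 1
        entry["bytes"] += int(row["bytes"])
        entry["sources"].add(row["src"])
    return dict(summary), udp443_total

def unknown_share(log_text):
    """Fraction of udp/443 sessions that App-ID left as unknown-udp."""
    summary, total = unclassified_udp443(log_text)
    unknown = sum(e["sessions"] for e in summary.values())
    return unknown / total if total else 0.0

if __name__ == "__main__":
    summary, total = unclassified_udp443(SAMPLE_LOG)
    # Largest byte volume first: the peers most worth a custom App-ID.
    for dst, e in sorted(summary.items(), key=lambda kv: -kv[1]["bytes"]):
        print(f"{dst:16} sessions={e['sessions']} bytes={e['bytes']} "
              f"clients={len(e['sources'])}")
    print(f"unknown-udp share of udp/443 sessions: {unknown_share(SAMPLE_LOG):.0%}")
```

On the constructed sample, three of the four udp/443 sessions are unknown-udp, so a blanket block would affect two of the three clients shown, while a custom signature for the 203.0.113.10 peer alone would cover two of those three sessions.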

L1 Bithead

Re: UDP 443 becoming more prevalent

Yeah, I saw this article too. I think this is exactly it. It seems to be something FB has turned up recently. Even though the application should switch over to TCP, the user experience on an enterprise network is much more painful, as you can imagine. If other applications are moving to this protocol, it would be nice to know how long it takes for Palo Alto to profile something that is widely used (i.e. the Facebook application).