How to Block QUIC Protocol

by vsathiamoo on 10-20-2016 08:46 AM - edited on 11-03-2016 06:38 AM by

What is QUIC?

QUIC (Quick UDP Internet Connections, pronounced "quick") is an experimental transport layer network protocol developed by Google. QUIC supports a set of multiplexed connections between two endpoints over User Datagram Protocol (UDP), and was designed to provide security protection equivalent to TLS/SSL, along with reduced connection and transport latency, and bandwidth estimation in each direction to avoid congestion. QUIC's main goal is to optimize connection-oriented web applications currently using TCP. An experimental implementation is being put in place in Chrome by a team of engineers at Google.

 

What happens if QUIC is not blocked?

Chrome browsers have the QUIC protocol enabled by default. When users access Google applications from the Chrome browser, the session to the Google server is established with QUIC instead of TLS/SSL. QUIC is an experimental protocol at an early stage of development, and it uses proprietary encryption methods. If a security policy whitelists the QUIC App-ID and users access Google applications from Google Chrome, the Palo Alto Networks firewall's App-ID engine identifies all of those sessions as the QUIC application, and visibility and control of the individual Google applications is lost.

 

Our recommendations:

Palo Alto Networks recommends creating a security policy on the firewall that blocks the QUIC application. With QUIC traffic blocked by the firewall, the Chrome browser falls back to traditional TLS/SSL, so users lose no browser functionality. The firewall then gains better visibility and control of Google applications, with or without SSL decryption enabled.

Security policy that denies the QUIC App:

[Screenshot: Security_policy.png]

With the most recent version of the Chrome browser, Google updated its experimental QUIC protocol, which caused traffic for the "quic" App-ID to be misidentified as "unknown-udp". Palo Alto Networks released additional coverage for the "quic" App-ID to include the changes made by Google. Because Google keeps changing the protocol, we recommend creating an additional security policy that blocks QUIC UDP traffic (UDP/443 and UDP/80).

[Screenshot: QUIC_UDP.png]

[Screenshot: Security_policy.png]
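As an added example (not from the article or from Palo Alto Networks), a small first-match policy evaluator in Python replays constructed traffic-log-style sessions against the two recommended rules, showing which rule catches each session and why the App-ID rule alone misses QUIC that App-ID reports as "unknown-udp". Rule names, addresses and session rows are made up for the illustration.

```python
# Constructed sample sessions in the shape of firewall traffic-log fields
# (made-up rows, not real logs). 10.1.1.11 models QUIC misidentified as
# unknown-udp; 10.1.1.15 models an unrelated application on udp/80.
SESSIONS = [
    {"src": "10.1.1.10", "app": "quic",        "proto": "udp", "dport": 443},
    {"src": "10.1.1.11", "app": "unknown-udp", "proto": "udp", "dport": 443},
    {"src": "10.1.1.12", "app": "quic",        "proto": "udp", "dport": 8443},
    {"src": "10.1.1.13", "app": "ssl",         "proto": "tcp", "dport": 443},
    {"src": "10.1.1.14", "app": "dns",         "proto": "udp", "dport": 53},
    {"src": "10.1.1.15", "app": "unknown-udp", "proto": "udp", "dport": 80},
]

# Rulebase evaluated top-down, first match wins; None means "any".
# The final allow stands in for the rest of the rulebase.
RULES = [
    {"name": "Deny-QUIC-AppID", "app": {"quic"}, "proto": None,  "ports": None,      "action": "deny"},
    {"name": "Deny-QUIC-UDP",   "app": None,     "proto": "udp", "ports": {80, 443}, "action": "deny"},
    {"name": "Allow-Rest",      "app": None,     "proto": None,  "ports": None,      "action": "allow"},
]
APP_RULE_ONLY = [RULES[0], RULES[2]]  # rulebase without the port-based rule

def matches(rule, session):
    """True when every non-None rule field matches the session."""
    if rule["app"] is not None and session["app"] not in rule["app"]:
        return False
    if rule["proto"] is not None and session["proto"] != rule["proto"]:
        return False
    if rule["ports"] is not None and session["dport"] not in rule["ports"]:
        return False
    return True

def evaluate(session, rules=RULES):
    """Return (rule name, action) of the first matching rule."""
    for rule in rules:
        if matches(rule, session):
            return rule["name"], rule["action"]
    return None, "allow"  # nothing matched explicitly

def summarize(sessions=SESSIONS, rules=RULES):
    """Map each rule name to the sources it was the first match for.
    Compare summarize() with summarize(rules=APP_RULE_ONLY): the App-ID
    rule alone lets the unknown-udp/443 session through, while the port
    rule also sweeps up the unrelated udp/80 session."""
    hits = {rule["name"]: [] for rule in rules}
    for s in sessions:
        name, _ = evaluate(s, rules)
        hits.setdefault(name, []).append(s["src"])
    return hits
```

Sessions on udp/80 and udp/443 that the port rule denies are exactly the ones the App-ID rule did not match first, so the difference between the two summaries is the trade-off of the broader port-based block.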

Comments
by Meagan
on ‎04-20-2017 03:54 PM

This was very helpful, thank you. We had a requirement to block Gmail and were perplexed why it did not work for all users. When I checked the traffic monitor I found quic and that brought me here. Great explanation. We now block quic.

by NileG
on ‎10-04-2017 01:16 PM

Ideally you want to also block it in the Chrome browser. This garbage took down our pipe a few times until we dealt with it.

by onedrum
on ‎12-06-2017 11:41 AM

I had lots of negative side effects when adding a rule that blocks UDP to ports 80 or 443 as described. I suppose I could have done it wrong, but not only did Chrome simply not load some sites (rather than falling back to non-QUIC) but things like the Pandora application, for example, ended up with connection errors.

Are we sure that Google/QUIC is the only thing being affected by this rule? It would seem that udp/80 and udp/443 may be a little too broad. At least that was my experience.

A lot changes in a year since this article was written, too, so that could be the explanation.

by rossghanim
a week ago

I went to Network > Statistics > QoS Statistics and I saw QUIC with 61 sessions and one user with 149 sessions. What does that mean, are more sessions bad, or how do you read this report? Can anyone explain this to me please?
