07-25-2022 12:57 AM
It seems like QUIC is going to become main stream, Its not just this linked video, I am seeing QUIC related stuff increasingly now. As per docs I see even for 10.2 its advised to block udp 80/443 and block QUIC. I would guess Palo Alto bringing QUIC decryption feature soon to their products, may be by end of this year? 🤞
https://www.youtube.com/watch?v=cdb7M37o9sU
07-25-2022 02:29 PM
I haven't come across any sites that utilize QUIC yet that won't fallback to working over traditional TLS when QUIC is blocked. Unless it's changed QUIC utilizes proprietary encryption, so I don't think decryption is something that PAN would be able to add unless Google has/decides to open that encryption up. I'd love to be wrong about the encryption though, because it is becoming more heavily utilized (Microsoft is also doing SMB over QUIC now as well).
Personal Take: I think we'll shortly run into a situation where network security from a decryption aspect needs to move to a host based agent. Since decryption is essentially a MiTM attack against your own assets (well, hopefully your own assets) it's also by nature something that you don't really want to make easy to accomplish. Either this moves to a host based agent, or Google/Apple/Microsoft will need to make some kind of exception process for enterprise endpoints. I personally think a host based agent is more likely.
07-25-2022 02:58 PM
@BPry QUIC used to be Google's toy but its now open standard and the linked video also mentions its a different protocol than what Google had initially developed. Also the big 5 Google, Facebook, Amazon, Apple and Microsoft are putting their support behind it and not just for web as you mention, SMB over QUIC and SSH over QUIC are out there. Fallback to TCP is there for now but ultimately if the big 5 are putting their power behind it, it covers more than half of the regular traffic. I agree decryption is MITM, but is a necessary evil. Also host based solution is good for managed devices for outbound decryption but not for inbound decryption. Wouldn't it be better if PA has a SSL Bridging/Offload feature like F5 for inbound traffic. Thanks
02-25-2024 03:59 AM
PLEASE explain your sources>
Note: Is it plausible to create a new Application type in the system "SMB-over-Quic" and have the palo recognize that the traffic IS SMB and that it is Sent via Quic flow and that it should be inspected ? I'm really happy to hear a "yes" on this question. But I'd be more happy to see a specific KB article that explicitly confirms that theory and shows how to define the new application in a way that will ensure it's ACTALLY matched in functional use.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
