UDP 443 becoming more prevelant

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

UDP 443 becoming more prevelant

L2 Linker

Today I have discovered that the latest Facebook App for Apple IOS is using udp/443 for communication. This behavior seems similar to the Google Quic protocol. I also caught a glimpse of an article referencing the move to a http2/api WWW.

 

If this is going to be the direction the industry goes, does anyone know how long it takes Palo Alto to signature these applications?

 

What is the best way your organization has handled these new applications that traditionally are "sanctioned"? Right now on the current APP\Thread DB it is classified as unknown-udp

1 accepted solution

Accepted Solutions

So it looks like the update on the 16th Content version 8153 has facebook-base as 443/UDP as default port.

 

443.PNG

View solution in original post

16 REPLIES 16

L6 Presenter

Can you provide anymore reference documentation on this?

Brandon,

 

I dont have offical documentation. But it was what I have observed in our production environment within my organization.

 

What further documentation are you looking for?

@DShofkom33xif you want to control webtraffic then you should still follow the recommendation of PaloAlto and block 443/udp. So far I have not heard of any plans that this traffic can be decrypted or properly identified.

Google Quic protocol is already widely used for google chrome based applications

 

https://ma.ttias.be/googles-quic-protocol-moving-web-tcp-udp/

 

I observed today that traffic hitting the Palo Alto in our environment ,when using my iPhone 7 running 12.2 with the latest Facebook app, was udp/443


@DShofkom33x wrote:

Brandon,

 

I dont have offical documentation. But it was what I have observed in our production environment within my organization.

 

What further documentation are you looking for?


 

Something that says the vendors are coding for this...We don't allow QUIC in our environment and we haven't heard of any users (mobile platform or otherwise) complaining about service issues.

Yes, you should be blocking QUIC as well as UDP 443.  Blocking Quic will retransmit over TCP and let the applications be identified properly.  This is what Palo recommends.

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClarCAC

You mean something like this?

 

https://code.fb.com/android/building-zero-protocol-for-fast-secure-mobile-connections/

 

I also just started noticing this mobile facebook traffic as "unknown-udp" in my logs in the last week or two. Not sure if they flipped a switch or I just missed it previously (only a Palo customer for 3 months now and still getting the hang of things!).

 

It's a custom implementation based off of QUIC according to the documentation, and blocking all UDP/443 traffic seems like the wrong way to solve this issue.


@Plattinum wrote:

It's a custom implementation based off of QUIC according to the documentation, and blocking all UDP/443 traffic seems like the wrong way to solve this issue.


It depends on your needs. If you want to control and decrypt any connections then you need to force the traffic to a way that makes it possible. If you allow any connections to the internet then go ahead and allow 443/udp. Another possibility is you can write a custom application to at least detect the application.

 

If now every big player in the cloud starts to write their own protocol then it could be difficult (not impossible) for security vendors to support full control features for all of these.

 

You could also ask your SE to create a feature request so others can add their vodmtes to the FR because I think you are not the only one who thinks this would be a need feature.

Yeah I saw this article too. I think this is exactly it. It seems to be something FB has turned up recently. Even though the application should switch over to TCP the user experience on an enterprise network is much more painful, as you can imagine. If other applications are moving to this protocol, it would be nice to know how long it takes for Palo Alto to profile something that is widely used (i.e Facebook application).


@DShofkom33x wrote:
Yeah I saw this article too. I think this is exactly it. It seems to be something FB has turned up recently. Even though the application should switch over to TCP the user experience on an enterprise network is much more painful, as you can imagine. If other applications are moving to this protocol, it would be nice to know how long it takes for Palo Alto to profile something that is widely used (i.e Facebook application).

 

I think your last question has already been answered from Palo documentation...They don't support it.  Their documentation says to block QUIC and allow the traffic to naturally use other native TCP protocols/applications. (Yes 'double' protocol used for clarity.)

So it looks like the update on the 16th Content version 8153 has facebook-base as 443/UDP as default port.

 

443.PNG

I understand it's recommended to block (and we did) but the user experience is horrible. I hope this isn't the new norm for these type of applications.

On our network of >30k devices, we have not had one single complaint after blocking QUIC a couple years ago.  What kind of horrible user experience are you running into? @DShofkom33x 


@OGMaverick wrote:

On our network of >30k devices, we have not had one single complaint after blocking QUIC a couple years ago.  What kind of horrible user experience are you running into? @DShofkom33x 


 

Yeah QUIC has always been blocked for us as well and we have had no issues regarding impact to user performance either.

  • 1 accepted solution
  • 36109 Views
  • 16 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!