UDP 443 becoming more prevalent

L2 Linker


Today I have discovered that the latest Facebook app for Apple iOS is using udp/443 for communication. This behavior seems similar to the Google QUIC protocol. I also caught a glimpse of an article referencing the move to an http2/api WWW.

If this is going to be the direction the industry goes, does anyone know how long it takes Palo Alto to signature these applications?

 

What is the best way your organization has handled these new applications that traditionally are "sanctioned"? Right now on the current App/Threat DB it is classified as unknown-udp.


Accepted Solutions
Cyber Elite

So it looks like the update on the 16th Content version 8153 has facebook-base as 443/UDP as default port.

 

(attached screenshot: 443.PNG)


All Replies
Cyber Elite

Can you provide any more reference documentation on this?

L2 Linker

Brandon,

I don't have official documentation. But it was what I have observed in our production environment within my organization.

What further documentation are you looking for?

Cyber Elite

@DShofkom33x if you want to control web traffic then you should still follow the recommendation of Palo Alto and block 443/udp. So far I have not heard of any plans that this traffic can be decrypted or properly identified.

L2 Linker

The Google QUIC protocol is already widely used for Google Chrome based applications.

https://ma.ttias.be/googles-quic-protocol-moving-web-tcp-udp/

I observed today that traffic hitting the Palo Alto in our environment, when using my iPhone 7 running 12.2 with the latest Facebook app, was udp/443.

Cyber Elite


@DShofkom33x wrote:

Brandon,

I don't have official documentation. But it was what I have observed in our production environment within my organization.

What further documentation are you looking for?

Something that says the vendors are coding for this... We don't allow QUIC in our environment and we haven't heard of any users (mobile platform or otherwise) complaining about service issues.

L3 Networker

Yes, you should be blocking QUIC as well as UDP 443. Blocking QUIC will retransmit over TCP and let the applications be identified properly. This is what Palo recommends.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClarCAC

L0 Member

You mean something like this?

 

https://code.fb.com/android/building-zero-protocol-for-fast-secure-mobile-connections/

 

I also just started noticing this mobile facebook traffic as "unknown-udp" in my logs in the last week or two. Not sure if they flipped a switch or I just missed it previously (only a Palo customer for 3 months now and still getting the hang of things!).

 

It's a custom implementation based off of QUIC according to the documentation, and blocking all UDP/443 traffic seems like the wrong way to solve this issue.

Cyber Elite


@Plattinum wrote:

It's a custom implementation based off of QUIC according to the documentation, and blocking all UDP/443 traffic seems like the wrong way to solve this issue.


It depends on your needs. If you want to control and decrypt any connections then you need to force the traffic in a way that makes it possible. If you allow any connections to the internet then go ahead and allow 443/udp. Another possibility is that you can write a custom application to at least detect the application.

If now every big player in the cloud starts to write their own protocol then it could be difficult (not impossible) for security vendors to support full control features for all of these.

You could also ask your SE to create a feature request so others can add their votes to the FR, because I think you are not the only one who thinks this would be a needed feature.
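Two points in this thread lend themselves to a small, repeatable check on your own traffic logs: the advice above that, if you cannot get App-ID to name the flow, you can at least detect it yourself, and the earlier point that blocking QUIC/udp 443 makes clients retransmit over TCP where App-ID can identify them. The script below is an added example written for this thread; it is not code from any poster and not a Palo Alto Networks tool. It assumes a simplified, hypothetical CSV export layout (timestamp, source, destination, protocol, destination port, application, action, bytes); real PAN-OS traffic logs carry many more columns, so the FIELDS mapping must be adapted. The App-ID names unknown-udp and facebook-base come from the thread; quic and ssl are existing App-IDs used here only in constructed sample rows. All addresses are RFC 5737 documentation ranges.

```python
"""Triage of udp/443 sessions that App-ID reports as unknown-udp.

Added example for this thread; not code from the original posts or from
Palo Alto Networks. The log lines are constructed and use a simplified,
hypothetical CSV layout (ts,src,dst,proto,dport,app,action,bytes). Real
PAN-OS traffic-log exports carry many more columns, so remap FIELDS.
"""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample using RFC 5737 documentation addresses.
# 203.0.113.10 stands in for a social-app edge, 198.51.100.20 for a search edge.
SAMPLE_LOG = """\
2020-11-01T10:00:01,10.1.1.20,203.0.113.10,udp,443,unknown-udp,allow,18200
2020-11-01T10:00:02,10.1.1.20,203.0.113.10,udp,443,unknown-udp,allow,22100
2020-11-01T10:00:05,10.1.1.20,203.0.113.10,udp,443,unknown-udp,allow,31050
2020-11-01T10:01:10,10.1.1.21,203.0.113.10,udp,443,unknown-udp,deny,0
2020-11-01T10:01:11,10.1.1.21,203.0.113.10,tcp,443,facebook-base,allow,40210
2020-11-01T10:02:00,10.1.1.22,198.51.100.20,udp,443,quic,deny,0
2020-11-01T10:02:01,10.1.1.22,198.51.100.20,tcp,443,ssl,allow,51000
2020-11-01T10:03:00,10.1.1.24,203.0.113.10,udp,443,unknown-udp,deny,0
2020-11-01T10:03:30,10.1.1.23,192.0.2.53,udp,53,dns,allow,120
"""

FIELDS = ["ts", "src", "dst", "proto", "dport", "app", "action", "bytes"]


def parse_log(text):
    """Parse the CSV text into a list of dicts; dport and bytes become ints."""
    rows = []
    for row in csv.DictReader(StringIO(text), fieldnames=FIELDS):
        row["dport"] = int(row["dport"])
        row["bytes"] = int(row["bytes"])
        rows.append(row)
    return rows


def udp443_unidentified(rows):
    """The symptom from the thread: udp/443 sessions App-ID could only call unknown-udp."""
    return [r for r in rows
            if r["proto"] == "udp" and r["dport"] == 443 and r["app"] == "unknown-udp"]


def summarize_by_destination(rows):
    """Per destination: how many unidentified udp/443 sessions, how many bytes got
    through, and which internal hosts produced them. Large allowed_bytes towards a
    destination you cannot name is the visibility gap a custom App-ID or a deny
    rule closes."""
    acc = defaultdict(lambda: {"sessions": 0, "allowed_bytes": 0, "sources": set()})
    for r in udp443_unidentified(rows):
        entry = acc[r["dst"]]
        entry["sessions"] += 1
        entry["sources"].add(r["src"])
        if r["action"] == "allow":
            entry["allowed_bytes"] += r["bytes"]
    return {dst: {"sessions": e["sessions"],
                  "allowed_bytes": e["allowed_bytes"],
                  "sources": sorted(e["sources"])}
            for dst, e in acc.items()}


def fallback_observed(rows, window_s=30):
    """For every denied udp/443 session, check whether the same src reached the same
    dst over tcp/443 within window_s seconds. True means the client fell back to TCP
    (where App-ID can name it), as the thread expects; False is a host worth a look,
    because the block did not lead to a working TCP session."""
    tcp443 = [r for r in rows if r["proto"] == "tcp" and r["dport"] == 443]
    result = {}
    for d in rows:
        if not (d["proto"] == "udp" and d["dport"] == 443 and d["action"] == "deny"):
            continue
        t0 = datetime.fromisoformat(d["ts"])
        seen = any(
            r["src"] == d["src"] and r["dst"] == d["dst"]
            and 0 <= (datetime.fromisoformat(r["ts"]) - t0).total_seconds() <= window_s
            for r in tcp443)
        result[(d["src"], d["dst"])] = seen
    return result


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for dst, info in summarize_by_destination(rows).items():
        print(f"{dst}: {info['sessions']} unidentified udp/443 sessions, "
              f"{info['allowed_bytes']} bytes allowed, from {', '.join(info['sources'])}")
    for (src, dst), ok in fallback_observed(rows).items():
        print(f"{src} -> {dst}: TCP fallback {'seen' if ok else 'NOT seen'}")
```

Run against the sample, the summary shows one destination with five unidentified udp/443 sessions, three of them allowed before a deny rule was in place, and the fallback check shows two hosts that moved to tcp/443 within a second of the deny and one that did not. On a real export the same two views answer the thread's two questions: how much unnamed udp/443 traffic you are carrying, and whether blocking it actually pushes clients onto a path App-ID can classify.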

L2 Linker

Yeah, I saw this article too. I think this is exactly it. It seems to be something FB has turned up recently. Even though the application should switch over to TCP, the user experience on an enterprise network is much more painful, as you can imagine. If other applications are moving to this protocol, it would be nice to know how long it takes for Palo Alto to profile something that is widely used (i.e. the Facebook application).