
What is QUIC – This new Google Protocol makes Firewalls Blind

Written By Harris Andrea

QUIC (Quick UDP Internet Connections) is a transport protocol designed to speed up latency-sensitive web applications (search, video streaming, etc.) by reducing the number of round trips (RTT) needed before a client can start exchanging data with a server.


By running over UDP instead of TCP and encrypting almost all of its payload, QUIC cuts the time until content starts to appear by a factor of two to three, without giving up data security.

Although all this sounds great, the encryption QUIC uses (Google's own QUIC Crypto handshake at the time of writing, rather than standard TLS) gives headaches to security administrators who want to enforce application restrictions on their next-generation firewalls (more on this below).

QUIC was developed by Google (it is implemented in Chrome and Opera) to work around the limitations of HTTP/2 over TCP, providing strong encryption, a shorter client/server handshake and better resilience to packet loss. At the time of writing, more than 42% of Google's traffic uses QUIC.

These are the most important technical features of QUIC:

  • Packet pacing: packets are sent spaced out in time rather than in bursts, which reduces loss.
  • Integrated (and pluggable) congestion control.
  • UDP transport, which avoids TCP head-of-line blocking.
  • Security equivalent to Transport Layer Security (TLS): QUIC is always encrypted and authenticated.
  • Forward Error Correction (FEC) to recover lost packets without retransmission, reducing delays (an experimental feature of early Google QUIC that was later dropped).
  • A connection ID instead of the IP/port 4-tuple, so a mobile client that changes networks keeps its connection instead of reconnecting.
  • 0-RTT connection establishment to servers already visited, comparable to TLS Snap Start combined with TCP Fast Open.

Chrome has QUIC enabled by default, so when you visit a Google service (such as YouTube) the session is established over QUIC instead of traditional TLS over TCP. Google's own measurements reported about 30% fewer rebuffering events on YouTube when video is delivered over QUIC.

In terms of ports, QUIC to Google services runs on UDP port 443, in contrast with the TCP port 443 used by traditional HTTPS (TLS over TCP). Nothing in the protocol ties it to that port, but UDP 443 is what browsers and Google's servers use, which is what makes the port-based blocking described below work.

Quick Tip

If you want to check that your Chrome browser and network path actually use QUIC, do the following:

  1. Type chrome://net-internals/#quic in Chrome's address bar.
  2. Open a second tab and browse to YouTube. The first tab lists the live QUIC sessions established to YouTube's servers.

Note that recent Chrome versions have removed the net-internals QUIC page. There, open DevTools (F12), select the Network tab, enable the Protocol column and load the page: connections carried over QUIC show a protocol such as http/2+quic/43 (Google QUIC) or h3 (HTTP/3 over IETF QUIC), while a fallback to TCP shows h2 or http/1.1. QUIC can also be switched off for testing at chrome://flags/#enable-quic.

QUIC Encryption causes problems in application visibility and control

Because Google's QUIC uses its own encryption scheme equivalent to TLS (the IETF-standardised QUIC replaces it with TLS 1.3), next-generation firewalls that provide application control and visibility currently have a hard time identifying and restricting Google applications (Gmail, YouTube, etc.) inside QUIC traffic. Without a handshake it can decode, the firewall sees only UDP/443 datagrams whose payload is opaque, so it cannot tell which Google service is in use. Several firewall vendors therefore recommend blocking QUIC altogether to regain visibility and control over Google apps.
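To make the visibility problem concrete, here is an added example (not code from the original article or from any firewall vendor) that parses only the cleartext header of a UDP/443 datagram and reports what a middlebox without the keys can learn: the QUIC flavour (Google QUIC or IETF QUIC), the version, and the connection ID. Everything after the header, including the requested hostname, is encrypted. The sample datagrams are constructed by hand for the example; the trailing zero bytes stand in for the encrypted payload.

```python
"""What a firewall can read from a QUIC datagram without the session keys."""
import struct
from typing import Optional

# --- constructed sample datagrams (hand-made for this example, not captured traffic) ---
IETF_V1_INITIAL = (bytes([0xC0])                                     # long header + fixed bit, packet type Initial
                   + b"\x00\x00\x00\x01"                               # version 0x00000001 = QUIC v1 (RFC 9000)
                   + bytes([8]) + bytes.fromhex("83940f5c92cbd4e1")    # DCID length + destination connection ID
                   + bytes([0])                                        # SCID length 0
                   + b"\x00" * 40)                                     # encrypted Initial payload
GQUIC_Q043_CHLO = (bytes([0x09])                                     # public flags: version present + 8-byte CID
                   + bytes.fromhex("0123456789abcdef")                 # connection ID
                   + b"Q043"                                           # gQUIC version tag (ASCII)
                   + b"\x00" * 40)                                     # encrypted payload
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             b"\x07example\x03com\x00\x00\x01\x00\x01")               # ordinary UDP data, not QUIC
RANDOM_UDP = b"\xC1\x5E\xDE\xAD\xBE\xEF" + b"\x00" * 20              # top bits set, but no known version


def _ietf_version_name(version: int) -> Optional[str]:
    """Name the IETF QUIC version field, or None if it is not a known value."""
    if version == 0:
        return "version-negotiation"
    if version == 0x00000001:
        return "v1 (RFC 9000)"
    if version == 0x6B3343CF:
        return "v2 (RFC 9369)"
    if version & 0xFFFFFF00 == 0xFF000000:
        return f"draft-{version & 0xFF}"
    return None


def _gquic_tag(raw: bytes) -> Optional[str]:
    """gQUIC versions are four ASCII bytes such as b'Q043' or b'Q050'."""
    if len(raw) == 4 and raw[:1] == b"Q" and raw[1:].isdigit():
        return raw.decode("ascii")
    return None


def classify_quic(payload: bytes) -> Optional[dict]:
    """Return the cleartext header fields of a QUIC packet, or None if it does not look like QUIC."""
    if len(payload) < 13:
        return None
    first = payload[0]
    if first & 0x80:                                      # IETF-style long header
        if not first & 0x40:                              # the "fixed bit" must be 1
            return None
        tag = _gquic_tag(payload[1:5])
        if tag:                                           # Q046/Q050 reuse this layout with an older CID-length encoding
            return {"flavour": "gquic", "version": tag, "dcid": None}
        name = _ietf_version_name(struct.unpack(">I", payload[1:5])[0])
        if name is None:                                  # unknown version: treat as not-QUIC to limit false positives
            return None
        dcid_len = payload[5]
        dcid = payload[6:6 + dcid_len]
        if dcid_len > 20 or len(dcid) != dcid_len:        # RFC 9000 caps connection IDs at 20 bytes
            return None
        return {"flavour": "ietf", "version": name, "dcid": dcid.hex()}
    if first & 0x01:                                      # gQUIC public header (Q043 and older): version flag set
        cid_len = 8 if first & 0x08 else 0
        tag = _gquic_tag(payload[1 + cid_len:5 + cid_len])
        if tag is None:
            return None
        return {"flavour": "gquic", "version": tag, "dcid": payload[1:1 + cid_len].hex() or None}
    return None


def triage(datagrams: dict) -> dict:
    """Map each named datagram to what a middlebox could learn from its header."""
    return {name: classify_quic(data) for name, data in datagrams.items()}


if __name__ == "__main__":
    samples = {"ietf-v1": IETF_V1_INITIAL, "gquic-q043": GQUIC_Q043_CHLO,
               "dns": DNS_QUERY, "random": RANDOM_UDP}
    for name, info in triage(samples).items():
        print(f"{name:12s} -> {info}")
```

Note that the header heuristics alone can misfire (a DNS transaction ID that happens to have its top bits set looks like a long header until the version check fails), and that even a correct parse yields only a version and a connection ID, never the application. That is why vendors fall back to blocking the port rather than trying to classify the traffic.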


How to block Google Applications on your firewall

Cisco and Palo Alto Networks, for example, recommend blocking UDP port 443 on the firewall so that Chrome falls back to regular TCP 443 connections instead of QUIC. Users lose no connectivity: when its UDP packets are dropped, the browser silently falls back to TLS over TCP 443, and Chrome remembers that QUIC failed for that destination, so later connections go straight to TCP without the initial delay.

Therefore, if you want to restrict specific Google applications (YouTube, Gmail, etc.) on your next-generation firewall, you first need to block UDP 443 so that QUIC cannot be used. Otherwise QUIC's encryption prevents the firewall from correctly identifying the Google application and applying the restriction. Put the deny rule for UDP 443 on the outbound (inside-to-outside) path ahead of your application-control rules, and include IPv6 if your users have it. The same rule also covers HTTP/3, which runs over IETF QUIC on UDP 443.
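The following added example (not the page's own code, nor any vendor's implementation) models the two rules just described as a small policy function: drop UDP/443 so the browser falls back to TLS over TCP, then classify the TCP/443 flow from the Server Name Indication (SNI) carried in the cleartext TLS ClientHello, which is what lets application control work again. The application-to-domain list and the ClientHello builder used as test input are assumptions made for the example.

```python
"""Firewall policy once UDP/443 is blocked: application control from the TLS ClientHello SNI."""
from typing import Optional, Tuple

# Assumed application-to-domain mapping for the example (a real NGFW ships its own app signatures).
BLOCKED_APPS = {
    "youtube": ("youtube.com", "googlevideo.com", "ytimg.com"),
}


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS ClientHello record carrying an SNI extension (constructed test input)."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + len(host).to_bytes(2, "big") + host                # name_type host_name(0), length, name
    sni_list = len(sni_entry).to_bytes(2, "big") + sni_entry
    sni_ext = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list      # extension type 0 = server_name
    extensions = len(sni_ext).to_bytes(2, "big") + sni_ext
    body = (b"\x03\x03" + b"\x11" * 32          # client_version, random (fixed bytes for the example)
            + b"\x00"                             # session_id length 0
            + b"\x00\x02\x13\x01"                 # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                         # one compression method: null
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body                # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake   # ContentType handshake(22)


def extract_sni(record: bytes) -> Optional[str]:
    """Walk a TLS ClientHello and return the SNI host name, or None if absent or malformed."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None
    p = 9 + 2 + 32                                      # record hdr (5) + handshake hdr (4) + version + random
    if p >= len(record):
        return None
    p += 1 + record[p]                                  # session_id
    if p + 2 > len(record):
        return None
    p += 2 + int.from_bytes(record[p:p + 2], "big")     # cipher_suites
    if p >= len(record):
        return None
    p += 1 + record[p]                                  # compression_methods
    if p + 2 > len(record):
        return None
    ext_end = min(len(record), p + 2 + int.from_bytes(record[p:p + 2], "big"))
    p += 2
    while p + 4 <= ext_end:                             # iterate extensions: type(2) length(2) data
        ext_type = int.from_bytes(record[p:p + 2], "big")
        ext_len = int.from_bytes(record[p + 2:p + 4], "big")
        p += 4
        if ext_type == 0 and ext_len >= 5:              # server_name: list_len(2) name_type(1) name_len(2) name
            name_len = int.from_bytes(record[p + 3:p + 5], "big")
            if p + 5 + name_len > ext_end:              # truncated record: do not return a partial name
                return None
            return record[p + 5:p + 5 + name_len].decode("ascii", "replace")
        p += ext_len
    return None


def firewall_decision(proto: str, dst_port: int, payload: bytes) -> Tuple[str, str]:
    """Return (action, reason) for the first packet of a flow."""
    # Rule 1: the vendor recommendation from the article. Drop QUIC on UDP/443 so the
    # browser retries over TCP/443, where the handshake can be inspected.
    if proto == "udp" and dst_port == 443:
        return ("drop", "QUIC blocked on UDP/443")
    # Rule 2: on TCP/443 the ClientHello's SNI is cleartext (unless TLS Encrypted
    # Client Hello is in use), so application control can match on it.
    if proto == "tcp" and dst_port == 443:
        sni = extract_sni(payload)
        if sni is None:
            return ("allow", "no SNI in ClientHello; app unknown")
        for app, domains in BLOCKED_APPS.items():
            if any(sni == d or sni.endswith("." + d) for d in domains):
                return ("drop", f"app {app} matched by SNI {sni}")
        return ("allow", f"SNI {sni} not in blocked apps")
    return ("allow", "no matching rule")


if __name__ == "__main__":
    quic_initial = b"\xC0\x00\x00\x00\x01" + b"\x00" * 30   # constructed IETF QUIC v1 Initial header
    print(firewall_decision("udp", 443, quic_initial))
    print(firewall_decision("tcp", 443, build_client_hello("www.youtube.com")))
    print(firewall_decision("tcp", 443, build_client_hello("mail.google.com")))
```

The example deliberately does not try to parse the QUIC payload at all: the point of the recommendation is that dropping the port is enough, and the application decision is then made on the TCP fallback where the ClientHello is readable. Where TLS Encrypted Client Hello (ECH) is deployed, the SNI is no longer visible either, and this style of app control stops working on TCP too.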



About Harris Andrea

Harris Andrea is an Engineer with more than two decades of professional experience in the fields of TCP/IP Networks, Information Security and I.T. Over the years he has acquired several professional certifications such as CCNA, CCNP, CEH, ECSA etc.

He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN Configuration Guide") which are available at Amazon and on this website as well.

Comments

  1. sabin says

    April 16, 2018 at 8:05 pm

    Great information!!! Thank you!

  2. Harris Andrea says

    April 17, 2018 at 4:21 am

    Thanks Sabin,

    I’m glad you liked my article.

  3. Imran says

    April 17, 2018 at 5:22 am

    Great article

  4. AD Garcia says

    April 17, 2018 at 7:14 am

    This is very important information.
    Thank you so much.

  5. Imran says

    April 17, 2018 at 7:18 am

    Nice article

  6. Nikul says

    April 17, 2018 at 11:38 am

    Good to know about QUIC. Keep sharing, man!! Thank you so much.

  7. Harris Andrea says

    April 17, 2018 at 1:21 pm

    I’m glad you guys liked it.

    Thanks

  8. Manoj says

    April 9, 2019 at 5:30 am

    Very nicely explained. Liked it!!

  9. Harris Andrea says

    April 9, 2019 at 5:53 am

    Thanks Manoj for your comment. I’m glad you liked my article about QUIC

  10. wew says

    July 1, 2020 at 6:39 pm

    https://datatracker.ietf.org/wg/quic/documents/
    QUIC encryption will not be proprietary…
