What are the Challenges of Adopting SMB over QUIC in the Enterprise World?


In the modern world, secure file sharing over untrusted networks, such as the internet, has become a critical need. This is where SMB over QUIC comes in, representing a revolutionary alternative to traditional TCP-based SMB. Instead of relying on TCP/445, this innovative protocol uses UDP/443, providing you with secure and efficient file access without the need for a VPN. Its main advantage lies in the built-in TLS 1.3 encryption, ensuring that all your SMB traffic remains encrypted and authenticated. Microsoft even calls it "SMB with a built-in automatic TLS 1.3 VPN," highlighting its ability to simplify access for remote users. With Windows Server 2025, its availability has also expanded to Datacenter and Standard editions, making it more accessible and relevant for organizations of all types.

What are the Main Performance and Infrastructure Challenges in Implementing SMB over QUIC?

Despite the many benefits offered by SMB over QUIC, its implementation in an enterprise environment presents several performance and infrastructure challenges that must be considered. Understanding these challenges is critical for successful planning and implementation, allowing you to maximize the potential of this technology.

Does QUIC Performance Meet Your Requirements Today?

One of the main challenges today lies in the performance limitations of the QUIC protocol itself. While it offers significant improvements in areas such as reducing connection times and preventing head-of-line blocking, its performance still does not reach the levels of extremely fast traditional protocols. For example, QUIC still does not reach speeds of 25Gbps, which may be a barrier for organizations with extremely high bandwidth requirements. It is important to understand that this is an evolving technology, and its performance is expected to improve over time, but as of today, its suitability for your specific needs should be examined.

How Will You Deal with Existing Security and Infrastructure Devices?

Another challenge stems from "resistance to change" from legacy security and network devices. Many security devices, such as firewalls and IDS/IPS systems, are not designed to analyze or manage QUIC traffic efficiently. This can lead to problems in traffic identification, monitoring, and control, and impair your ability to enforce existing security policies. Deploying SMB over QUIC requires you to examine the compatibility of your existing infrastructure and consider necessary upgrades or configuration changes.

What are the Configuration Requirements for Servers and Clients?

Setting up SMB over QUIC on the server side requires precise configuration. The server must be installed with a trusted TLS 1.3 certificate whose Subject Alternative Name (SAN) matches the server's full FQDN, and that certificate must be trusted by your clients. To activate the service, you must map the certificate with a PowerShell command such as New-SmbServerCertificateMapping, passing the correct certificate thumbprint. On the client side, the connection is made with a transport-specific command, such as net use * \\<server FQDN>\c$ /p:n /transport:QUIC on Windows 11. This configuration, although relatively simple, requires attention to detail to ensure proper and secure connectivity. For more information on SMB over QUIC server configuration, see Visuality Systems' article: SMB over QUIC Server Beyond Azure.

What Security Concerns Arise with the Use of SMB over QUIC?

While SMB over QUIC offers distinct security advantages due to its built-in TLS 1.3 encryption, it also presents organizations with new security concerns and challenges related to traffic visibility and control. Understanding these concerns is essential to implement the protocol securely and maintain a strong defensive posture.

Does Full Encryption Make Security Monitoring Difficult?

One of the main concerns stems from the full encryption of QUIC traffic. While encryption is a positive goal, it can make it difficult for traditional security tools, such as intrusion prevention systems (IPS) or traffic monitoring solutions, to perform in-depth inspection of the content passing through the network. The difficulty in inspecting encrypted TLS 1.3 traffic can lead to a situation where malicious activity, such as the transfer of malicious code or data exfiltration, is hidden within the encrypted traffic, reducing your detection capability. Visibility and application control become a significant challenge for security teams, as they may lose the ability to identify and analyze abnormal traffic patterns or attack attempts.

How Does QUIC Affect the Risk of DDoS Attacks?

Another security concern relates to QUIC's use of the UDP protocol. Unlike TCP, UDP is a connectionless protocol, making it more vulnerable to Amplification Attacks and Distributed Denial of Service (DDoS) attacks. Attackers can exploit the nature of UDP to send small requests that generate much larger responses, thereby flooding servers and networks. Detecting and preventing DDoS attacks over QUIC becomes more complex due to the nature of the protocol, requiring more advanced security solutions.
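The two concerns above (loss of content visibility, and UDP-based flooding against the QUIC listener) still leave a defender with metadata to work with. The following is an added example, not part of the article and not Visuality Systems' code: a PowerShell triage function that reads firewall flow records (constructed sample data in CSV form) and flags, first, inbound TCP/445 from outside the internal address space reaching a file server that is supposed to be QUIC-only, and second, UDP/443 conversations whose response volume far exceeds what the peer sent, the asymmetry that characterises reflection or flooding traffic. The server addresses, internal prefixes and thresholds are assumptions.

```powershell
# Added example (not from the article): flow-level triage for an SMB over QUIC
# file server. Constructed sample flow records; columns are per-conversation
# byte counts seen by the firewall (bytes_in = from src, bytes_out = from dst).
$SampleFlows = @'
ts,src,dst,proto,dport,bytes_in,bytes_out
2024-05-01T10:00:01Z,203.0.113.10,10.0.0.5,UDP,443,48211,51002
2024-05-01T10:00:02Z,198.51.100.7,10.0.0.5,UDP,443,1200,310000
2024-05-01T10:00:03Z,198.51.100.9,10.0.0.5,TCP,445,900,4000
2024-05-01T10:00:04Z,10.0.1.20,10.0.0.5,TCP,445,15000,220000
2024-05-01T10:00:05Z,192.0.2.33,10.0.0.5,UDP,443,200,600
'@

function Get-SmbQuicFlowFindings {
    param(
        [Parameter(Mandatory)][string]$FlowCsv,
        [string[]]$FileServers      = @('10.0.0.5'),  # assumption: SMB over QUIC servers
        [string[]]$InternalPrefixes = @('10.'),       # assumption: address space used internally
        [int]$MinResponseBytes      = 100000,         # assumption: ignore tiny conversations
        [double]$MaxOutInRatio      = 50              # assumption: response/request byte ratio
    )
    $flows = $FlowCsv | ConvertFrom-Csv
    foreach ($f in $flows) {
        # Only flows towards the file servers are of interest here.
        if ($FileServers -notcontains $f.dst) { continue }

        $isInternal = [bool]($InternalPrefixes | Where-Object { $f.src.StartsWith($_) })
        $in  = [double]$f.bytes_in
        $out = [double]$f.bytes_out

        # Finding 1: TCP/445 from outside should not reach a server that is
        # meant to serve remote clients over QUIC only.
        if ($f.proto -eq 'TCP' -and [int]$f.dport -eq 445 -and -not $isInternal) {
            [pscustomobject]@{
                Severity = 'High'
                Src      = $f.src
                Finding  = 'Inbound TCP/445 from outside reached the file server; QUIC-only policy is not enforced'
            }
        }

        # Finding 2: a UDP/443 conversation where the server sent far more than
        # it received. Large, lopsided responses are what a reflection or flood
        # attempt looks like from the outside, even though the payload is encrypted.
        if ($f.proto -eq 'UDP' -and [int]$f.dport -eq 443 -and
            $out -ge $MinResponseBytes -and $in -gt 0 -and ($out / $in) -ge $MaxOutInRatio) {
            [pscustomobject]@{
                Severity = 'Medium'
                Src      = $f.src
                Finding  = ('UDP/443 response volume {0:N0} B is {1:N0}x the request volume; check for reflection/flood' -f $out, ($out / $in))
            }
        }
    }
}

# With the sample above this reports one High (198.51.100.9, TCP/445 from outside)
# and one Medium (198.51.100.7, about 258x asymmetry); the internal TCP/445 flow
# and the balanced UDP/443 sessions produce nothing.
Get-SmbQuicFlowFindings -FlowCsv $SampleFlows | Format-Table -AutoSize
```

The ratio check is deliberately coarse: QUIC itself caps what a server may send to an unvalidated address at three times the bytes received (RFC 9000, section 8.1), so a conforming server is a poor reflector, and large legitimate file reads over a validated connection will also be lopsided. Treat a hit as a prompt to look at source diversity and packet rate on UDP/443, not as proof of an attack.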

How Does Visuality Systems Support SMB over QUIC Security?

Visuality Systems is a leading global developer of Server Message Block (SMB) protocol solutions for over two decades. We provide robust, secure, and flexible Microsoft-compatible SMB client and server solutions for embedded products, Java-based applications, and storage systems. Our knowledge and experience are reflected in our ability to help you address these security challenges. For example, our solutions support strong authentication mechanisms such as NTLMv2 and Kerberos. In an Active Directory environment, Kerberos is used by default for secure authentication. Furthermore, we offer KDC Proxy support, which allows the use of Kerberos even over the Internet via HTTPS/443. This capability enables secure authentication without the need for a VPN, thereby strengthening the level of security even in remote access scenarios. For more information on secure implementation, see Visuality Systems' article: smb over quic "visualityng".

How Can Organizations Overcome These Challenges and Adopt SMB over QUIC Securely?

In order to overcome the challenges and adopt SMB over QUIC securely and efficiently, you must implement best practices. First and foremost, be sure to use Active Directory domains and leverage Read-Only Domain Controllers (RODC) where appropriate to enhance security and management. It is very important to avoid allowing incoming TCP/445 traffic to the file server, as SMB over QUIC is designed to replace the need for this port. Also, avoid using IP addresses in the certificate extensions (SAN) of SMB over QUIC, and ensure the use of full FQDN names. Solutions such as jNQ (Java-based SMB client) and YNQ (embedded SMB) from Visuality Systems allow you to extend the secure capabilities of SMB over QUIC to non-Windows operating systems as well, thereby creating a unified and secure file access environment for all your organizational devices.
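The server configuration described earlier (a TLS certificate whose SAN carries the FQDN, mapped with New-SmbServerCertificateMapping) and the hardening advice above (no IP addresses in the SAN, no inbound TCP/445) can be carried out and checked in one PowerShell session. The script below is an added example, not from the article and not Visuality Systems' code; it assumes a Windows Server that supports SMB over QUIC, and the hostname, thumbprint and firewall rule names are placeholders. It validates the certificate before creating the mapping, so a certificate that would fail the article's rules is rejected rather than silently mapped.

```powershell
# Added example (not from the article): prepare and verify an SMB over QUIC
# file server. Run in an elevated PowerShell on the server.
$Fqdn       = 'fs01.corp.example'      # placeholder: the server's full FQDN
$Thumbprint = '<CERT-THUMBPRINT>'      # placeholder: thumbprint of the TLS certificate

# 1. Locate the certificate in the machine store and check the properties the
#    article requires: private key present, Server Authentication EKU, and a
#    SAN that names the FQDN and contains no IP address entry.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in Cert:\LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key on this machine' }

$serverAuthOid = '1.3.6.1.5.5.7.3.1'
if ($cert.EnhancedKeyUsageList.ObjectId -notcontains $serverAuthOid) {
    throw 'Certificate lacks the Server Authentication EKU'
}

# OID 2.5.29.17 is the Subject Alternative Name extension; Format() renders it
# as text such as "DNS Name=fs01.corp.example, IP Address=10.0.0.5".
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $sanExt) { throw 'Certificate has no Subject Alternative Name extension' }
$sanText = $sanExt.Format($false)
if ($sanText -match 'IP Address=') {
    throw "SAN contains an IP address entry, which the article advises against: $sanText"
}
if ($sanText -notmatch [regex]::Escape("DNS Name=$Fqdn")) {
    throw "SAN does not name the FQDN $Fqdn (found: $sanText)"
}

# 2. Map the certificate to the SMB server name, unless it is already mapped.
$existing = Get-SmbServerCertificateMapping | Where-Object { $_.Name -eq $Fqdn }
if (-not $existing) {
    New-SmbServerCertificateMapping -Name $Fqdn -Thumbprint $Thumbprint -StoreName My
}
Get-SmbServerCertificateMapping | Where-Object { $_.Name -eq $Fqdn } |
    Format-List Name, Thumbprint, StoreName

# 3. Host firewall: admit the QUIC listener on UDP/443 and, following the
#    article's recommendation, refuse inbound TCP/445 on this server so that
#    remote access is possible only over QUIC. Rule names are placeholders.
if (-not (Get-NetFirewallRule -DisplayName 'SMB over QUIC (UDP 443 in)' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'SMB over QUIC (UDP 443 in)' -Direction Inbound `
        -Protocol UDP -LocalPort 443 -Action Allow | Out-Null
}
if (-not (Get-NetFirewallRule -DisplayName 'Block inbound SMB TCP 445' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'Block inbound SMB TCP 445' -Direction Inbound `
        -Protocol TCP -LocalPort 445 -Action Block | Out-Null
}

# 4. Client side (run on a Windows 11 client that trusts the certificate chain),
#    using the article's command; the FQDN must match the SAN exactly:
#    net use * \\fs01.corp.example\c$ /p:n /transport:QUIC
```

Because the SAN check runs before the mapping is created, a certificate issued to an IP address or to a short hostname fails at step 1 and no mapping is left behind; clients that resolve the server by FQDN then see the same name in DNS, in the share path and in the certificate, which is what the article's FQDN-only advice is meant to guarantee.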