Apparently being blocked by Cisco firewall?

Tacosarabes asked a question...

My brother cannot access his RiseUp account from where he works. He can access other "encrypted" services just fine (like Google) but it appears that the company's firewall is specifically blocking RiseUp's servers/IPs.

This is the firewall that they use where he works:

http://www.cisco.com/c/en/us/support/security/asa-5512-x-adaptive-security-appliance/model.html

On that page it says that as of 2005 the 5500 series firewalls had deep packet inspection, or in this particular case it does protocol analysis:

http://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asa_new_features.html#ID-2996-000007e9

Scroll down to the section "Application Inspection Features" and you can see the subsection "Advanced HTTP Inspection Engine" which describes the deep inspection of packets sent using the HTTP protocol, and where it clearly states "In addition, this new HTTP inspection engine allows administrative control over instant messaging applications, peer-to-peer file sharing applications, and applications that attempt to tunnel over port 80 or any port used for HTTP transactions." You can also see how it allows protocol analysis of many other protocols, including FTP and SIP.

Furthermore, we have also noticed that it appears to somehow "block" any attempt to make an OTR handshake, even though it allows unencrypted chat over the same protocol and port, just fine... conspiracy against "questionable" encryption? against RiseUp specifically? against OTR specifically?

Can anyone please provide your opinion as to what is going on here??

Thanks in advance for any response of value!

Roadrunner replied...

Hi,

We don't know if this is an "adaptive" thing or if Cisco has us on some sort of block list.

He could possibly try using one of the Riseup VPNs to tunnel the traffic past the DPI, but they might be blocking that too.

Good luck! Let us know if you find anything else out about the issue.
