Subscribe Now

* You will receive the latest news and updates on the Canadian IT marketplace.

Trending News

Blog Post

Circle: Good instead of evil
SECURITY SHELF

Circle: Good instead of evil 

There are several ways to filter Internet access. Most firewalls providing filtering based on IP address and port combinations. However, when it comes to HTTP and HTTPS, it is increasingly difficult for firewalls to make intelligent decisions unless they are advanced enough to also monitor DNS queries and dynamically adapt rules.

As a result, most corporations with filtering requirements use an HTTP proxy. Instead of connecting directly to the destination server, browsers (and other HTTP clients) request the resource from the proxy, which in turn forwards the request to the destination. This enables filtering, but creates a security vs. privacy dilemma. Filtering may improve security, but HTTPS interception may lead to the exposure of confidential business and personal information.

Another approach is to implement filtering at the DNS layer. OpenDNS, recently acquired by Cisco, provides this service. Customers send all of their DNS queries to OpenDNS, which applies customer-selected filters. This allows most businesses and consumers to implement basic anti-malware, anti-phishing, and web content filtering for all devices. However, it does not enable applying filters on a per-user basis.

Products marketed to parents usually involve installing software on individual devices. This worked well for the “family computer,” but today children and teens have PCs, phones, tablets, game consoles, smart TVs, and a variety of other wifi-capable devices. Installing software on many of them is not possible, and ISP-supplied modem-router combinations complicate deploying proxies and firewalls in the residential space.

Circle’s claim to fame is that it just needs to be connected to the network by WiFi or Ethernet. According to the company, some router compatibility issues exist, and consumers occasionally need to make minor configuration changes.

I will admit being highly skeptical. Apparently I was not the only one. Circle’s initial funding attempt on KickStarter failed, but to many people’s surprise Disney came to the rescue. Despite the Circle with Disney branding, there is nothing “Mickey Mouse” about this product.

Circle uses ARP spoofing to convince every device on the network to send packets to it instead of to the default router. That enables the product to intercept all outbound Internet traffic; inbound traffic is unaffected. Speed tests on a fast Internet service that usually measures approximately 850Mbps down and 50Mbps up indicated no noticeable performance impact. The product also performed as advertised in an environment with multiple wireless access points configured with the same SSID.

From a consumer’s perspective, Circle provides unprecedented ease of installation. An iOS or Android device is required to configure and administer the device on an ongoing basis. Once installed, Circle displays a list of all devices on the network, including the MAC address and manufacturer. Where available, the name of the device is also displayed.

By default, each newly discovered device is assigned to “Home,” where it is subject to the default rules for the network. The device can also be assigned to “Unmanaged Devices,” in which case no filtering is applied. This is particularly useful for printers, NAS, or other devices that should be allowed unfettered access to the network. But the real power of Circle, especially for parents, is assigning devices to individual user profiles.

Circle allows the creation of individual user profiles, including an optional photo. Each profile includes sophisticated time limits and filter settings. At the least granular level, each user can be be given a cumulative Internet time limit across all their assigned devices. More granular time limits can be set for specific services, such as YouTube, and larger categories of applications such as online games. A daily bedtime, as well as a second “Off Time” period can be configured. The Internet can also be “paused” immediately from the administrator’s phone.

Filters are arranged in a hierarchical structure. To begin, one of five filter levels is selected: pre-kindergarten, kid, teen, adult, or none. Depending on the initial filter level selected, Circle displays a long list of platforms including services such as Amazon, FaceTime, Facebook, Netflix, Snapchat, and YouTube. Each platform can be set to “allowed”, “not allowed”, or “unmanaged.” Next, the application lists broad categories. Custom filters can be specified on a per-domain or IP address basis.

Reporting capabilities rival those provided by many commercial firewalls and web proxies. In addition a viewing a list of visited sites that can be instantly managed to add a custom filter, Circle tracks the time spent on various platforms and categories and displays them on a daily, weekly, or monthly basis.

Have a security question you’d like answered in a future column? Eric would love to hear from you.

Related posts