Shorewall 4.5.8 Beta 1 is now available for testing.

----------------------------------------------------------------------------
I.  P R O B L E M S   C O R R E C T E D   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------

1)  This release includes the defect repair from Shorewall 4.5.7.1.

2)  The restriction that TTL and HL rules could only be placed in the
    FORWARD chain prevented these rules from being used to hide a
    router from traceroute[6]. It is now allowed to place these rules
    in the PREROUTING chain by following the specification with ':P'
    (e.g., 'TTL(+1):P').

3)  Previously, the macro.SNMP macro opened both UDP ports 161 and 162
    from SOURCE to DEST. This is against the usual practice of opening
    these ports in the opposite direction. Beginning with this release,
    port 162 is opened from SOURCE to DEST as before, while port 161 is
    opened from DEST to SOURCE.

4)  Previously, when compiling for export, both
    /etc/shorewall/shorewall[6].conf and the shorewall[6].conf in the
    configuration directory were processed. Now, only the copy in the
    configuration directory is processed.

5)  Previously, when ADMINISABSENTMINDED=No in shorewall[6].conf, both
    INPUT and OUTPUT rules were generated from entries in
    /etc/shorewall[6]/routestopped that specified the 'source' option.
    Now only the INPUT rule is generated.

6)  The 'iptables_raw' module has been added to the modules.essential
    file.

7)  Previously, when SAVE_IPSETS=No in shorewall[6].conf, using an
    ipset name in the HOSTS column of /etc/shorewall[6]/routestopped
    generated this error:

        ERROR: An ipset name (+test) is not allowed in this context

    The error is no longer generated and the correct rule matching the
    ipset is generated.

8)  Several corrections have been made to the Fedora/Redhat init script
    for Shorewall-init.

9)  The <directory> parameter to the 'try' command is now documented in
    the shorewall(8) and shorewall6(8) manpages.

10) Some redundant interface-option rules have been removed in
    configurations with multiple zones configured on a single
    interface.

11) Previously, when compiling for export, the compilation would fail
    if the setting of SHAREDIR in the firewall's shorewallrc was
    different from the setting on the admin system. Such compilations
    now succeed.

----------------------------------------------------------------------------
I I.  K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------

1)  On systems running Upstart, shorewall-init cannot reliably secure
    the firewall before interfaces are brought up.

----------------------------------------------------------------------------
I I I.  N E W   F E A T U R E S   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------

1)  This release attempts to alleviate the confusion that results
    from different usage of the VARDIR name.

    Beginning with Shorewall 4.5.2, 'VARDIR' became a variable in the
    shorewallrc file with the default value '/var/lib'. This was at
    odds with the usage of VARDIR in /etc/$product/vardir, where the
    variable VARDIR holds the state directory for a particular product
    (e.g., /var/lib/shorewall).

    To eliminate this issue going forward, a VARLIB variable has been
    added to shorewallrc to assume the role previously filled by VARDIR
    while VARDIR now defaults to '${VARDIR}/${PRODUCT}'.

    When a pre-4.5.8 shorewallrc file is present, VARLIB is set to
    ${VARDIR} and VARDIR is set to ${VARLIB}/${PRODUCT}. If VARLIB is
    set in the shorewallrc file and VARDIR is not, then VARDIR also
    defaults to ${VARDIR}/${PRODUCT}.

2)  A new 'stoppedrules' file has been added and the 'routestopped' file
    is now deprecated. See stoppedrules(5) for details.

3)  When the -e option is specified, the current working directory is
    now included in the CONFIG_PATH.

Thank you for testing,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

> 3) When the -e option is specified, the current working directory is
>    now included in the CONFIG_PATH.
>
I take it this is across the board (all shorewall products). In other words, when I execute "$product <whatever_$product_operation_is_chosen> -e" this looks in the current directory, correct?

On 9/3/12 12:53 PM, Mr Dash Four wrote:
>
>> 3) When the -e option is specified, the current working directory is
>>    now included in the CONFIG_PATH.
>>
> I take it this is across the board (all shorewall products). In other
> words, when I execute "$product <whatever_$product_operation_is_chosen>
> -e" this looks in the current directory, correct?

This refers specifically to the shorewall and shorewall6 compile and
check commands. I'll make that clearer in the next revision.

-Tom

> 1) This release attempts to alleviate the confusion that results
>    from different usage of the VARDIR name.

Whenever ${VARLIB} is referenced, there appears to be an extra slash coming from somewhere, i.e. /var/lib//firewall (see below for details).

> 2) A new 'stoppedrules' file has been added and the 'routestopped' file
>    is now deprecated. See stoppedrules(5) for details.

1. Stock-supplied "stoppedrules" should be changed:

Compiling /etc/shorewall/stoppedrules...
   ERROR: Invalid TARGET (FORMAT) /etc/shorewall/stoppedrules (line 12)

This was executed as soon as shorewall was installed.

2. Either man page not appropriate or the stock-supplied stoppedrules format is wrong (I am assuming the man page is correct, so sticking to this format). Despite that:

###############################################################################
#TARGET   SOURCE                        DEST               PROTO   DEST      SOURCE
#                                                                  PORT(S)   PORT(S)
ACCEPT    $FW:+mickey-mouse-port[dst]   +mickey-mouse-net  tcp

Produces nothing! Also, ipsets - is it supported (I am assuming that it is)? So:

[root@test1 shorewall]# shorewall compile
Compiling...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Compiling /etc/shorewall/zones...
Compiling /etc/shorewall/interfaces...
Determining Hosts in Zones...
Locating Action Files...
Compiling /usr/share/shorewall/action.Drop for chain Drop...
Compiling /usr/share/shorewall/action.Reject for chain Reject...
Compiling /etc/shorewall/policy...
Running /etc/shorewall/initdone...
Adding Anti-smurf Rules
Compiling TCP Flags filtering...
Compiling ARP Filtering...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling /etc/shorewall/tcdevices...
Compiling /etc/shorewall/tcclasses...
Compiling /etc/shorewall/tcfilters...
Compiling /etc/shorewall/tcrules...
Compiling /etc/shorewall/secmarks...
Compiling MAC Filtration -- Phase 1...
Compiling /etc/shorewall/blrules...
Compiling /etc/shorewall/rules...
Compiling /etc/shorewall/conntrack...
Compiling MAC Filtration -- Phase 2...
Applying Policies...
Generating Rule Matrix...
Optimizing Ruleset...
Creating iptables-restore input...
Compiling /etc/shorewall/stoppedrules...
Shorewall configuration compiled to /var/lib//firewall

But, in the produced "/var/lib//firewall" (shouldn't that be /var/lib/shorewall/firewall?) there aren't any references to the above rule! Indeed when I execute shorewall stop, and then iptables -L -vn, nothing is there!

> 3) When the -e option is specified, the current working directory is
>    now included in the CONFIG_PATH.

[me@test1 dmz]$ shorewall compile -T -p -e
Compiling...
Processing /home/me/shorewall/dmz/params ...
Processing /home/me/shorewall/dmz/shorewall.conf...
   WARNING: Your capabilities file is out of date -- it does not contain all of the capabilities defined by Shorewall version 4.5.8-Beta1 at /usr/share/perl5/Shorewall/Config.pm line 4015
    Shorewall::Config::read_capabilities() called at /usr/share/perl5/Shorewall/Config.pm line 4079
    Shorewall::Config::get_capabilities(1) called at /usr/share/perl5/Shorewall/Config.pm line 4319
    Shorewall::Config::get_configuration(1, 0, 0) called at /usr/share/perl5/Shorewall/Compiler.pm line 624
    Shorewall::Compiler::compiler('script', '/var/lib//firewall', 'directory', ., 'verbosity', 1, 'timestamp', 0, 'debug', ...) called at /usr/libexec/shorewall/compiler.pl line 134
   ERROR: Directory /var/lib// is not writable at /usr/share/perl5/Shorewall/Config.pm line 1133
    Shorewall::Config::fatal_error('Directory /var/lib// is not writable') called at /usr/share/perl5/Shorewall/Config.pm line 1517
    Shorewall::Config::create_temp_script('/var/lib//firewall', 1) called at /usr/share/perl5/Shorewall/Compiler.pm line 630
    Shorewall::Compiler::compiler('script', '/var/lib//firewall', 'directory', ., 'verbosity', 1, 'timestamp', 0, 'debug', ...) called at /usr/libexec/shorewall/compiler.pl line 134

> But, in the produced "/var/lib//firewall" (shouldn't that be /var/lib/shorewall/firewall?) there aren't any references to the above rule! Indeed when I execute shorewall stop, and then iptables -L -vn, nothing is there!

Further findings:

1. The (new) firewall file is definitely in /var/lib instead of /var/lib/shorewall, though the new file is executed when shorewall starts. Comparing the old firewall file (which is still in /var/lib/shorewall) with the new one, I am seeing this:

@@ -2435,7 +2448,7 @@ g_basedir=/usr/share/shorewall CONFIG_PATH="/etc/shorewall:/usr/share/shorewall" [ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir - [ -n "${VARDIR:=/var/lib/shorewall}" ] + [ -n "${VARDIR:=/var/lib/shorewall/shorewall}" ]

I am not sure that's right!

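Review bot: the default on the + line, ${VARDIR:=/var/lib/shorewall/shorewall}, carries the product name twice, whereas the - line and the CONFIG_PATH context line each use a single shorewall component. If the generated script is meant to keep its state where it did before, the default should remain /var/lib/shorewall. Because the preceding context line sources ${g_confdir}/vardir when that file exists, and := only assigns when VARDIR is unset or empty, a VARDIR set in that file would override this default, so the doubled path takes effect only on systems that have no such setting.
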
>> But, in the produced "/var/lib//firewall" (shouldn't that be /var/lib/shorewall/firewall?) there aren't any references to the above rule! Indeed when I execute shorewall stop, and then iptables -L -vn, nothing is there!
> Further findings:
>
> 1. The (new) firewall file is definitely in /var/lib instead of /var/lib/shorewall, though the new file is executed when shorewall starts. Comparing the old firewall file (which is still in /var/lib/shorewall) with the new one, I am seeing this:
>
> @@ -2435,7 +2448,7 @@ > g_basedir=/usr/share/shorewall > CONFIG_PATH="/etc/shorewall:/usr/share/shorewall" > [ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir > - [ -n "${VARDIR:=/var/lib/shorewall}" ] > + [ -n "${VARDIR:=/var/lib/shorewall/shorewall}" ]
>
> I am not sure that's right!

OK, some good news. It seems that when I execute "shorewall compile -T -p -e firewall" (i.e. compilation for a remote system while specifying the name of the destination file - "firewall" in this case) it is all flawless! I can see both the paths I specified in the (remote version of) shorewall.conf, as well as stoppedrules - they are all taken care of, though when both routestopped and stoppedrules are present, shorewall takes into account both files.

I could also see that ipsets are supported in stoppedrules, so that's also good.

On 9/3/12 3:20 PM, Mr Dash Four wrote:
>> 1) This release attempts to alleviate the confusion that results
>>    from different usage of the VARDIR name.
> Whenever ${VARLIB} is referenced, there appears to be an extra slash coming from somewhere, i.e. /var/lib//firewall (see below for details).
>
>> 2) A new 'stoppedrules' file has been added and the 'routestopped' file
>>    is now deprecated. See stoppedrules(5) for details.
>
> 1. Stock-supplied "stoppedrules" should be changed:
> Compiling /etc/shorewall/stoppedrules...
>    ERROR: Invalid TARGET (FORMAT) /etc/shorewall/stoppedrules (line 12)
>
> This was executed as soon as shorewall was installed.

Remove the FORMAT line.

>
> 2. Either man page not appropriate or the stock-supplied stoppedrules format is wrong (I am assuming the man page is correct, so sticking to this format). Despite that:
>
> ###############################################################################
> #TARGET   SOURCE                        DEST               PROTO   DEST      SOURCE
> #                                                                  PORT(S)   PORT(S)
> ACCEPT    $FW:+mickey-mouse-port[dst]   +mickey-mouse-net  tcp
>
> Produces nothing! Also, ipsets - is it supported (I am assuming that it is)? So:
>
> [root@test1 shorewall]# shorewall compile
> Compiling...
> Processing /etc/shorewall/params ...
> Processing /etc/shorewall/shorewall.conf...
> Loading Modules...
> Compiling /etc/shorewall/zones...
> Compiling /etc/shorewall/interfaces...
> Determining Hosts in Zones...
> Locating Action Files...
> Compiling /usr/share/shorewall/action.Drop for chain Drop...
> Compiling /usr/share/shorewall/action.Reject for chain Reject...
> Compiling /etc/shorewall/policy...
> Running /etc/shorewall/initdone...
> Adding Anti-smurf Rules
> Compiling TCP Flags filtering...
> Compiling ARP Filtering...
> Compiling Kernel Route Filtering...
> Compiling Martian Logging...
> Compiling /etc/shorewall/tcdevices...
> Compiling /etc/shorewall/tcclasses...
> Compiling /etc/shorewall/tcfilters...
> Compiling /etc/shorewall/tcrules...
> Compiling /etc/shorewall/secmarks...
> Compiling MAC Filtration -- Phase 1...
> Compiling /etc/shorewall/blrules...
> Compiling /etc/shorewall/rules...
> Compiling /etc/shorewall/conntrack...
> Compiling MAC Filtration -- Phase 2...
> Applying Policies...
> Generating Rule Matrix...
> Optimizing Ruleset...
> Creating iptables-restore input...
> Compiling /etc/shorewall/stoppedrules...
> Shorewall configuration compiled to /var/lib//firewall
>
> But, in the produced "/var/lib//firewall" (shouldn't that be /var/lib/shorewall/firewall?) there aren't any references to the above rule! Indeed when I execute shorewall stop, and then iptables -L -vn, nothing is there!
>
>> 3) When the -e option is specified, the current working directory is
>>    now included in the CONFIG_PATH.
> [me@test1 dmz]$ shorewall compile -T -p -e
> Compiling...
> Processing /home/me/shorewall/dmz/params ...
> Processing /home/me/shorewall/dmz/shorewall.conf...
>    WARNING: Your capabilities file is out of date -- it does not contain all of the capabilities defined by Shorewall version 4.5.8-Beta1 at /usr/share/perl5/Shorewall/Config.pm line 4015
>     Shorewall::Config::read_capabilities() called at /usr/share/perl5/Shorewall/Config.pm line 4079
>     Shorewall::Config::get_capabilities(1) called at /usr/share/perl5/Shorewall/Config.pm line 4319
>     Shorewall::Config::get_configuration(1, 0, 0) called at /usr/share/perl5/Shorewall/Compiler.pm line 624
>     Shorewall::Compiler::compiler('script', '/var/lib//firewall', 'directory', ., 'verbosity', 1, 'timestamp', 0, 'debug', ...) called at /usr/libexec/shorewall/compiler.pl line 134
>    ERROR: Directory /var/lib// is not writable at /usr/share/perl5/Shorewall/Config.pm line 1133
>     Shorewall::Config::fatal_error('Directory /var/lib// is not writable') called at /usr/share/perl5/Shorewall/Config.pm line 1517
>     Shorewall::Config::create_temp_script('/var/lib//firewall', 1) called at /usr/share/perl5/Shorewall/Compiler.pm line 630
>     Shorewall::Compiler::compiler('script', '/var/lib//firewall', 'directory', ., 'verbosity', 1, 'timestamp', 0, 'debug', ...) called at /usr/libexec/shorewall/compiler.pl line 134
>

I'm not seeing this issue. How did you install? Can I see the shorewallrc file you used to install?

Thanks,
-Tom

> Remove the FORMAT line.

So I did.

>>> 3) When the -e option is specified, the current working directory is
>>>    now included in the CONFIG_PATH.
>> [me@test1 dmz]$ shorewall compile -T -p -e
>> Compiling...
>> Processing /home/me/shorewall/dmz/params ...
>> Processing /home/me/shorewall/dmz/shorewall.conf...
>>    WARNING: Your capabilities file is out of date -- it does not contain all of the capabilities defined by Shorewall version 4.5.8-Beta1 at /usr/share/perl5/Shorewall/Config.pm line 4015
>>     Shorewall::Config::read_capabilities() called at /usr/share/perl5/Shorewall/Config.pm line 4079
>>     Shorewall::Config::get_capabilities(1) called at /usr/share/perl5/Shorewall/Config.pm line 4319
>>     Shorewall::Config::get_configuration(1, 0, 0) called at /usr/share/perl5/Shorewall/Compiler.pm line 624
>>     Shorewall::Compiler::compiler('script', '/var/lib//firewall', 'directory', ., 'verbosity', 1, 'timestamp', 0, 'debug', ...) called at /usr/libexec/shorewall/compiler.pl line 134
>>    ERROR: Directory /var/lib// is not writable at /usr/share/perl5/Shorewall/Config.pm line 1133
>>     Shorewall::Config::fatal_error('Directory /var/lib// is not writable') called at /usr/share/perl5/Shorewall/Config.pm line 1517
>>     Shorewall::Config::create_temp_script('/var/lib//firewall', 1) called at /usr/share/perl5/Shorewall/Compiler.pm line 630
>>     Shorewall::Compiler::compiler('script', '/var/lib//firewall', 'directory', ., 'verbosity', 1, 'timestamp', 0, 'debug', ...) called at /usr/libexec/shorewall/compiler.pl line 134
>>
>
> I'm not seeing this issue. How did you install? Can I see the
> shorewallrc file you used to install?

You mean how did I install shorewall? Compiled the sources with rpmbuild (Fedora's own build tool), though I had to grab the rest of the Beta1 archives, because shorewall.spec builds the whole lot. After doing that I just executed "rpm -Uvh shorewall-core-* shorewall-4.5.8-*".

As for my own shorewallrc file (I presume you are after the one for the remote system) - see attached.

On 9/3/12 5:06 PM, Mr Dash Four wrote:
>> Remove the FORMAT line.
> So I did.
>
>>>> 3) When the -e option is specified, the current working directory is
>>>>    now included in the CONFIG_PATH.
>>> [me@test1 dmz]$ shorewall compile -T -p -e
>>> Compiling...
>>> Processing /home/me/shorewall/dmz/params ...
>>> Processing /home/me/shorewall/dmz/shorewall.conf...
>>>    WARNING: Your capabilities file is out of date -- it does not contain all of the capabilities defined by Shorewall version 4.5.8-Beta1 at /usr/share/perl5/Shorewall/Config.pm line 4015
>>>     Shorewall::Config::read_capabilities() called at /usr/share/perl5/Shorewall/Config.pm line 4079
>>>     Shorewall::Config::get_capabilities(1) called at /usr/share/perl5/Shorewall/Config.pm line 4319
>>>     Shorewall::Config::get_configuration(1, 0, 0) called at /usr/share/perl5/Shorewall/Compiler.pm line 624
>>>     Shorewall::Compiler::compiler('script', '/var/lib//firewall', 'directory', ., 'verbosity', 1, 'timestamp', 0, 'debug', ...) called at /usr/libexec/shorewall/compiler.pl line 134
>>>    ERROR: Directory /var/lib// is not writable at /usr/share/perl5/Shorewall/Config.pm line 1133
>>>     Shorewall::Config::fatal_error('Directory /var/lib// is not writable') called at /usr/share/perl5/Shorewall/Config.pm line 1517
>>>     Shorewall::Config::create_temp_script('/var/lib//firewall', 1) called at /usr/share/perl5/Shorewall/Compiler.pm line 630
>>>     Shorewall::Compiler::compiler('script', '/var/lib//firewall', 'directory', ., 'verbosity', 1, 'timestamp', 0, 'debug', ...) called at /usr/libexec/shorewall/compiler.pl line 134
>>>
>>
>> I'm not seeing this issue. How did you install? Can I see the
>> shorewallrc file you used to install?
> You mean how did I install shorewall? Compiled the sources with rpmbuild (Fedora's own build tool), though I had to grab the rest of the Beta1 archives, because shorewall.spec builds the whole lot. After doing that I just executed "rpm -Uvh shorewall-core-* shorewall-4.5.8-*".
>

I suspect that the .spec file needs modification to compensate for the rearranged shorewallrc file. If you pass me a copy of shorewall.spec, I'll take a look.

> As for my own shorewallrc file (I presume you are after the one for the
> remote system) - see attached.

The attached patch corrects a mingling of the two shorewallrc file contents.

-Tom

On 09/03/2012 08:13 PM, Tom Eastep wrote:
>
> I suspect that the .spec file needs modification to compensate for the
> rearranged shorewallrc file. If you pass me a copy of shorewall.spec,
> I'll take a look.
>

Nevermind -- the SuSE RPM that I release has the same problem :-(

-Tom

On 09/04/2012 07:09 AM, Tom Eastep wrote:
> On 09/03/2012 08:13 PM, Tom Eastep wrote:
>
>>
>> I suspect that the .spec file needs modification to compensate for the
>> rearranged shorewallrc file. If you pass me a copy of shorewall.spec,
>> I'll take a look.
>>
>
> Nevermind -- the SuSE RPM that I release has the same problem :-(
>

I've determined the problem and I'm building the corrected code now. After some testing, I'll upload Beta 2.

-Tom
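
Added example, not part of the thread and not Shorewall's code: a small POSIX shell check that applies the VARLIB/VARDIR defaulting rules as worded in the announcement and flags the two path shapes reported above (an empty path component, as in /var/lib//firewall, and a repeated product name, as in /var/lib/shorewall/shorewall). The helper names and the sample shorewallrc values are hypothetical, and reading the VARLIB-only default as ${VARLIB}/${PRODUCT} is an assumption; the example does not establish how those paths actually arose in Beta 1.

```sh
#!/bin/sh
# Added illustration, not Shorewall code. resolve_state_dir, check_state_dir
# and report are hypothetical helper names.

# resolve_state_dir VARLIB VARDIR PRODUCT
# Arguments are the values found in shorewallrc; an empty string means the
# variable is not set there. Prints the per-product state directory (the new
# meaning of VARDIR) using the rules worded in the announcement.
resolve_state_dir() {
    varlib=$1
    vardir=$2
    product=$3
    if [ -z "$varlib" ] && [ -z "$vardir" ]; then
        return 1                      # nothing to resolve from
    elif [ -z "$varlib" ]; then
        # Pre-4.5.8 file: VARDIR is taken to be the parent directory.
        varlib=$vardir
        vardir=$varlib/$product
    elif [ -z "$vardir" ]; then
        # Only VARLIB set. Assumption: the default is read as
        # ${VARLIB}/${PRODUCT}.
        vardir=$varlib/$product
    fi
    printf '%s\n' "$vardir"
}

# check_state_dir DIR PRODUCT
# Prints a verdict and returns non-zero unless DIR is a clean path whose last
# component is PRODUCT.
check_state_dir() {
    dir=$1
    product=$2
    case $dir in
        *//*|*/) echo empty-component; return 1 ;;
    esac
    case $dir in
        */"$product"/"$product") echo product-repeated; return 1 ;;
        */"$product") echo ok; return 0 ;;
    esac
    echo unexpected
    return 1
}

# report VARLIB VARDIR PRODUCT: resolve, check, and print one summary line.
report() {
    state_dir=$(resolve_state_dir "$1" "$2" "$3") || state_dir=
    verdict=$(check_state_dir "$state_dir" "$3") || true
    printf 'VARLIB=%-8s VARDIR=%-18s PRODUCT=%-9s -> %s [%s]\n' \
        "${1:--}" "${2:--}" "${3:--}" "${state_dir:--}" "$verdict"
}

# Constructed shorewallrc values, not taken from any real installation.
report ''       /var/lib           shorewall   # pre-4.5.8 style file
report /var/lib ''                 shorewall   # 4.5.8 style file
report /var/lib ''                 ''          # PRODUCT missing
report ''       /var/lib/shorewall shorewall   # old VARDIR already per-product
```

Running the check against the values a package build passes in, before the compiled firewall script is installed, shows whether the script and its state will land where "shorewall stop" and the init scripts expect them.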