Transport Layer Risks and Prevention


**Transport Layer Attacks**

When configuring a firewall, system administrators should be aware of the various types of transport layer attacks. Attacks at the transport layer are mostly carried out through the TCP and UDP protocols. The most common types of transport layer attacks are as follows:


 *  **Port Scan Attack:** A port scan gathers information about a host, revealing which ports are open and which protocol each open port is listening for. Although it is not considered a direct attack that gains entry to a network, it is usually the first step an attacker takes.


 *  **TCP “SYN” Attack:** This form of attack is known as a “SYN” flood and is usually associated with a Denial of Service (DoS) attack. It is carried out by sending a huge quantity of SYN packets from fake (spoofed) IP addresses to a legitimate server. The end result (and goal) of a SYN flood is to make the target machine crash; this type of attack falls under the definition of connection resource exhaustion.


 *  **Man-In-The-Middle Attack:** This attack is carried out by monitoring the transport layer traffic between a server and a client. Once in a position to observe the traffic, an attacker can capture the packets sent back and forth and use them to impersonate the server or the client while authentication is taking place.


**Transport Layer Defense**

All of the attacks carried out at the transport layer can be countered in a variety of ways. This section explains how to defend against transport layer attacks using iptables on the Linux operating system.


 *  **Port Scan Defense:** To protect against port scan attacks, the Tart European Division has deployed a tool called psad to detect intruders running port scanning tools such as nmap against the Tart network. psad watches the traffic that the iptables chains on the Linux firewall machine log. If an intruder runs a port scan against any port that the Linux firewall's iptables rules do not permit, the intruder's IP address is logged together with the host that received the port scan and the ports that were scanned.
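The following script is an added example and is not psad's code or a script from the Tart network: it applies the simplest detection heuristic psad relies on, counting how many distinct destination ports a single source probes on one host, to a handful of constructed iptables LOG-target lines. The addresses (203.0.113.7, 198.51.100.4, 192.0.2.10) are documentation ranges and the threshold of 5 ports is an assumed value.

```shell
#!/bin/sh
# Added example, not psad's own code: report sources that probe many distinct
# destination ports, the footprint a port scan leaves in iptables LOG output.
# SAMPLE_LOG holds constructed log lines in LOG-target format (only the
# SRC=, DST= and DPT= fields are parsed); the addresses are documentation ranges.

SAMPLE_LOG='Mar  1 10:00:01 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21 SYN
Mar  1 10:00:01 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22 SYN
Mar  1 10:00:01 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=22 SYN
Mar  1 10:00:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=23 SYN
Mar  1 10:00:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=25 SYN
Mar  1 10:00:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=80 SYN
Mar  1 10:00:03 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40007 DPT=443 SYN
Mar  1 10:00:03 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=UDP SPT=51000 DPT=53
Mar  1 10:00:04 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=8080 SYN'

# count_distinct_ports: read log lines on stdin, print one
# "SRC DST distinct-port-count" line per source/destination pair, sorted.
# Repeated probes of the same port (DPT=22 above) are counted once.
count_distinct_ports() {
  awk '
  {
    src = ""; dst = ""; dpt = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^SRC=/) src = substr($i, 5)
      else if ($i ~ /^DST=/) dst = substr($i, 5)
      else if ($i ~ /^DPT=/) dpt = substr($i, 5)
    }
    if (src != "" && dst != "" && dpt != "") seen[src " " dst " " dpt] = 1
  }
  END {
    for (k in seen) { split(k, p, " "); n[p[1] " " p[2]]++ }
    for (k in n) print k, n[k]
  }' | sort
}

# detect_scans THRESHOLD: read log lines on stdin and print only the pairs
# whose distinct-port count reaches the threshold (the scan candidates).
detect_scans() {
  count_distinct_ports | awk -v t="$1" '$3 >= t'
}

# demo: run the detector over the constructed sample with a threshold of 5.
demo() {
  printf '%s\n' "$SAMPLE_LOG" | detect_scans 5
}

demo
```

On the sample, only 203.0.113.7 is reported (six distinct ports on 192.0.2.10); the two hits from 198.51.100.4 stay below the threshold. A real deployment would also bound the count by a time window and keep a whitelist for scanners the division runs itself, otherwise routine vulnerability scans raise the same alert.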


 *  **Man in the Middle Attacks:** Defending against man-in-the-middle attacks is achieved by operating a trusted certificate authority (CA). This is done by using OpenSSL to generate a self-signed CA certificate and, from it, a certificate each for the server and the client. Once distributed, clients authenticate to the server with their designated certificate and are verified through their public and private keys. The Tart European Division has implemented a self-signed CA through OpenSSL for VPN users.
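As an added example (not the division's own PKI scripts), the following shell functions build exactly that arrangement with the OpenSSL command line: a self-signed CA, a server and a client certificate issued by it, and a check that an impostor certificate carrying the same name but not signed by the CA is rejected. The names tart-ca, server and client1 are placeholders, and the output directory is chosen by the caller.

```shell
#!/bin/sh
# Added example, not the Tart European Division's scripts: a self-signed CA
# that issues server and client certificates, plus verification against it.
# Subject names are placeholders; keys are generated without a passphrase
# (-nodes) so the example runs unattended.

# build_pki DIR: create ca.key/ca.crt, then server and client1 key/cert pairs
# signed by the CA, all under DIR.
build_pki() {
  dir="$1"
  mkdir -p "$dir"
  # 1. Self-signed CA: key and certificate in one step (-x509).
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" \
    -subj "/CN=tart-ca" 2>/dev/null
  # 2. Server and client: key plus signing request, then the CA signs it.
  for name in server client1; do
    openssl req -newkey rsa:2048 -nodes \
      -keyout "$dir/$name.key" -out "$dir/$name.csr" \
      -subj "/CN=$name" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" \
      -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
      -days 365 -out "$dir/$name.crt" 2>/dev/null
  done
}

# make_rogue_cert DIR: a self-signed certificate that copies the server's
# name but was never issued by the CA, the kind an impersonator would present.
make_rogue_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$1/rogue.key" -out "$1/rogue.crt" \
    -subj "/CN=server" 2>/dev/null
}

# verify_cert DIR CERT: print "ok" if CERT chains to DIR/ca.crt, else "fail".
# This is the check a VPN endpoint performs on the certificate it receives.
verify_cert() {
  if openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}
```

The point of the last function is the defence the paragraph describes: the server and client1 certificates verify because the CA's private key signed them, while the rogue certificate, despite its matching name, does not, so a client trusting only ca.crt will not complete authentication with it. In a real deployment ca.key stays offline and only ca.crt is distributed to VPN users.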


 *  **SYN Flood Attacks:** These attacks use the TCP protocol exclusively, and this form of attack is also known as a denial of service (DoS) attack. The Tart European Division's network addresses this issue with the following iptables rule:

iptables -I FORWARD 1 -p tcp --syn -m limit --limit 1/s -j ACCEPT

The above rule limits the rate of SYN packets it accepts to one per second, which makes denial of service attacks a lot harder to perform.