What are the 7 layers of the OSI model?
The OSI (Open System Interconnection) model is a conceptual framework that describes how networking systems function. The OSI model uses seven different layers to visualize the operation of a networking system.
There are many possible cybersecurity and IT use cases for the OSI model. For example, webmasters and network operators use it to troubleshoot networks and pinpoint problems. Software developers use it to identify which layers a software program needs to work on and/or with.
This post covers all you need to know about the OSI model and its seven layers.
What is the OSI model?
OSI stands for “Open System Interconnection”, a model created by the well-known ISO (International Organization for Standardization) to standardize and visualize how computing and telecommunication systems communicate with each other. The universal, standardized language established in the OSI model allows us to divide all computer and networking systems into seven basic layers with seven different functions.
Brief History of the OSI Model
Although it wasn’t yet widely available for home consumers, networking technology took off during the early and mid-1970s.
Back then, networking technology was either owned by large companies, like IBM and DECNet, or government sponsored, like ARPANET in the US. All the different technologies were not yet standardized, so communication between different platforms was simply impossible.
To tackle the issue, the ISO started an initiative to develop a standardized method for networking in 1977. At the same time, the French organization CCITT (Comité Consultatif International Téléphonique et Télégraphique, which translates into “International Telegraph and Telephone Consultative Committee”) also started a similar process. Both parties actually developed similar networking models. ISO published a document defining the OSI model in its raw form in February 1978, and CCITT published another document with a refined version of the OSI model in 1980.
In 1983, the two documents were merged, creating the OSI Reference Model, or just OSI model, officially published in 1984 as standard ISO 7498, as well as standard X.200 by CCITT (which has now been renamed to “ITU-T”, the Telecommunications Standardization Sector of the International Telecommunication Union).
The now-famous seven-layer OSI model was the work of Charles Bachman from Honeywell, and is still available and relevant today, almost 40 years after its conception.
7 Layers of the OSI Model: Overview
- Layer 7 (Application Layer): Closest to the end-users, this layer interacts directly with the software application, which in turn interacts with the end-users.
- Layer 6 (Presentation Layer): Manages the presentation of data to end-users, also where data encryption occurs.
- Layer 5 (Session Layer): Maintains sessions (connections), responsible for managing dialogues between computers.
- Layer 4 (Transport Layer): Facilitates transportation of data (with varying length, type, and size) with transmission protocols.
- Layer 3 (Network Layer): Facilitates transportation of packets from one network to another.
- Layer 2 (Data Link Layer): Acts as a link between two directly connected networks (or nodes).
- Layer 1 (Physical Layer): Facilitates the sending and receiving of unstructured raw data between a physical device and a physical transmission medium (e.g. a cable).
Each layer of the OSI model has a very different role from the other layers, and one layer can only directly connect with the layers below and above it. Due to the distinct characteristics between different layers, the OSI model is very useful for narrowing down and pinpointing network issues and isolating the cause of a problem.
The main principle of the OSI model is about passing control and information from one layer to the next, starting from the top (7th) application layer proceeding to the bottom (1st) physical layer. Once control and information reach the bottom layer, the information makes its way to the physical layer of the destination, and then is transferred layer by layer until it reaches the top, application layer of the destination.
When we send an email, for example, the email starts at the application layer of the source, and then makes its way down until it reaches the physical layer. Then, it gets transferred across until it is received by the destination physical layer, and then it transfers up the stack to the destination’s application layer.
3 Golden Rules of the OSI Model
- Each OSI layer can only communicate with the layer directly below and above it. There’s no lower layer for the physical layer, and there’s no upper layer for the application layer.
- Each layer is independent and can be developed independently to allow the development in one layer to progress without being delayed by other layers.
- When data is moving from the upper layer to the lower layer, each layer will add its header (basically, a bundle of information) on top of the actual data in a process known as encapsulation. On the other hand, when data is moving from the lower layer to the upper layer, each layer will unpack the headers and use the information to obtain the actual data in a process known as decapsulation.
Below, we explore how each of the seven layers relates to cybersecurity for your business and customers.
Cybersecurity Risks at Each Layer
The OSI model is useful in cybersecurity, especially for pinpointing incoming attacks and vulnerabilities. Due to the independence of each layer, different OSI layers have their own unique vulnerabilities. When an attack occurs, we can use our understanding of the seven layers to quickly identify the type of attack and the best solution to block it.
In a cybersecurity context, the seven layers of the OSI model are typically divided into two different groups:
- Media Layers: The first three layers (from the bottom).
- Host Layers: The top four layers.
Media Layer: Risks, Vulnerabilities, & Security Best Practices
- Physical Layer (Layer 1)
The first layer of the OSI model is typically used to evaluate the technical qualifications of the incoming data transmission. Technically, the physical layer can only be directly attacked when the attacker has physical access to the hardware. However, during an attack on the upper layers, cutting power from your physical devices (e.g. unplugging the cable) is often a recommended security measure. Protection of the physical layer mainly involves preventing physical access through monitoring (e.g. camera surveillance) and by adding keycards, passwords, biometric-based security, and/or other security protocols.
- Data Link Layer (Layer 2)
Layer 2 handles data packets from the physical layer. Common vulnerabilities here are VLAN hopping and MAC address spoofing. Common security methods to protect layer 2 include proper data encryption standards, MAC address filtering, and protection of wireless applications.
- Network Layer (Layer 3)
The main function of the network layer is handling the addressing and routing of packets. Thus, the main vulnerability is IP address spoofing, tricking the layer into thinking it has received a packet from an authenticated IP address when, in fact, the packet came from a malicious source. Properly implemented firewalls, anti-spoofing measures, routing filters, and secure routing protocols are needed to protect layer 3.
Host Layer: Risks, Vulnerabilities, & Security Best Practices
- Transport Layer (Layer 4)
Facilitating the transportation of data sequences with variable lengths, the transport layer is also responsible for the error checking of data packets. Therefore, despite being a host layer, layer 4 is still prone to some of the threats common to the media layers. It is especially vulnerable to SYN floods and smurf attacks, which are two subtypes of distributed denial of service (DDoS) attacks. Layer 4 benefits from the implementation of adequate firewalls, assessment of transmission protocols, and ensuring the use of appropriate port numbers.
- Session Layer (Layer 5)
The session layer is responsible for handling interactions between applications (both local and remote), and is especially vulnerable to session hijacking attacks including brute force attempts, as well as threats such as XSS (cross-site scripting) and cookie theft, among others. To protect layer 5, it’s crucial to enforce the use of encryption protocols, especially HTTPS.
- Presentation Layer (Layer 6)
The presentation layer’s main function is to standardize incoming data with various conversion schemes to ensure the data is presentable to the end-user. Encryption also happens on this layer. Thus, attackers often look for potential encryption flaws to attack layer 6 via network interception attacks or other forms of SSL hijacking. To reduce this risk, proper input validation and sanitization of inputs are often employed.
- Application Layer (Layer 7)
Layer 7 is the highest layer of the OSI model and the closest to the end-user; all kinds of services, like web browsers, email, and more, run on it. While applications themselves may not be part of this layer, the services they offer always are. That’s why layer 7 is the most vulnerable when it comes to cybersecurity.
All types of malware—viruses, keyloggers, Trojans, and so on—target the application layer. Many IT security and cybersecurity experts focus on preventing and mitigating the impacts of cybersecurity attacks on layer 7.
7 Layers of the OSI Model & Cybersecurity: In-Depth Discussion
Layer 1: Physical Layer
The OSI layer 1, physical layer, is the bottom layer in the OSI model, and as the name suggests, covers the physical components of the network or computing system: cables, routers, endpoints, etc.
The physical layer defines the physical properties of the computing or network system (e.g. cable types needed, types of interface pins, voltage levels, etc.). However, Wi-Fi is also considered a physical component of the network, which is often overlooked.
Potential Vulnerabilities of the Physical Layer
Most cybersecurity risks associated with the physical layer are caused by some type of physical action: cutting cables, disrupting a power source, stealing data by physically inserting a USB drive, and so on. Even the smallest of physical components, when compromised, can bring down the entire computing system.
Protecting the Physical Layer
While protecting your physical assets might seem obvious, don’t underestimate the importance of cybersecurity best practices. It is crucial to consider contingency planning to protect your network’s physical assets at all times.
Layer 2: Data Link Layer
The data link layer of the OSI model essentially receives and transmits packets of information from and to the physical network devices. It manages how much data should be allowed to be transferred to the next layer and assesses possible errors in data transmission.
Layer 2 can also be divided into two sub-layers:
- Logical Link Control (LLC)
- Media Access Control (MAC)
The MAC sublayer (the MAC address) provides a unique identity for a device, while the LLC sublayer acts as an interface between the device and the network layer (the layer above the data link layer in the OSI model).
Potential Vulnerabilities of the Data Link Layer
The layer is designed to be simple and practical (and not originally designed with security in mind), which is why there are various vulnerabilities and potential threats.
All transmissions that happen in the data link layer include a frame, which is a protocol data unit essential to encapsulation and decapsulation of data. Each frame has a header, body, and trailer. If an attacker can access and edit the frame in any way, the transmitted data is essentially compromised.
MAC address spoofing/flooding, VLAN hopping (VLAN circumvention), and address resolution protocol poisoning are common cybersecurity threats targeting the data link layer.
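To make the encapsulation rule and the header/body/trailer frame described above concrete, here is an added example (not code from the original article) that walks a payload down and back up a simplified stack. The header layouts are reduced stand-ins for the real TCP, IP, and Ethernet formats, and every address and function name is constructed for illustration.

```python
import struct
import zlib

def mac(text):
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    return bytes(int(part, 16) for part in text.split(":"))

def ipv4(text):
    """Convert dotted-quad text to 4 raw bytes."""
    return bytes(int(part) for part in text.split("."))

def encapsulate(payload, src_port, dst_port, src_ip, dst_ip, src_mac, dst_mac):
    """Walk down the stack: each layer prepends its own (simplified) header."""
    segment = struct.pack("!HH", src_port, dst_port) + payload        # layer 4
    packet = ipv4(src_ip) + ipv4(dst_ip) + segment                    # layer 3
    header = mac(dst_mac) + mac(src_mac) + struct.pack("!H", 0x0800)  # layer 2
    body = header + packet
    trailer = struct.pack("!I", zlib.crc32(body))                     # frame check
    return body + trailer

def decapsulate(frame):
    """Walk up the stack: verify the trailer, then strip one header per layer."""
    body, trailer = frame[:-4], frame[-4:]
    if struct.unpack("!I", trailer)[0] != zlib.crc32(body):
        raise ValueError("frame check failed: frame was altered or corrupted")
    packet = body[14:]                      # drop the 14-byte layer 2 header
    src_ip = ".".join(str(b) for b in packet[0:4])
    dst_ip = ".".join(str(b) for b in packet[4:8])
    segment = packet[8:]                    # drop the 8-byte layer 3 header
    src_port, dst_port = struct.unpack("!HH", segment[:4])
    return {"src_ip": src_ip, "dst_ip": dst_ip, "src_port": src_port,
            "dst_port": dst_port, "payload": segment[4:]}

def rewrite_payload(frame, new_payload):
    """Model an edited frame: swap the payload and recompute the trailer."""
    body = frame[:14 + 8 + 4] + new_payload
    return body + struct.pack("!I", zlib.crc32(body))

def demo():
    # Constructed sample values (documentation address ranges, made-up MACs).
    frame = encapsulate(b"amount=10", 49152, 443, "192.0.2.10", "198.51.100.7",
                        "02:00:00:00:00:01", "02:00:00:00:00:02")
    clean = decapsulate(frame)["payload"]
    # Accidental damage: one flipped bit in the body is caught by the trailer.
    damaged = bytearray(frame)
    damaged[30] ^= 0x01
    try:
        decapsulate(bytes(damaged))
        corruption_detected = False
    except ValueError:
        corruption_detected = True
    # An edit with a recomputed checksum still passes: the trailer detects noise,
    # not tampering, which is why layer 2 needs keyed cryptographic protection.
    forged = decapsulate(rewrite_payload(frame, b"amount=99"))["payload"]
    return clean, corruption_detected, forged

if __name__ == "__main__":
    print(demo())
```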
Protecting the Data Link Layer
The primary method of protecting the data link layer from incoming threats is to limit access as much as possible. There are several effective ways to limit access:
- Encrypting data passing through the data link layer.
- Ensuring appropriate VLAN implementation and configuration to reduce risks of VLAN hopping.
- MAC address filtering to prevent MAC address spoofing and flooding.
- Disabling ports to deny access whenever possible.
Layer 3: Network Layer
The network layer routes and reroutes data through various physical networks, facilitating data transmission to its destinations.
In practice, routers make decisions on where to route the data based on information provided by layer 3. Once data is received, the IP (Internet Protocol) address is added to the device by the network layer, which tells the data packet where it should go. The network layer uses protocols to manage the traffic, such as IPv6 and IPv4, and there are various protocols available.
Potential Vulnerabilities of the Network Layer
There are three main ways cybercriminals can attack the network layer:
- Overloading the network, especially via volumetric DDoS attacks. Ping flood is a common type of DDoS attack targeting the network layer, where the attacker sends an ICMP (Internet Control Message Protocol) ping repeatedly to overload the entire network.
- IP spoofing, altering the source IP to fool the layer.
- IP sniffing, using packet analysis to learn about a user and scan for other potential vulnerabilities. When attackers find an unsecured connection, they can steal valuable data via IP sniffing.
Protecting the Network Layer
Implementing strong enough firewalls is critical in protecting the network layer from potential attacks. Other techniques include:
- Packet Filtering: Only allowing specific incoming packets to enter the network layer based on IP addresses, protocols, and other criteria (aka “allow-listing”).
- Anti-Spoofing: An umbrella term for various techniques used to identify and block data packets that have a false (spoofed) IP address.
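The two techniques above can be combined in one decision function. The following is an added example, not code from the original article; the internal range, the allow rules, and the sample packets are all assumptions constructed for illustration.

```python
import ipaddress

# Assumed site layout and policy, constructed for this example.
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]
# Source ranges that can never legitimately arrive on the internet-facing side.
NEVER_FROM_OUTSIDE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]
# Allow-list entries: (permitted source network, protocol, destination port).
ALLOW_RULES = [
    (ipaddress.ip_network("0.0.0.0/0"), "tcp", 443),      # public HTTPS
    (ipaddress.ip_network("203.0.113.0/24"), "tcp", 22),  # SSH from one partner
]

def check_packet(iface, src, proto, dst_port):
    """Return (verdict, reason) for a packet that arrived on interface `iface`."""
    src_ip = ipaddress.ip_address(src)
    if iface == "internal":
        # Egress anti-spoofing: our own hosts must use our own addresses.
        if not any(src_ip in net for net in INTERNAL_NETS):
            return ("drop", "spoofed source on internal interface")
        return ("accept", "internal host")
    # Ingress anti-spoofing comes first, so a forged source can never match
    # an allow rule such as the 0.0.0.0/0 entry above.
    if any(src_ip in net for net in NEVER_FROM_OUTSIDE):
        return ("drop", "spoofed source on external interface")
    for net, rule_proto, rule_port in ALLOW_RULES:
        if src_ip in net and proto == rule_proto and dst_port == rule_port:
            return ("accept", "matched allow rule")
    return ("drop", "not on allow-list")   # default deny

# Constructed sample packets: (arrival interface, source, protocol, dst port).
SAMPLE_PACKETS = [
    ("external", "198.51.100.23", "tcp", 443),
    ("external", "198.51.100.23", "tcp", 22),
    ("external", "203.0.113.9", "tcp", 22),
    ("external", "10.20.5.5", "tcp", 443),
    ("external", "127.0.0.1", "tcp", 443),
    ("internal", "10.20.7.1", "tcp", 80),
    ("internal", "198.51.100.23", "tcp", 80),
]

def run_samples():
    return [check_packet(*pkt) for pkt in SAMPLE_PACKETS]

if __name__ == "__main__":
    for pkt, result in zip(SAMPLE_PACKETS, run_samples()):
        print(pkt, "->", result)
```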
Layer 4: Transport Layer
The transport layer manages the transportation of data, facilitating a reliable arrival of data while also providing error-checking functions and data flow controls.
In practice, layer 4 establishes protocols and functions for the transportation of data in variable lengths between the source and the host. Data comes in different sizes, and is broken up into data packets. Policies and rules must be established for how to perform the data segmentation.
There are two main protocols associated with the transport layer:
- TCP (Transmission Control Protocol)
- UDP (User Datagram Protocol)
The main difference between the two is that UDP prioritizes speed over quality of transmission, while TCP prioritizes data quality over speed.
Potential Vulnerabilities of the Transport Layer
When discussing cybersecurity, the transport layer is the first among the four top layers categorized as “host layers”. However, due to its direct interaction with the network layer, the transport layer is often vulnerable to some of the threats common to the media layers described above, especially threats involving protocols and ports.
The transport layer is not often targeted directly by attackers, unless it is a DDoS attack. Two common DDoS techniques used to attack the transport layer are Smurf attacks and SYN floods.
- SYN Flood: The attacker floods the transport layer using spoofed IP addresses and does not wait for the transport layer to finalize the connection, which ends up crashing the network.
- Smurf DDoS: Uses malware to attack the transport layer, which ends up overloading your network resources.
Another prevalent issue to consider in the transport layer is the fact that cybercriminals and attackers may use the layer to scout vulnerabilities in your system, and especially to learn about how to get into the session layer (layer 5).
Protecting the Transport Layer
Since layer 4 is a great place for attackers to scout your whole system, it’s best to limit access to the transport layer as much as possible. A common practice is to configure your firewalls to only allow what is absolutely necessary (allow-listing) and also to lock down ports and other possible access points to the transport layer. It is crucial to establish appropriate tools to detect and stop port scanning, tools like scanlogd, for example.
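The kind of check a port-scan detector performs can be sketched as follows. This is an added example, not code from the original article and not scanlogd's implementation; the window, the threshold, the log format, and the log lines are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 3    # assumed look-back window
PORT_THRESHOLD = 7    # assumed: distinct ports per source inside the window

# Constructed log lines: "<epoch seconds> <source IP> <destination port> <TCP flags>"
SAMPLE_LOG = """\
100.0 192.0.2.15 443 S
100.1 198.51.100.77 21 S
100.2 198.51.100.77 22 S
100.3 198.51.100.77 23 S
100.4 192.0.2.15 443 S
100.5 198.51.100.77 25 S
100.7 198.51.100.77 80 S
100.9 198.51.100.77 110 S
101.1 198.51.100.77 143 S
101.3 198.51.100.77 443 S
101.5 192.0.2.15 443 SA
110.0 203.0.113.5 22 S
140.0 203.0.113.5 80 S
170.0 203.0.113.5 443 S
"""

def detect_port_scans(lines, window=WINDOW_SECONDS, threshold=PORT_THRESHOLD):
    """Return {source: ports seen} for sources probing many ports in a short window."""
    recent = defaultdict(deque)   # source -> (time, port) pairs still in the window
    alerts = {}
    for line in lines:
        fields = line.split()
        if len(fields) != 4 or fields[3] != "S":
            continue              # skip malformed lines and anything but a bare SYN
        ts, src, port = float(fields[0]), fields[1], int(fields[2])
        attempts = recent[src]
        attempts.append((ts, port))
        while ts - attempts[0][0] > window:
            attempts.popleft()    # forget attempts older than the window
        ports = sorted({p for _, p in attempts})
        if len(ports) >= threshold and src not in alerts:
            alerts[src] = ports   # record the ports seen when the alert fired
    return alerts

def scan_sample_log():
    return detect_port_scans(SAMPLE_LOG.splitlines())

if __name__ == "__main__":
    for source, ports in scan_sample_log().items():
        print("possible port scan from", source, "ports", ports)
```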
Layer 5: Session Layer
The session layer, sometimes called the “port layer”, facilitates the setting up and taking down of connections between two endpoints. When two endpoints are communicating with each other, it’s called a “session”, hence the name of the layer.
For example, when a user wants to read an email, a session between the user’s device and the email’s server must be established. The session layer is responsible for creating, managing, and closing the session.
Potential Vulnerabilities of the Session Layer
“Session hijacking”, the most common type of attack targeting the session layer, refers to any type of cyberattack that exploits the web session control mechanism. There are various techniques attackers use to perform session hijacking attacks, for example:
- Cross-Site Scripting (XSS): The attacker uses malicious code running on the client side to take control of the session.
- Sidejacking: Using unauthorized credentials to hijack a valid session, e.g. credential stuffing.
- Brute Force: Using malicious bots to guess users’ credentials by trying every possible combination.
Protecting the Session Layer
Here are some effective approaches you can use to protect the session layer from session hijacking attacks:
- Make sure the system is coded and configured properly.
- Prevent client-side programs from accessing cookies.
- Make sure to regenerate the session ID after each authentication has been established.
- Enforce the use of protocols that ensure encryption (HTTPS).
- Limit failed session attempts to prevent brute force attacks.
- Add timing methods to sessions.
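Several items from the list above (script-inaccessible cookies, session ID regeneration, HTTPS-only cookies, failed-attempt limits, and session timeouts) fit into one small session store. This is an added example, not code from the original article; the class, the thresholds, and the password check passed in by the caller are hypothetical stand-ins.

```python
import secrets
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 900       # assumed: seconds of inactivity before a session expires
MAX_FAILED_LOGINS = 5    # assumed: failed logins allowed before lockout

class SessionStore:
    def __init__(self, check_password, clock):
        self.check_password = check_password  # stand-in: callable(user, pw) -> bool
        self.clock = clock                    # callable() -> current time in seconds
        self.sessions = {}                    # session ID -> {"user", "last_seen"}
        self.failures = {}                    # user -> consecutive failed logins

    def _new_session(self, user):
        sid = secrets.token_urlsafe(32)       # unguessable, CSPRNG-backed ID
        self.sessions[sid] = {"user": user, "last_seen": self.clock()}
        return sid

    def start_anonymous(self):
        return self._new_session(None)

    def login(self, old_sid, user, password):
        if self.failures.get(user, 0) >= MAX_FAILED_LOGINS:
            return None                       # locked out: no further guesses
        if not self.check_password(user, password):
            self.failures[user] = self.failures.get(user, 0) + 1
            return None
        self.failures.pop(user, None)
        self.sessions.pop(old_sid, None)      # the pre-login ID stops working
        return self._new_session(user)        # fresh ID after authentication

    def lookup(self, sid):
        session = self.sessions.get(sid)
        if session is None:
            return None
        now = self.clock()
        if now - session["last_seen"] > IDLE_TIMEOUT:
            del self.sessions[sid]            # idle timeout reached
            return None
        session["last_seen"] = now
        return session["user"]

def session_cookie(sid):
    """Build the Set-Cookie value with the flags from the list above."""
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["httponly"] = True          # hidden from client-side scripts
    cookie["sid"]["secure"] = True            # only sent over HTTPS
    return cookie["sid"].OutputString()

def demo():
    now = [1000.0]                            # constructed fake clock
    store = SessionStore(lambda u, p: (u, p) == ("alice", "example-pw"),
                         lambda: now[0])
    anon = store.start_anonymous()
    sid = store.login(anon, "alice", "example-pw")
    regenerated = sid != anon and store.lookup(anon) is None
    now[0] += IDLE_TIMEOUT + 1
    expired = store.lookup(sid) is None
    for _ in range(MAX_FAILED_LOGINS):
        store.login(None, "alice", "wrong-guess")
    locked = store.login(None, "alice", "example-pw") is None
    return regenerated, expired, locked
```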
Layer 6: Presentation Layer
The main role of the presentation layer is to ensure the incoming data is in an appropriate, presentable form for the recipient. Layer 6 is responsible for converting and formatting the machine-readable code into a form the end-user can understand and use in the application layer. Data encryption also happens in this layer.
Potential Vulnerabilities of the Presentation Layer
Since layer 6 is where encryption happens, especially when using an HTTPS website, attackers may look for encryption flaws here to gain access and attack the whole system.
SSL hijacking is an important threat targeting the presentation layer in which the attacker looks for ways to install malware on the system, and then performs a network interception attack by using a proxy that acts as an unauthorized certificate authority. The browser will then trust the unauthorized authority, and the attacker will be able to access the data.
Protecting the Presentation Layer
SSL hijacking often happens due to bad coding practices, so it’s crucial to ensure your system is coded properly, and be extra careful when integrating new software/applications into the system.
It’s also very important to ensure your antivirus (anti-malware) solution is adequate and up-to-date to prevent malware from entering your network/system/devices and inviting SSL hijacking attacks.
Layer 7: Application Layer
The application layer facilitates end-user interaction with the application (or the services provided by an application). Layer 7 of the OSI model defines various standards for interaction at the end-user level. For example, the application layer is responsible for file transfer between devices.
Layer 7 is the layer most end-users will be familiar with, even if they don’t understand anything about the OSI model. It is also the layer most frequently targeted by cybercriminals.
Potential Vulnerabilities of the Application Layer
Cybercriminals target layer 7 in various different ways, including but not limited to:
- Layer 7 DDoS Attacks: Also called “application-layer DDoS”, this attack attempts to overwhelm the network or system with common internet requests like HTTP GET and HTTP POST. Layer 7 attacks are very effective because they take a minimal amount of resources on the attacker’s side while the impact on the system can be massive.
- Credential Stuffing, Credential Cracking, and ID/Password Sniffing: Methods to gain access to end-user accounts (account takeover attacks).
- Malware: Viruses, keyloggers, worms, Trojans, and all types of malware attacks target layer 7.
Protecting the Application Layer
Specialized mitigation solutions must be employed to properly protect the system from layer 7 DDoS attacks, and the usage of an advanced anti-virus solution is also necessary.
Conclusion
After exploring all you need to know about the 7 layers of the OSI model and the potential cybersecurity threats for each layer, you should understand the importance of protecting each layer.