5.1.1. OSI and TCP/IP Models: Security Layer by Layer
💡 First Principle: The OSI model provides a universal vocabulary for describing where in the communication stack something happens. When someone says "this is a Layer 3 attack" or "this control operates at Layer 7," they are using OSI layer references to communicate precisely about the scope and nature of a security event. Without this shared vocabulary, security discussions become ambiguous.
The OSI Model — 7 Layers:
| Layer | Name | PDU | Key Protocols | Security Role | Attack Examples |
|---|---|---|---|---|---|
| 7 | Application | Data | HTTP, HTTPS, SMTP, DNS, FTP | WAF, application controls | SQL injection, XSS, phishing, buffer overflow |
| 6 | Presentation | Data | TLS/SSL, JPEG, ASCII, MIME | Encryption/decryption | SSL stripping, certificate attacks |
| 5 | Session | Data | NetBIOS, RPC, SQL sessions | Session management | Session hijacking, replay attacks |
| 4 | Transport | Segment | TCP, UDP | Stateful firewall, port filtering | SYN flood, port scanning, TCP hijacking |
| 3 | Network | Packet | IP, ICMP, IPsec, OSPF, BGP | Router ACLs, IP filtering | IP spoofing, route injection, ICMP attacks |
| 2 | Data Link | Frame | Ethernet, Wi-Fi (802.11), ARP, STP | Switch security, VLAN | ARP spoofing, MAC flooding, VLAN hopping |
| 1 | Physical | Bit | Cable, fiber, radio, hubs | Physical access control | Wiretapping, jamming, hardware tampering |
Memory aid: "All People Seem To Need Data Processing" (Application, Presentation, Session, Transport, Network, Data Link, Physical — top to bottom) or reversed: "Please Do Not Throw Sausage Pizza Away."
TCP/IP Model vs. OSI:
| TCP/IP Layer | Maps to OSI | Key Protocols |
|---|---|---|
| Application | Layers 5, 6, 7 | HTTP, DNS, SMTP, FTP, SSH, TLS |
| Transport | Layer 4 | TCP, UDP |
| Internet | Layer 3 | IP, ICMP, ARP |
| Network Access | Layers 1, 2 | Ethernet, Wi-Fi, PPP |
TCP vs. UDP — the fundamental transport choice:
| Feature | TCP | UDP |
|---|---|---|
| Connection | Connection-oriented (3-way handshake) | Connectionless |
| Reliability | Guaranteed delivery, ordered | Best-effort, unordered |
| Error checking | Checksum + retransmission | Checksum only (optional) |
| Flow control | Yes (windowing) | No |
| Speed | Slower (overhead) | Faster (minimal overhead) |
| Use cases | HTTP/S, SMTP, SSH, FTP — where data integrity matters | DNS, DHCP, VoIP, streaming, SNMP — where speed > guaranteed delivery |
| Attack surface | SYN flood (exhausts half-open connections) | UDP flood (high volume, stateless) |
TCP 3-way handshake:
- SYN: the client sends a segment with the SYN flag set and its initial sequence number (ISN).
- SYN-ACK: the server acknowledges the client's ISN (ack = client ISN + 1) and sends its own SYN with its ISN; the connection is now half-open on the server.
- ACK: the client acknowledges the server's ISN (ack = server ISN + 1); both sides are ESTABLISHED.
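The following is an added example, not part of the original study guide: a small in-memory model of the handshake from the server's side, with a bounded half-open queue. It shows why the table above calls a SYN flood an exhaustion of half-open connections: each SYN whose SYN-ACK is never acknowledged occupies a queue slot, and once the queue is full the listener drops SYNs from legitimate clients. The `Listener`, `Segment` and `demo` names, the backlog size, the sequence numbers and the client identifiers are all constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum

# TCP flag bits as they appear in the header's flags byte
SYN = 0x02
ACK = 0x10


@dataclass
class Segment:
    src: str        # constructed client identifier, stands in for (IP, port)
    flags: int
    seq: int
    ack: int = 0


class State(Enum):
    SYN_RECEIVED = "SYN_RECEIVED"   # half-open: our SYN-ACK not yet acknowledged
    ESTABLISHED = "ESTABLISHED"


@dataclass
class Listener:
    """Server side of the handshake with a bounded half-open (SYN) queue (simplified model)."""
    isn: int = 5000                                   # next server ISN to hand out (constructed)
    backlog: int = 4                                  # max half-open entries, like a small SYN queue
    half_open: dict = field(default_factory=dict)     # src -> (server ISN, client ISN) awaiting final ACK
    established: dict = field(default_factory=dict)   # src -> (client ISN, server ISN)
    dropped_syns: int = 0

    def receive(self, seg: Segment):
        """Process one segment; return the reply segment, or None when nothing is sent."""
        if seg.flags == SYN:
            if seg.src in self.half_open or seg.src in self.established:
                return None                           # duplicate SYN, ignored in this model
            if len(self.half_open) >= self.backlog:
                self.dropped_syns += 1                # queue full: new clients cannot get in
                return None
            server_isn = self.isn
            self.isn += 1
            self.half_open[seg.src] = (server_isn, seg.seq)
            return Segment(src="server", flags=SYN | ACK, seq=server_isn, ack=seg.seq + 1)
        if seg.flags == ACK and seg.src in self.half_open:
            server_isn, client_isn = self.half_open[seg.src]
            # The final ACK must acknowledge our ISN and carry the client's ISN + 1
            if seg.ack == server_isn + 1 and seg.seq == client_isn + 1:
                del self.half_open[seg.src]
                self.established[seg.src] = (client_isn, server_isn)
        return None

    def state_of(self, src: str):
        if src in self.established:
            return State.ESTABLISHED
        if src in self.half_open:
            return State.SYN_RECEIVED
        return None


def handshake(listener: Listener, client: str, client_isn: int) -> bool:
    """Well-behaved client: SYN, receive SYN-ACK, send the final ACK. True if ESTABLISHED."""
    syn_ack = listener.receive(Segment(src=client, flags=SYN, seq=client_isn))
    if syn_ack is None or syn_ack.flags != (SYN | ACK) or syn_ack.ack != client_isn + 1:
        return False
    listener.receive(Segment(src=client, flags=ACK, seq=client_isn + 1, ack=syn_ack.seq + 1))
    return listener.state_of(client) is State.ESTABLISHED


def silent_syn(listener: Listener, client: str, client_isn: int) -> None:
    """Client that sends SYN but never answers the SYN-ACK, leaving a half-open entry behind."""
    listener.receive(Segment(src=client, flags=SYN, seq=client_isn))


def demo() -> dict:
    srv = Listener(backlog=3)
    results = {"good_first": handshake(srv, "10.0.0.5:40001", 100)}
    for i in range(5):                                # more silent SYNs than the backlog holds
        silent_syn(srv, f"203.0.113.{i}:5{i}000", 1000 + i)
    results["half_open"] = len(srv.half_open)         # queue is full
    results["dropped"] = srv.dropped_syns             # surplus silent SYNs were dropped
    results["good_after"] = handshake(srv, "10.0.0.6:40002", 200)   # legitimate client now refused
    return results


if __name__ == "__main__":
    print(demo())
```

Real stacks reap half-open entries after the SYN-ACK retransmissions time out and can fall back to SYN cookies when the queue fills; this model omits both so the exhaustion effect is visible directly in `demo()`.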
Protocol Data Units (PDUs) by layer:
- Layers 7-5: Data
- Layer 4: Segment (TCP) / Datagram (UDP)
- Layer 3: Packet
- Layer 2: Frame
- Layer 1: Bits
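To make the PDU names and the "Security Role" column concrete, here is an added Python example (not from the study guide) that builds one constructed Ethernet frame carrying IPv4, TCP and an HTTP request, then peels it layer by layer with `struct`. The MAC addresses, the IPs (documentation ranges) and the function names `build_sample_frame` and `parse_frame` are assumptions made for the example; checksums are left at zero since nothing verifies them here.

```python
import struct


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_sample_frame() -> bytes:
    """Constructed Ethernet II frame: IPv4 / TCP / HTTP request (sample data, not a capture)."""
    data = b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"          # Layer 7 PDU: data
    # Layer 4 PDU: TCP segment header, 20 bytes, no options. Flags 0x18 = PSH|ACK.
    tcp = struct.pack("!HHIIBBHHH", 51000, 80, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    # Layer 3 PDU: IPv4 header, 20 bytes. 0x45 = version 4, IHL 5 words; protocol 6 = TCP.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(data), 0x1234, 0x4000,
                     64, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    # Layer 2 PDU: Ethernet header (dst MAC, src MAC, EtherType 0x0800 = IPv4).
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    return eth + ip + tcp + data            # Layer 1 would carry these bytes as bits on the wire


def parse_frame(frame: bytes) -> dict:
    """Peel the frame layer by layer; each key names the PDU seen at that layer."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    layers = {}
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers["L2_frame"] = {"dst_mac": _mac(dst), "src_mac": _mac(src), "ethertype": ethertype}
    if ethertype != 0x0800:
        raise ValueError(f"only IPv4 handled here, got EtherType {ethertype:#06x}")

    packet = frame[14:]
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src_ip, dst_ip = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    # Lengths come from the wire, so validate them before slicing with them
    if (ver_ihl >> 4) != 4 or ihl < 20 or total_len < ihl or total_len > len(packet):
        raise ValueError("malformed IPv4 header")
    layers["L3_packet"] = {"src_ip": _ip(src_ip), "dst_ip": _ip(dst_ip), "ttl": ttl, "protocol": proto}

    segment = packet[ihl:total_len]
    if proto != 6:                          # only TCP is decoded further in this example
        layers["L4_segment"] = None
        return layers
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off, flags, win, _, _ = struct.unpack("!HHIIBBHHH", segment[:20])
    data_off = (off >> 4) * 4
    if data_off < 20 or data_off > len(segment):
        raise ValueError("malformed TCP header")
    layers["L4_segment"] = {"src_port": sport, "dst_port": dport, "seq": seq,
                            "ack": ack, "flags": flags, "window": win}
    layers["L7_data"] = segment[data_off:]  # what a WAF or IDS must look at to spot SQLi/XSS
    return layers


if __name__ == "__main__":
    for name, value in parse_frame(build_sample_frame()).items():
        print(name, value)
```

Read the result against the table's "Security Role" column: a router ACL decides on `L3_packet` alone, a stateful firewall adds `L4_segment` (ports and flags), and only a control that decodes `L7_data` can see the application payload. A Layer 3 filter simply never sees the fields a Layer 7 attack lives in.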
⚠️ Exam Trap: ARP operates at Layer 2 but resolves Layer 3 addresses (IP → MAC). ARP spoofing is therefore a Layer 2 attack — a Layer 3 firewall cannot prevent it. Defense requires Layer 2 controls: Dynamic ARP Inspection (DAI) on switches, which validates ARP replies against a trusted DHCP snooping table.
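As an added illustration of the DAI check described in the exam trap (example code, not from the study guide or any switch vendor), the model below holds a DHCP snooping binding table and decides, for each ARP reply arriving on an untrusted port, whether the sender IP/MAC pair matches a learned binding. The `Binding`, `ArpReply` and `inspect_arp` names, the port names, VLAN, IPs and MACs are all constructed for the example; the port-consistency check is a simplification of what real switches do.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding: the switch saw this IP leased to this MAC on this VLAN and port."""
    ip: str
    mac: str
    vlan: int
    port: str


@dataclass(frozen=True)
class ArpReply:
    """The fields of an ARP reply that the inspection looks at (constructed model)."""
    sender_ip: str
    sender_mac: str
    vlan: int
    ingress_port: str


def build_binding_table(bindings) -> dict:
    """Index bindings by (VLAN, IP), the lookup key an ARP reply provides."""
    return {(b.vlan, b.ip): b for b in bindings}


def inspect_arp(reply: ArpReply, table: dict, trusted_ports=frozenset()) -> tuple:
    """Return ("forward", reason) or ("drop", reason), mirroring a DAI decision."""
    if reply.ingress_port in trusted_ports:
        return "forward", "trusted port (uplink), not inspected"
    binding = table.get((reply.vlan, reply.sender_ip))
    if binding is None:
        return "drop", "no DHCP snooping binding for sender IP on this VLAN"
    if binding.mac.lower() != reply.sender_mac.lower():
        return "drop", f"sender MAC {reply.sender_mac} does not match binding {binding.mac}"
    if binding.port != reply.ingress_port:
        return "drop", f"binding is on {binding.port}, reply arrived on {reply.ingress_port}"
    return "forward", "matches DHCP snooping binding"


def demo() -> list:
    """Run a constructed set of ARP replies through the check; returns the verdicts in order."""
    table = build_binding_table([
        Binding("10.0.0.50", "aa:aa:aa:aa:aa:50", 10, "Gi1/0/5"),
        Binding("10.0.0.51", "aa:aa:aa:aa:aa:51", 10, "Gi1/0/6"),
    ])
    trusted = frozenset({"Gi1/0/48"})                                  # uplink towards the gateway
    replies = [
        ArpReply("10.0.0.50", "aa:aa:aa:aa:aa:50", 10, "Gi1/0/5"),    # legitimate host reply
        ArpReply("10.0.0.1", "aa:aa:aa:aa:aa:01", 10, "Gi1/0/48"),    # gateway, via trusted uplink
        ArpReply("10.0.0.1", "aa:aa:aa:aa:aa:51", 10, "Gi1/0/6"),     # host .51 claiming the gateway IP
        ArpReply("10.0.0.50", "aa:aa:aa:aa:aa:51", 10, "Gi1/0/6"),    # host .51 claiming .50's IP
        ArpReply("10.0.0.99", "aa:aa:aa:aa:aa:99", 10, "Gi1/0/7"),    # IP with no lease at all
    ]
    return [inspect_arp(r, table, trusted)[0] for r in replies]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The two poisoning attempts and the unleased IP are dropped at the switch port, before any Layer 3 device sees a packet, which is the whole point of the exam trap: the control has to live at Layer 2. Hosts with static addresses have no DHCP lease, so real deployments pair DAI with ARP ACLs (or static snooping entries) for them; that is outside this model.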
Reflection Question: An attacker is poisoning ARP tables on a switched network to intercept traffic between two hosts. Identify the OSI layer at which this attack operates, explain why traditional firewalls cannot detect it, and name the specific switch-level control that prevents it.