In the cybersecurity world, threats are often described as targeting a specific layer. But what does that actually mean? The idea of network layers is foundational to computer networking, as it describes how data travels from one system to another. In this article, we’ll explain what OSI layers are, the most common model used to describe them, and which cyberattacks target each layer.
The Open Systems Interconnection (OSI) model was created by the International Organization for Standardization (ISO) to describe how computer networks are structured and how data signals travel from one system to another. The model divides the network into seven layers, with physical hardware at the bottom and software applications at the top.
The OSI model is often considered to be a universal language for discussing computer networks. It’s also one of the first things taught to new computer science students, as network architecture is foundational to almost everything in the digital world.
The 7 layers in OSI describe a network from the ground up, starting with physical infrastructure and ending with the systems and applications that appear on a user’s screen.
The OSI model is usually displayed ‘upside down’ with Layer 7 at the top and Layer 1 at the bottom. This approach can help beginners understand the flow of data signals between two systems.
However, we are interested in the OSI model from a cybersecurity perspective. What matters to an attacker is less how data flows through the network than which weaknesses at each layer can be exploited to intercept that data, cause damage, or disrupt the network entirely.
For this purpose, it is easier to explain how a network is built from the ground up, starting at Layer 1.
Layer 1 describes the physical hardware and media needed to carry a data transfer: cables, fibre, radio links, connectors and network interfaces. What passes through this layer is a raw stream of bits, represented as electrical, optical or radio signals.
Examples of Layer 1 attacks include physically cutting a network cable, tapping it to copy the signal, or jamming a wireless link. These attacks require physical access or proximity, which is why Layer 1 defences are mostly physical security controls.
The Data Link Layer enables the transfer of data between two devices on the same local network. At this layer, data is packaged into units called frames. Layer 2 is also responsible for flow and error control, but only for data traveling over a single link inside the same network.
Layer 2 uses Media Access Control (MAC) addresses to identify devices and to decide which device on the link a frame is delivered to. Switches learn which port each MAC address sits behind and forward frames accordingly. Because nothing at this layer authenticates the address a frame carries, a common Layer 2 attack is MAC spoofing, where one device impersonates another by sending frames with that device’s MAC address as the source.
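The frame layout and the switch behaviour described above, as an added example (not code from the original article): it parses raw Ethernet II frames, learns a MAC-to-port table the way a switch does, and reports a MAC that later appears on a different port, which is the simplest observable symptom of MAC spoofing. The switch ports, MAC addresses and frames are all constructed for the example.

```python
import struct

# Ethernet II header: destination MAC (6), source MAC (6), EtherType (2); network byte order.
ETH_HEADER = struct.Struct("!6s6sH")
ETHERTYPE_IPV4 = 0x0800


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split(":"))


def parse_ethernet(frame: bytes):
    """Return (dst_mac, src_mac, ethertype, payload) for a raw Ethernet II frame."""
    if len(frame) < ETH_HEADER.size:
        raise ValueError("frame shorter than a 14-byte Ethernet header")
    dst, src, ethertype = ETH_HEADER.unpack_from(frame)
    return mac_to_str(dst), mac_to_str(src), ethertype, frame[ETH_HEADER.size:]


def build_frame(dst: str, src: str, payload: bytes = b"", ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Assemble a frame; used here only to construct sample traffic."""
    return ETH_HEADER.pack(mac_to_bytes(dst), mac_to_bytes(src), ethertype) + payload


class MacTable:
    """Learn which switch port each source MAC first appears on (as a switch does),
    and record an alert when the same MAC later shows up on a different port."""

    def __init__(self):
        self.port_for_mac = {}   # mac -> port it was learned on
        self.alerts = []         # (mac, learned_port, seen_on_port)

    def observe(self, port: int, frame: bytes) -> str:
        _dst, src, _ethertype, _payload = parse_ethernet(frame)
        learned = self.port_for_mac.get(src)
        if learned is None:
            self.port_for_mac[src] = port
        elif learned != port:
            self.alerts.append((src, learned, port))
        return src


# Constructed sample traffic on a three-port switch (hypothetical MAC addresses).
GATEWAY_MAC = "00:11:22:33:44:01"   # legitimately on port 1
CLIENT_MAC = "00:11:22:33:44:02"    # legitimately on port 2
ROGUE_MAC = "00:11:22:33:44:03"     # attacker's real MAC, on port 3

SAMPLE_TRAFFIC = [
    (1, build_frame(CLIENT_MAC, GATEWAY_MAC, b"gateway -> client")),
    (2, build_frame(GATEWAY_MAC, CLIENT_MAC, b"client -> gateway")),
    (3, build_frame(GATEWAY_MAC, ROGUE_MAC, b"rogue host, honest source MAC")),
    # The rogue host now impersonates the gateway by forging its source MAC.
    (3, build_frame(CLIENT_MAC, GATEWAY_MAC, b"rogue host, spoofed gateway MAC")),
]


def run_sample(traffic=SAMPLE_TRAFFIC):
    """Feed the sample frames through the table and return the alerts raised."""
    table = MacTable()
    for port, frame in traffic:
        table.observe(port, frame)
    return table.alerts


if __name__ == "__main__":
    for mac, learned, seen in run_sample():
        print(f"MAC {mac} learned on port {learned} but seen on port {seen}: possible spoofing")
```

A real switch with port security enabled does the same bookkeeping in hardware and can shut the offending port; the caveat is that a spoofer plugged into the same port as its victim (or on wireless, where there is no port) produces no port change, so this check catches only the common case.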
The Network Layer has two functions: logical addressing and routing.
Layer 3 uses network addresses (usually IP addresses) to identify the source and destination of each packet and to route it across one or more networks to the right place.
Layer 3 is where we start to see DDoS attacks becoming a common threat. Layer 3 DDoS attacks aim to exhaust the bandwidth or processing capacity of routers, firewalls and other network infrastructure by flooding them with high volumes of ‘junk’ packets.
The Transport Layer controls communication between two devices. To send data out, Layer 4 accepts data from the session layer (Layer 5) and breaks it up into ‘segments’ before sending it on to Layer 3. To receive data, Layer 4 reassembles segments from Layer 3 and sends them on to Layer 5.
To avoid performance issues and lost data, Layer 4 also performs flow and error control, sending data at a rate the receiving device can cope with. Knowing this, it doesn’t take much imagination to guess how a threat actor could attack the Transport Layer.
DDoS is a common Layer 4 threat and works much like the Layer 3 attacks described above, except that it targets the connection-handling resources of the endpoint. A SYN flood, for example, sends large numbers of TCP connection requests that are never completed, so the target holds state for half-open connections until it can no longer accept legitimate ones.
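The Layer 3 and Layer 4 points above (IP addressing, the header integrity check, and the SYN flood) carried through in code, as an added example rather than code from the original article: it builds and parses minimal IPv4/TCP packets, verifies the IPv4 header checksum so that corrupted or forged headers are rejected before any Layer 4 logic runs, and then counts half-open handshakes per source address to spot a flooder. All IP addresses, ports and packets are constructed for the example.

```python
import struct
from collections import defaultdict
from socket import inet_aton, inet_ntoa

# IPv4 header (20 bytes, no options) and TCP header (20 bytes, no options), network byte order.
IPV4_HEADER = struct.Struct("!BBHHHBBH4s4s")
TCP_HEADER = struct.Struct("!HHIIBBHHH")
PROTO_TCP = 6
TCP_SYN = 0x02
TCP_ACK = 0x10


def ip_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum of 16-bit words; a valid header checksums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_packet(src_ip, dst_ip, sport, dport, flags, seq=0, ack=0) -> bytes:
    """Construct a minimal IPv4/TCP packet (sample traffic only; TCP checksum left at 0)."""
    tcp = TCP_HEADER.pack(sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    fields = [0x45, 0, IPV4_HEADER.size + len(tcp), 0, 0, 64, PROTO_TCP, 0,
              inet_aton(src_ip), inet_aton(dst_ip)]
    fields[7] = ip_checksum(IPV4_HEADER.pack(*fields))   # fill in the header checksum
    return IPV4_HEADER.pack(*fields) + tcp


def parse_packet(packet: bytes) -> dict:
    """Validate the Layer 3 header, then pull out the Layer 4 fields the detector needs."""
    if len(packet) < IPV4_HEADER.size:
        raise ValueError("packet shorter than an IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = IPV4_HEADER.unpack_from(packet)
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(packet):
        raise ValueError("bad IP version or header length")
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    if proto != PROTO_TCP:
        raise ValueError(f"not TCP (protocol {proto})")
    if len(packet) < ihl + TCP_HEADER.size:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, _off, flags, *_ = TCP_HEADER.unpack_from(packet, ihl)
    return {"src": inet_ntoa(src), "dst": inet_ntoa(dst), "sport": sport,
            "dport": dport, "flags": flags, "len": total_len}


class SynFloodDetector:
    """Track half-open handshakes per source: a bare SYN opens one, the client's ACK closes it.
    A source holding more than `threshold` half-open connections is reported."""

    def __init__(self, threshold: int = 10):
        self.threshold = threshold
        self.half_open = defaultdict(set)   # src ip -> source ports still awaiting the final ACK

    def observe(self, packet: bytes) -> dict:
        p = parse_packet(packet)
        if p["flags"] & TCP_SYN and not p["flags"] & TCP_ACK:
            self.half_open[p["src"]].add(p["sport"])
        elif p["flags"] & TCP_ACK:
            self.half_open[p["src"]].discard(p["sport"])
        return p

    def suspects(self) -> list:
        return sorted(ip for ip, ports in self.half_open.items() if len(ports) > self.threshold)


# Constructed sample (hypothetical addresses): one well-behaved client, one SYN flooder.
SERVER = "192.0.2.80"
SAMPLE_PACKETS = [
    build_packet("10.0.0.5", SERVER, 40000, 443, TCP_SYN),
    build_packet("10.0.0.5", SERVER, 40000, 443, TCP_ACK, seq=1, ack=1),
] + [
    build_packet("203.0.113.9", SERVER, 50000 + i, 443, TCP_SYN) for i in range(25)
]


def run_sample(packets=SAMPLE_PACKETS, threshold=10) -> list:
    """Run the sample packets through the detector and return the flagged source addresses."""
    detector = SynFloodDetector(threshold)
    for pkt in packets:
        detector.observe(pkt)
    return detector.suspects()


if __name__ == "__main__":
    print("SYN flood suspects:", run_sample())
```

Two caveats a practitioner would add: a real flood usually spoofs the source address, so per-source counting must be combined with a global half-open budget (SYN cookies are the usual server-side mitigation), and the half-open set needs a timeout so that abandoned handshakes from honest but flaky clients do not accumulate forever.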
The Session Layer opens and closes communication channels (‘sessions’) between two devices: it establishes the session, keeps it open while data is exchanged, and terminates it when the exchange is complete.
For obvious reasons, interrupted sessions cause significant problems. To remedy this, the Session Layer can also set ‘checkpoints’ during a session. That way, if a data transfer is interrupted, it can resume when the session is reopened.
Historically, Layer 5 has seen relatively few cyber threats, particularly in an enterprise environment. However, there have been some Layer 5 DoS attacks, as well as session hijacking and man-in-the-middle threats, where an attacker takes over or intercepts communications between two devices, either stealing or altering the data before sending it on.
The Presentation Layer takes data from the Session Layer and prepares it for the Application Layer. It decides how data is encoded, encrypted and compressed so that the receiver can read it. TLS is conventionally placed at this layer, although in practice it sits directly between the transport and application layers of the TCP/IP stack. For data flowing the other way, the Presentation Layer accepts data from the Application Layer and prepares it to be sent out via Layers 5 to 1 (and back up through Layers 1 to 5 on the other end).
The tasks performed at Layer 6, encryption in particular, are resource-intensive. To attack at this layer, threat actors can send malformed or excessive TLS handshake requests that force the server to spend CPU time and memory on connections that never carry legitimate traffic, or tunnel HTTP-based attacks inside TLS so that they are hidden from security tools that cannot decrypt the traffic.
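What a ‘malformed TLS request’ looks like at the byte level, and how a parser defends against it, as an added example that is not code from the original article: a bounds-checked parser for the first message of a TLS handshake (the ClientHello) that refuses any length field which does not fit the bytes actually received, alongside a forged-length and a truncated sample. The records are constructed for the example; the offsets follow the TLS record and handshake layout, and the parser stops at the extensions block rather than decoding it.

```python
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
MAX_RECORD = 2 ** 14   # TLSPlaintext length limit (RFC 8446 section 5.1)


class MalformedTLS(ValueError):
    """Raised when a declared length does not fit the bytes actually received."""


def _need(buf: bytes, offset: int, n: int, what: str) -> int:
    """Bounds check: ensure `n` bytes exist at `offset`; return the offset just past them."""
    if offset + n > len(buf):
        raise MalformedTLS(f"{what}: declares {n} bytes at offset {offset}, only {len(buf) - offset} present")
    return offset + n


def parse_client_hello(data: bytes) -> dict:
    # Record layer header: content type (1), legacy version (2), length (2).
    _need(data, 0, 5, "record header")
    ctype, _rec_ver, rec_len = struct.unpack_from("!BHH", data)
    if ctype != TLS_HANDSHAKE:
        raise MalformedTLS(f"record type {ctype:#x} is not handshake")
    if rec_len > MAX_RECORD:
        raise MalformedTLS(f"record length {rec_len} exceeds {MAX_RECORD}")
    body = data[5:_need(data, 5, rec_len, "record body")]
    # Handshake header: message type (1), length (3).
    _need(body, 0, 4, "handshake header")
    if body[0] != CLIENT_HELLO:
        raise MalformedTLS(f"handshake type {body[0]:#x} is not ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    if 4 + hs_len != len(body):
        raise MalformedTLS(f"handshake length {hs_len} disagrees with record length {rec_len}")
    hs = body[4:]
    off = _need(hs, 0, 34, "client version and random")   # version (2) + random (32)
    client_version = struct.unpack_from("!H", hs)[0]
    _need(hs, off, 1, "session id length")
    sid_len = hs[off]
    off += 1
    if sid_len > 32:
        raise MalformedTLS(f"session id length {sid_len} exceeds 32")
    off = _need(hs, off, sid_len, "session id")
    session_id = hs[off - sid_len:off]
    _need(hs, off, 2, "cipher suites length")
    cs_len = struct.unpack_from("!H", hs, off)[0]
    off += 2
    if cs_len == 0 or cs_len % 2:
        raise MalformedTLS(f"cipher suites length {cs_len} is not a positive multiple of 2")
    off = _need(hs, off, cs_len, "cipher suites")   # the check a naive parser skips
    suites = list(struct.unpack(f"!{cs_len // 2}H", hs[off - cs_len:off]))
    _need(hs, off, 1, "compression methods length")
    comp_len = hs[off]
    off += 1
    off = _need(hs, off, comp_len, "compression methods")
    extensions = b""
    if off < len(hs):   # the extensions block is optional
        _need(hs, off, 2, "extensions length")
        ext_len = struct.unpack_from("!H", hs, off)[0]
        off += 2
        off = _need(hs, off, ext_len, "extensions")
        extensions = hs[off - ext_len:off]
    if off != len(hs):
        raise MalformedTLS(f"{len(hs) - off} trailing bytes after ClientHello")
    return {"version": client_version, "session_id": session_id,
            "cipher_suites": suites, "extensions": extensions}


def build_client_hello(cipher_suites, session_id=b"", random_bytes=bytes(32)) -> bytes:
    """Construct a well-formed TLS 1.2-style ClientHello record (sample input only)."""
    hello = struct.pack("!H", 0x0303) + random_bytes
    hello += bytes([len(session_id)]) + session_id
    hello += struct.pack("!H", 2 * len(cipher_suites))
    hello += b"".join(struct.pack("!H", s) for s in cipher_suites)
    hello += b"\x01\x00"   # one compression method: null
    hello += b"\x00\x00"   # empty extensions block
    handshake = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(handshake)) + handshake


# Constructed samples.
WELL_FORMED = build_client_hello([0x1301, 0x1302, 0xC02F])
# Same record with the cipher-suites length field (offset 44 when the session id is empty)
# overwritten to claim 65535 bytes: a parser that trusted it would over-read or over-allocate.
FORGED_LENGTH = WELL_FORMED[:44] + b"\xff\xff" + WELL_FORMED[46:]
# A record cut off after 30 bytes, as a client that stalls mid-handshake would send.
TRUNCATED = WELL_FORMED[:30]


def classify(data: bytes) -> str:
    """Return 'ok' for a parseable ClientHello, otherwise the parser's reason for rejecting it."""
    try:
        parse_client_hello(data)
        return "ok"
    except MalformedTLS as exc:
        return str(exc)


if __name__ == "__main__":
    for name, sample in [("well-formed", WELL_FORMED), ("forged length", FORGED_LENGTH), ("truncated", TRUNCATED)]:
        print(f"{name}: {classify(sample)}")
```

The defensive pattern is the same for every length-prefixed protocol: check each declared length against the bytes you actually hold before you index, slice or allocate, and reject inconsistencies between nested lengths (record versus handshake) rather than trusting the outermost one. Note that this parser only sees the handshake; an HTTP attack tunnelled inside an established TLS session is invisible to it, which is exactly the point made above about traffic that inspection tools cannot decrypt.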
Every piece of software—from web browsers to office software to web applications—relies on the Application layer to send and receive data and present it to the user. There are many popular Layer 7 protocols, including HTTP for web pages, FTP for file transfers, and SMTP for email.
The vast majority of cyber threats target the Application Layer. DDoS attacks (HTTP floods and other application-layer floods) and other HTTP-based attacks are a common threat, as are all of the threats listed in the OWASP Top 10, such as injection and broken access control, and many more threats besides.
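An application-layer flood looks very different from the packet-level floods at Layers 3 and 4: every request is a complete, valid HTTP transaction, so the evidence lives in the web server’s access log rather than in packet headers. The detection logic below is an added example (not code from the original article) that parses Common Log Format lines and keeps a sliding window of request timestamps per client, flagging any client that exceeds a request budget inside the window. The log lines, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: client ident authuser [timestamp] "request line" status bytes
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line: str) -> dict:
    """Turn one access-log line into a dict; reject lines that do not match the format."""
    m = LOG_LINE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


class HttpFloodDetector:
    """Sliding-window request counter per client: more than `max_requests` within any
    `window_seconds` span flags the client. Each deque holds only in-window timestamps."""

    def __init__(self, window_seconds: int = 10, max_requests: int = 20):
        self.window = timedelta(seconds=window_seconds)
        self.max_requests = max_requests
        self.recent = defaultdict(deque)   # ip -> timestamps of recent requests
        self.flagged = set()

    def observe(self, line: str) -> dict:
        event = parse_line(line)
        q = self.recent[event["ip"]]
        q.append(event["ts"])
        while q and event["ts"] - q[0] > self.window:   # assumes each client's lines arrive in time order
            q.popleft()
        if len(q) > self.max_requests:
            self.flagged.add(event["ip"])
        return event


def _log(ip: str, when: datetime, path: str, status: int = 200) -> str:
    """Render one constructed CLF line."""
    stamp = when.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" {status} 512'


T0 = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)

# Constructed sample: a browsing user (one request every 3 s) and a flooder hitting
# a single search page ten times a second for four seconds (hypothetical addresses).
SAMPLE_LOG = (
    [_log("192.0.2.10", T0 + timedelta(seconds=3 * i), f"/page{i}.html") for i in range(5)]
    + [_log("198.51.100.77", T0 + timedelta(milliseconds=100 * i), "/search?q=a") for i in range(40)]
)


def run_sample(lines=SAMPLE_LOG) -> set:
    """Run the sample log through the detector and return the flagged client addresses."""
    detector = HttpFloodDetector()
    for line in lines:
        detector.observe(line)
    return detector.flagged


if __name__ == "__main__":
    print("HTTP flood suspects:", sorted(run_sample()))
```

A per-IP budget is the first, not the last, word: distributed floods spread requests across many addresses that each stay under the limit, so production defences also weight requests by cost (a search endpoint is more expensive than a static page), look at shared fingerprints such as identical User-Agent and path patterns, and rate-limit behind a CDN or WAF where the flood can be absorbed before it reaches the application.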
With all that said, there is a reason why the OSI model is usually shown upside down—it shows how data travels between one point and another.
If you were to sit at your computer and send a communication to a computer in another building, that data would start at the Application Layer (Layer 7) on your device, travel down to the Physical Layer (Layer 1), and then travel back up to the Application Layer (Layer 7) on the receiving end.
In other words, the data signal would follow this path:
7 → 6 → 5 → 4 → 3 → 2 → 1 → 2 → 3 → 4 → 5 → 6 → 7
Nobody ever claimed that the OSI model was perfect. Far from it.
However, the issue runs deeper than most people realize. While new recruits to the world of networking still learn the OSI model to this day, it doesn’t do a great job of explaining how modern TCP/IP networks work.
The lower layers (1-4) map fairly closely onto reality: they correspond to the link, internet and transport layers of the TCP/IP model. However, in modern networks, Layers 5 (session) and 6 (presentation) are usually ‘rolled up’ into Layer 7. That’s not to say that session and presentation functions don’t exist, just that they are handled by the application protocol or the libraries it uses rather than by separate layers.
Now, all that is not to say that the OSI model has no use at all. For someone completely new to networking—who won’t be responsible for development or maintenance—the OSI model does a reasonable job of explaining how networks fit together, particularly in the physical world. It can also be helpful from a cybersecurity perspective, as it helps people understand which part of the network a specific threat targets.
However, from a more technical perspective, the OSI model has a number of issues—and it could be argued that teaching modern network infrastructure might be easier if OSI were left out.
For a more in-depth discussion on why the OSI model is or isn’t accurate, here’s some further reading:
The OSI Model is a Lie by Robert Graham >>
Response: The OSI Model Is a Lie by Ivan Pepelnjak >>