The Seven Layer OSI Model

The Open Systems Interconnection (OSI) Reference Model consists of seven layers that define how different protocols are used to transmit data from machine to machine. The International Standards Organization (ISO) created this model in the early 1980s. It is used to define how a variety of different protocols can communicate in a standard way to ensure interoperability between different types of networks. Without the OSI model, it is likely that there would be a variety of different types of networks, each able to communicate only with networks of its own type and not with any other.

The seven layers of the OSI model are

  • Layer 1 - Physical

  • Layer 2 - Data Link

  • Layer 3 - Network

  • Layer 4 - Transport

  • Layer 5 - Session

  • Layer 6 - Presentation

  • Layer 7 - Application

A graphical depiction of the seven layers can be seen in Figure 7.1. Each layer of the OSI model is dependent on the layer below it to provide information so that the data can be transformed into a format that users can interpret.


Figure 7.1: The Path a Data Packet Takes as it Travels from Computer A to Computer B

As the data travels from Computer A to Computer B, it is encapsulated at each layer until it finally reaches the Physical layer and the data packet is passed across the physical medium. The process of encapsulation can be thought of as a wrapping technique. Imagine starting with a small ball of foil at the Application layer. As the ball of foil is passed down to each layer, another sheet of foil is wrapped around the original ball. The result is a larger ball than the one you started with. The data packet then travels back up the OSI model, being unwrapped at each level until it reaches the Application layer on Computer B. With this model, the data packet is exactly the same at the Application layer on each machine regardless of what operating system each is running.
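To make the foil-ball analogy concrete, the following added example (not from the study guide) wraps a few bytes of application data in minimal TCP, IPv4 and Ethernet headers on the way down the stack and unwraps them on the way up; the MAC and IP addresses are constructed placeholders, and checksums are left at zero because nothing is put on a wire.

```python
import struct

# Constructed placeholders (not from the study guide): locally administered MACs,
# documentation-range IPs, and a client port talking to the web port.
SRC_MAC = bytes.fromhex("02000000000a")           # Computer A
DST_MAC = bytes.fromhex("02000000000b")           # Computer B
SRC_IP = bytes([192, 0, 2, 10])
DST_IP = bytes([192, 0, 2, 11])
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def wrap_transport(payload: bytes, sport: int, dport: int) -> bytes:
    """Layer 4: prepend a minimal 20-byte TCP header (seq/ack/checksum zeroed, PSH+ACK set)."""
    # sport, dport, seq, ack, data offset (5 words << 4), flags, window, checksum, urgent
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload


def wrap_network(segment: bytes) -> bytes:
    """Layer 3: prepend a minimal 20-byte IPv4 header (no options, checksum zeroed)."""
    # ver/IHL, TOS, total length, id, flags/frag, TTL, protocol, checksum, src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0, 0, 64,
                       IPPROTO_TCP, 0, SRC_IP, DST_IP) + segment


def wrap_link(packet: bytes) -> bytes:
    """Layer 2: prepend a 14-byte Ethernet II header (dst MAC, src MAC, EtherType)."""
    return DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4) + packet


def encapsulate(app_data: bytes, sport: int, dport: int) -> bytes:
    """Going down the stack on Computer A: one more wrapper at each layer."""
    return wrap_link(wrap_network(wrap_transport(app_data, sport, dport)))


def decapsulate(frame: bytes) -> dict:
    """Going up the stack on Computer B: strip one wrapper per layer, recording what each saw."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("Layer 2: not an IPv4 frame")
    packet = frame[14:]
    ver_ihl, _, total_len, _, _, ttl, proto, _, src_ip, dst_ip = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4 or proto != IPPROTO_TCP:
        raise ValueError("Layer 3: not an IPv4/TCP packet")
    segment = packet[(ver_ihl & 0x0F) * 4:total_len]   # honour IHL and drop any trailer
    sport, dport, _, _, offset, flags, _, _, _ = struct.unpack("!HHIIBBHHH", segment[:20])
    payload = segment[(offset >> 4) * 4:]               # honour the TCP data offset
    return {
        "layer2": (mac_str(src_mac), mac_str(dst_mac)),
        "layer3": (".".join(map(str, src_ip)), ".".join(map(str, dst_ip)), ttl),
        "layer4": (sport, dport, flags),
        "layer7": payload,
    }


def round_trip(app_data: bytes, sport: int = 40000, dport: int = 80) -> bool:
    """The Application-layer data must be byte-identical on both machines."""
    return decapsulate(encapsulate(app_data, sport, dport))["layer7"] == app_data
```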

The OSI reference model is a layered approach to computer networking. It allows different processes to function at different layers of the model to provide uniform communication between computers. Computer security is similar to the OSI model in that it should be layered. If you understand the OSI model, you will understand that you cannot simply protect the Application layer with an antivirus program and expect your network to be safe from attack. As you look at each layer in more detail, keep in mind how each layer is vulnerable to different types of attacks and how they can be protected. Only through a layered security approach can you expect to have a secure network.

Exam Warning 

The SSCP exam expects you to know the different layers of the OSI model and how they relate to layered security. You should know at what layer specific protocols and devices reside. If you can name what layer a protocol or device is at, it should be easier to name what OSI layer a specific network attack occurs at.

For example, as seen in Figure 7.1, Internet Protocol (IP) resides at the Network layer. So, if you were asked at what level an IP spoofing attack occurs, you would relate IP spoofing to IP and thus to the Network layer.

Layer One: Physical Layer

The Physical layer defines how data is passed across a network at the electrical, physical, and mechanical level. At this layer, actual bits are being passed across a medium as a physical electrical signal. Physical items at this layer are cabling mediums and low level networking devices, which are described in the following sections. The security risks associated with the Physical layer relate to some type of physical action such as wire tampering or power disruption. At this layer, the security administrator should guard against attackers having access to their physical wiring. In many organizations, the wiring is very insecure. An intruder cutting wires in an easily accessible location could cause significant network disruption and result in lost productivity. This is also the layer where an attacker will tap into a wire. The act of wire-tapping allows an intruder to intercept the physical signal and interpret it to extract information that is being passed across a network. If security is a primary concern, the administrator should consider shielding network cables and keeping physical locations such as wiring areas secured.

If a device can be physically touched and is used to transmit data, it is most likely located at the Physical level. Some examples of items located at this layer are:

  • Wireless Ethernet radio waves

  • Twisted-pair copper cable

  • Coaxial cable

  • Fiber-optic cable

  • Hubs and Switches

  • Repeaters

These devices are explained more fully in the following sections.

Exam Warning 

Questions on the test regarding the Physical layer may have concerns about secure versus insecure communications media. You should remember that the most secure type of cabling for a network is fiber optics because it is very hard to physically tap into the cable. The most insecure physical network medium is wireless networking, or Institute of Electrical and Electronic Engineers (IEEE) 802.11.

Wireless Ethernet Radio Waves

This is the newest network medium defined by the IEEE 802.11 standard. The original 802.11 standard allows data transmission speeds of 1 or 2 Mbps and uses the 2.4 GHz band radio frequency. The 802.11a standard provides transmission speeds of up to 54 Mbps and uses the 5 GHz band radio frequency. The 802.11b standard is probably the most popular rendition of the original standard, and provides speeds of 11 Mbps and fallback speeds of 5.5 Mbps, 2 Mbps, and 1 Mbps. 802.11b uses the 2.4 GHz band radio frequency.

Twisted-Pair Copper Cable

A twisted-pair copper cable is a cable that resembles a large phone cable. It is the most common form of cabling used in today's networks. The physical connection for twisted pair is called an RJ-45. Twisted-pair cabling can be either a straight-through cable or a crossover cable. Both types of cable have eight individual wires that are inserted into an RJ-45 connector at each end of the cable. Each wire is associated with a given pin. The pins are numbered 1 through 8 on the RJ-45 connector.

In a straight-through cable, each individual wire is in the same pin position on both ends of the twisted-pair cable. For example, pins 1 through 8 will look the same on the RJ-45 connectors at both ends of the cable. This type of cable is used for standard connections such as a computer connected to a hub.

A crossover cable is a bit more complicated. With this type of cable, one end will have the same pin order as a straight-through cable, while at the other end the pins are in a different order. The wire that is connected to pin 1 on the first end of the cable will be inserted into pin 3, the wire in pin 2 will go to pin 6, pin 3 to pin 1, pin 4 to pin 4, pin 5 to pin 5, pin 6 to pin 2, pin 7 to pin 7, and pin 8 to pin 8. A crossover cable can be used to connect two PCs directly together without using a device such as a hub or switch.

Coaxial Cable

Coaxial cable is like a standard cable TV cable and is commonly used to connect a bus topology network. Coaxial (or coax) cable is an older type of cabling that has several different varieties. These cables are used for cabling televisions, radio sets, and computer networks. The cable is referred to as coaxial because both the center wire and the braided metal shield share a common axis, or centerline. There are a large number of different types of coax cable in use today, each designed with a specific purpose in mind. That said, many types of coax designed for a specific purpose cannot be used for something else.

Coax cabling, which can be either thinnet or thicknet, is one of the most vulnerable cabling methods in use. Due to its design, it is very unstable and has no fault tolerance.

Thinnet

Thinnet (thin coax) looks similar to the cabling used for a television's cable access connection. Thinnet coax cabling that meets the specifications for computer networking is of a higher quality than that used for television connections, so they are not interchangeable. The cable type used for thinnet is RG-58 and is specifically designed for networking use. RG-58 has a 50-ohm resistance, whereas television cables are of type RG-59 and have a 75-ohm resistance. Due to the way thinnet transceivers work (as a current source rather than a voltage source), the signal going across RG-59 cable is completely different from a signal going across an RG-58 cable.

Connections between cable segments or to computer systems are accomplished using a T-connector on each network interface card (NIC), which allows technicians to add an extra cable to the segment. In addition to having T-connectors, both ends of a thinnet cable segment must have a terminator, and one end of the segment must be grounded. A terminator is basically a 50-ohm resistor with a Bayonet Neill Concelman (BNC) connector. BNC connectors are the connectors used on the end of thinnet cables. These connectors allow the cables to be easily connected to T-connectors or barrel connectors. T-connectors are used to add a cable to an existing segment and connect a device to the segment, whereas barrel connectors are used to connect two coax cables together to form one cable.

Thicknet

Thicknet (thick coax) cabling is twice as thick in diameter as thinnet and much stiffer and more difficult to work with. This is an older style of cabling (type RG-8) that is generally used with IBM hardware. Attaching computers to thicknet cable segments is done by using a vampire tap to cut through the plastic sheath to make contact with the wires within. A transceiver with a 15-pin adapter unit interface (AUI) is connected to the vampire tap and the NIC is attached to the transceiver with a transceiver cable. Thicknet cables are similar to thinnet cables in that they require a 50-ohm terminator on both ends of the segment, with one end grounded.

Fiber-Optic Cable

Fiber-optic cable passes light photons across joined fiber segments. These cables are typically used to connect LANs together to create a high-speed WAN connection. Fiber-optic cable (referred to as fiber) is the latest and greatest in network cabling. Fiber is basically a very thin piece of glass or plastic that has been stretched out and encased in a sheath. It is used as a transport medium, not for electrons like the copper cable used in coax or unshielded twisted pair (UTP)/shielded twisted pair (STP), but for photons. In other words, fiber-optic cables transport light. An optical transmitter is located at one end of the cable with a receiver at the other end. With this in mind, it takes a pair of fiber-optic lines to create a two-way communication channel.

Fiber has many advantages over coax and UTP/STP. It can transfer data over longer distances at higher speeds. In addition, it is not vulnerable to electromagnetic interference (EMI)/radio frequency interference (RFI) because there is nothing metallic in the fiber to conduct current, which also protects it from lightning strikes. Unlike coax and UTP/STP, fiber cannot be eavesdropped on by typical means: an intruder would have to actually cut the line and tap in with a highly complex form of optical T-connector, and the attempt creates a noticeable outage.

The complexity of making connections using fiber is one of its two major drawbacks. Remember that these cables carry light, which makes them rather unforgiving. The connection has to be optically perfect or performance will be degraded or the cable may not work at all. The other major drawback is cost. Fiber is much more expensive than coax or UTP/STP, not only for the cable, but also for the communications equipment. When dealing with optical equipment, costs usually at least double or triple.

Exam Warning 

The SSCP exam expects you to know about the advantages and disadvantages of this type of network media. You will also need to know how fiber compares and contrasts with coax and UTP/STP. Generally, fiber is used in data centers or for runs between buildings, and UTP cabling is used for connections to users' workstations.

Hubs and Switches

A hub is a physical network device that allows multiple network systems and/or devices to interconnect in one location. When one system or device plugged into the hub sends information to another, any other system or device plugged into that same hub is capable of listening to or monitoring the transaction of information. Switches are also networking devices that connect network equipment together, but unlike hubs, switches maintain independent pathways for communication from each device to the other devices plugged into them. As such, no other device is able to receive a copy of the information sent from one device to another. However, there are methods that allow an attacker to do so anyway, which we will cover in Chapter 8.

Switches can operate at Layers 1 through 4. At Layer 1, a switch is responsible for physically creating the network pathways from one system to another. At Layer 2, switches operate using the Media Access Control (MAC) addresses of network cards to route packets to the correct port. Layer 3 switches (sometimes called route-switches) are closer in function to routers, and operate by forwarding packets with select criteria to specific IP addresses. Layer 4 switches can be likened to some proxy firewall functions, in that they will forward data on specific ports or using specific protocols to the specified port on the switch.

Switches offer a greater efficiency of use than hubs due to the individual pathways from each port. This eliminates the issue of packet collisions. A packet collision occurs when two or more packets are sent across a hub at the same time. When many systems are on a hub and are attempting to communicate simultaneously, a large number of collisions can occur. This can significantly slow down the overall performance of a network.

Switches offer greater network security than hubs by controlling the amount of data that can be gathered by sniffing on the network. With a hub, all data going across the network is sent to all ports on the hub. This means that any system connected into the hub can have a sniffer attached in order to collect all of the data going to all of the systems connected to the hub. This can give an attacker access to passwords, confidential data, and further insight into network configurations. With a switch, each connection is given a direct path to its destination, which has the side effect of blocking communications and relevant data from systems passively sniffing on the network.

Repeaters

A repeater is used to regenerate and pass on a signal to guard against a signal getting weaker as it travels over long distances. A repeater is basically a signal booster.

Layer Two: Data Link Layer

The Data Link layer is responsible for reliable transmission of data across a network. The MAC address is located at this layer. Address Resolution Protocol (ARP) is also located at this layer.

Every device on a network must have a unique MAC address. Manufacturers typically hard code the MAC address into the device. If there are conflicting MAC addresses on a network, data will not be transmitted reliably. There is software available to allow you to define the MAC address of your specific NIC. This is one method that is used to allow a person to sniff data even when the network is using a switch.

ARP is the protocol used to allow devices to locate the MAC address of other network devices. This is the layer that takes the IP request covered in the Network layer and converts it to its physical network address.

This layer makes it possible to eavesdrop on traffic passing across a switched network. If an attacker can alter the ARP cache of a switch, the attacker can cause traffic intended for one computer to be directed to the attacker's machine first. The attacker's computer can then forward the packets to the intended destination so that there is no evidence of the data being intercepted.
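One way a defender notices the ARP manipulation just described is to watch ARP replies for an IP whose MAC suddenly changes, or for one MAC that answers for several IPs. The following is an added example, not from the study guide, run over a constructed reply log; all addresses are placeholders.

```python
from collections import defaultdict

# Constructed ARP reply log (not from the study guide): (seconds, sender IP, sender MAC).
# 192.0.2.1 is the gateway; the MAC ending in :ee belongs to the intruder's card.
ARP_REPLIES = [
    (0, "192.0.2.1", "02:00:00:00:00:01"),
    (1, "192.0.2.10", "02:00:00:00:00:0a"),
    (2, "192.0.2.11", "02:00:00:00:00:0b"),
    (30, "192.0.2.1", "02:00:00:00:00:ee"),   # intruder now answers for the gateway
    (31, "192.0.2.10", "02:00:00:00:00:ee"),  # ...and for a workstation, to sit in between
    (60, "192.0.2.1", "02:00:00:00:00:01"),   # real gateway answers again: a flip-flop
]


def audit_arp(replies):
    """Alert on an IP whose MAC changes, and on one MAC answering for more than one IP."""
    ip_to_mac = {}
    ips_by_mac = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append((ts, "changed", ip, previous, mac))
        ip_to_mac[ip] = mac
        if ip not in ips_by_mac[mac]:
            ips_by_mac[mac].add(ip)
            if len(ips_by_mac[mac]) > 1:      # same card claiming a second address
                alerts.append((ts, "multi-ip", mac, tuple(sorted(ips_by_mac[mac]))))
    return alerts


def suspect_macs(alerts):
    """MACs that both took over someone's IP and claim several IPs at once."""
    took_over = {a[4] for a in alerts if a[1] == "changed"}
    multi = {a[2] for a in alerts if a[1] == "multi-ip"}
    return sorted(took_over & multi)
```

A legitimate gateway replacement also shows up as a single "changed" alert, so the combined test in suspect_macs is what separates a hardware swap from a host quietly inserting itself.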

A form of data encryption called link encryption is implemented at this layer. Using link encryption, all data going across the network is encrypted transparently to the end user. The drawback of link encryption is that the data is encrypted and decrypted at each node it passes through on the network. It is therefore important to make sure every device on the network supports the same type of link encryption. Also note that the header information of the packet is not encrypted using link encryption.

Layer Three: Network Layer

The Network layer is responsible for routing packets on the network between systems and forwarding them to the appropriate destination. This layer controls the flow of data across the network.

In a packet-switched network, a message is broken up into individual packets and forwarded to the destination using the best route for each packet. The packets are then reassembled at the receiving end to recreate the original message. This is beneficial because, due to network congestion, the best route for each packet could change at any moment.

IP operates at this layer. This allows traffic to be reliably transmitted through the best possible route to give the end user the fastest and most reliable connection. You can view how routing works by using the tracert command in Windows (or traceroute in UNIX). tracert is a command that sends a packet to the destination and allows you to see what path the packet took to reach the destination. If tracert is run from a few different Internet Service Providers (ISPs), the packets will likely take different routes each time tracert is run.

Routers are the main type of device that use the Network layer to send data to the appropriate destination. Access Control Lists (ACLs) can also be implemented at this layer, to reject traffic or protocols from a specific source.

There are several protocols that are located at the Network layer. Internet Control Message Protocol (ICMP) is a protocol closely associated with IP. It is used to handle errors at the Network layer. A common place ICMP is seen is when using the ping utility. Interior Gateway Protocol (IGP) is also located at the Network layer. IGP is a protocol used by routers. The two protocols that IGP encompasses are Routing Information Protocol (RIP) and Open Shortest Path First (OSPF).

Layer Four: Transport Layer

The Transport layer can be thought of as a glue layer that helps both the top and bottom layers function together. This layer helps the Application, Presentation, and Session layers communicate with each other while hiding the complexities of the lower layers. This layer also helps the Network layer with some of the reliability functions of the network. This layer involves packet sequencing, which helps the Network layer with packet rebuilding after packets have been disassembled. This layer also involves error and data flow control.

Protocols located at this layer are Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). TCP is a connection-oriented protocol that provides reliable communication between devices. It is used for transmissions such as file transfer where it would not be acceptable to lose any of the packets. UDP is a connectionless protocol that is faster than TCP but does not provide the same type of reliability that TCP does. It is used for communications such as streaming audio or video where it is not as important if a small part of the data does not make it to the destination.

The TCP handshake occurs at this layer. This is the process by which a reliable connection is established between systems. When Device X wants to open a connection with Device Z, it sends a Synchronize (SYN) request to Device Z. Device Z then answers the original SYN request with a SYN/Acknowledge (ACK) packet. In other words, it sends its own SYN request together with an ACK of Device X's request. Device X then sends an ACK message to Device Z to verify that it received Device Z's SYN, and the TCP connection is established. A graphical representation of the process can be seen in Figure 7.2.

Figure 7.2: A Complete TCP Handshake; A Connection with the Server is Opened and Logged

Port scans take place at the Transport layer. An attacker uses a port scanner to determine what ports a server is listening on. The attacker can then use that information to look for vulnerabilities in the services using the open ports. Port scans are very easy to detect because a legitimate device is unlikely to ever try to establish a connection with every port on a server.

A stealth port scan, known as a SYN scan, is harder to detect than a direct connect port scan because it never completes the TCP handshake and thus is usually not logged by the server itself. An example of how SYN scan works can be seen in Figure 7.3. The attacker cuts off the connection right before it is established by not sending the final ACK packet to the server. Nmap, available at www.insecure.org, is a common port scanner used by attackers.

Figure 7.3: A SYN Scan does not Complete the TCP Handshake

Exam Warning 

A port scan is the process of an attacker checking to see what services are listening on a server. If a service is listening, the attacker can then concentrate on ways to exploit the service that is on that port. This has been likened to checking all the doors and windows on a house to see if any are unlocked. A port scan is usually an opportunistic attack. This means that an attacker will usually scan hundreds or thousands of computers looking for a specific port and a specific vulnerability. Some common ports are:

Port 21 - FTP
Port 22 - Secure Shell (SSH)
Port 23 - Telnet
Port 25 - Simple Mail Transfer Protocol (SMTP)
Port 80 - Hypertext Transfer Protocol (HTTP)
Port 110 - Post Office Protocol 3 (POP3)
Port 443 - Secure Sockets Layer (SSL)

A comprehensive list of common services and their related ports can be found in /etc/services in a standard *nix (UNIX, Linux, etc) and in windows\system32\drivers\etc\services or winnt\system32\drivers\etc\services in Microsoft Windows.

The SSCP exam will likely have questions regarding different ports, so it would be beneficial to know the ports and their services.

A FIN scan is another type of common port scan used. This type of scan sends a specially crafted packet with the FIN flag set. The FIN flag is normally used when closing a connection. The receiving machine will usually reply back with a reset (RST) packet if the port is open. A common problem with the FIN scan is that it does not return consistent results across different hosts. Another common port scan is a TCP XMAS scan. This type of scan uses a combination of the FIN, URG, and PUSH flags set on a packet to attempt to detect open ports without being detected.
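Pulling together the handshake, the half-open SYN scan, the port list and the FIN/XMAS probes above, here is an added detection example (not from the study guide) that replays a constructed packet log through a small handshake state machine, flags a source with many handshakes that were answered but never completed, labels the ports from an /etc/services-style excerpt, and separately notes packets with the FIN-only or FIN+URG+PSH flag combinations; all addresses, ports and the threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed excerpt in /etc/services format (the real file is much longer).
SERVICES_TEXT = """\
# service-name  port/protocol  [aliases]
ftp      21/tcp
ssh      22/tcp
telnet   23/tcp
smtp     25/tcp   mail
http     80/tcp   www
pop3     110/tcp
https    443/tcp
"""

# Constructed packet records as a sensor might log them (not from the page):
# (seconds, src IP, src port, dst IP, dst port, TCP flags as letters S A F R P U).
PACKETS = [
    # Device X (192.0.2.10) completing a normal handshake with the server (192.0.2.20)
    (0.00, "192.0.2.10", 40001, "192.0.2.20", 80, "S"),
    (0.01, "192.0.2.20", 80, "192.0.2.10", 40001, "SA"),
    (0.02, "192.0.2.10", 40001, "192.0.2.20", 80, "A"),
    (0.03, "192.0.2.10", 40001, "192.0.2.20", 80, "PA"),
    # 198.51.100.7 SYN-scanning the server: open ports answer SYN/ACK, the final ACK never comes
    (5.00, "198.51.100.7", 50001, "192.0.2.20", 21, "S"),
    (5.01, "192.0.2.20", 21, "198.51.100.7", 50001, "RA"),   # closed port: reset
    (5.02, "198.51.100.7", 50002, "192.0.2.20", 22, "S"),
    (5.03, "192.0.2.20", 22, "198.51.100.7", 50002, "SA"),
    (5.04, "198.51.100.7", 50002, "192.0.2.20", 22, "R"),    # scanner tears the half-open down
    (5.05, "198.51.100.7", 50003, "192.0.2.20", 25, "S"),
    (5.06, "192.0.2.20", 25, "198.51.100.7", 50003, "SA"),
    (5.07, "198.51.100.7", 50004, "192.0.2.20", 80, "S"),
    (5.08, "192.0.2.20", 80, "198.51.100.7", 50004, "SA"),
    (5.09, "198.51.100.7", 50005, "192.0.2.20", 443, "S"),
    (5.10, "192.0.2.20", 443, "198.51.100.7", 50005, "SA"),
    # the same host sending an XMAS probe (FIN+URG+PSH) and a bare FIN probe
    (6.00, "198.51.100.7", 50006, "192.0.2.20", 110, "FPU"),
    (6.01, "198.51.100.7", 50007, "192.0.2.20", 23, "F"),
]


def parse_services(text):
    """Map (port, protocol) -> service name from /etc/services-style lines."""
    names = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        name, port_proto = line.split()[:2]
        port, proto = port_proto.split("/")
        names[(int(port), proto)] = name
    return names


def analyze(packets, services, threshold=3):
    """Track each TCP handshake; report sources with many half-open flows and odd flag combos."""
    flows = {}        # (client, cport, server, sport) -> handshake state
    anomalies = []
    for ts, src, sport, dst, dport, flags in packets:
        fwd = (src, sport, dst, dport)   # packet in the client -> server direction
        rev = (dst, dport, src, sport)   # packet in the server -> client direction
        if all(f in flags for f in "FPU") and "A" not in flags:
            anomalies.append((ts, src, dport, "xmas"))
        elif flags == "F" and flows.get(fwd) != "established":
            anomalies.append((ts, src, dport, "fin-probe"))
        if fwd in flows or (rev not in flows and "S" in flags and "A" not in flags):
            state = flows.get(fwd)       # client side: SYN opens, ACK completes, RST aborts
            if state is None:
                flows[fwd] = "syn"
            elif state == "synack" and "R" in flags:
                flows[fwd] = "aborted"
            elif state == "synack" and "A" in flags:
                flows[fwd] = "established"
        elif rev in flows:
            state = flows[rev]           # server side: SYN/ACK answers, RST refuses
            if state == "syn" and "S" in flags and "A" in flags:
                flows[rev] = "synack"
            elif state == "syn" and "R" in flags:
                flows[rev] = "closed"
        # packets with no handshake context (the FIN/XMAS probes) change no flow state
    sources = defaultdict(lambda: {"established": 0, "closed": 0, "half_open": []})
    for (src, _, _, dport), state in flows.items():
        if state in ("established", "closed"):
            sources[src][state] += 1
        else:                            # syn / synack / aborted: handshake never completed
            sources[src]["half_open"].append((dport, services.get((dport, "tcp"), "unknown")))
    alerts = [(src, sorted(s["half_open"])) for src, s in sources.items()
              if len(s["half_open"]) >= threshold]
    return {"alerts": alerts, "anomalies": anomalies, "sources": dict(sources)}
```

Note that the half-open count, not the flag check, is what catches the SYN scan: each port the scanner probed was answered with SYN/ACK exactly as in Figure 7.3, and the server itself would have logged nothing.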

Internet Protocol Security (IPSec) is used to create an encrypted connection between two devices. It is used to establish a secure connection for data transmission called a VPN. Since IPSec encrypts IP traffic, it is employed at the transport layer. Packet-filtering firewalls function at this layer as well as at layers 2 and 3. A packet-filtering firewall is a firewall that examines the source and destination of a packet and can deny certain packets access to the internal network.

Layer Five: Session Layer

The Session layer is responsible for establishing the connection between two devices, transferring the data, and releasing the connection. At this layer, the data is formatted so that it can be transferred between the two devices. The Session layer also selects the appropriate network service that will be used to establish the connection.

The Session layer uses three different methods to transfer the data. Simplex allows data to move in one direction. This allows data to be sent, but does not allow a response to the data sent. This would be useful if a user were to use the Windows 2000 Net Send command to send a message to another computer on the network. Another method the Session layer uses is half-duplex, which enables data to flow in two directions, but in only one direction at a time. This allows for data to be sent and for the receiving computer to respond to the data, but it is not very efficient since data can only travel one way at a time. The third method used is full-duplex, which allows data to be sent in both directions simultaneously. This method is more efficient than half-duplex because, if there is an error or anything else that requires action by the receiving device, it does not have to wait for the entire data transmission to finish before replying. This method is also the most complicated.

Three phases are involved when the Session layer establishes a connection. First, the device that begins the session defines the rules or network service that will be used to transfer the data. For both devices to know how to speak with each other and detect errors, a common network service must be selected that both devices are compatible with. Second, after each device agrees on the network service to be used, the data transmission begins. The third phase is when the data transmission is finished and the connection is terminated.

The following are some examples of session layer protocols:

  • Network File System (NFS) protocol allows users to view network disks and have them seem as if they were on the local machine.

  • X11 is a protocol that uses a client/server model to draw a graphical interface for local or network applications.

  • Remote Procedure Call (RPC) is a client/server model used for network services.

Layer Six: Presentation Layer

The Presentation layer's main responsibility is to make sure that data is formatted in a common method that can be read by the Application layer and passed down to the Session layer. This layer receives data from the Application layer and makes sure that it is in the proper format before sending it to the Session layer. If it is not in the proper format, it converts that data to the proper format. These steps of verifying the format of the data and converting it if necessary are performed the same way when data is going up the OSI model from the Session layer through the Presentation layer to the Application layer.

This layer also functions as a translator for text and data-character representations such as Extended Binary-Coded Decimal Interchange Mode (EBCDIC) or the better-known American Standard Code for Information Interchange (ASCII). Data compression and decompression are two other functions associated with this layer.

Data encryption such as end-to-end encryption takes place at this layer. With end-to-end encryption, the data is encrypted before it is sent, and decrypted when it is received. Using this type of encryption, the lower layers on the OSI model are not even aware that the data was encrypted.

Some of the common formats associated with the Presentation layer are the following:

  • Joint Photographic Experts Group (JPEG) format is a common graphics format.

  • Musical Instrument Digital Interface (MIDI) is a format used for digital music.

  • Motion Picture Experts Group (MPEG) is a standard for compressing and encoding digital video.

  • Tagged Image File Format (TIFF) is another common graphics format.

  • Graphics Interchange Format (GIF) is yet another graphics format.

Layer Seven: Application Layer

The Application layer provides a standard interface to interact with the data. This is the highest layer in the OSI model and is responsible for providing a common user interface.

This layer should not be confused with an actual application such as Microsoft Internet Explorer or Netscape. This layer does, however, provide HTTP, which formats the data in a common manner so that the output looks similar in both Internet Explorer and Netscape.

The following are some other Application layer protocols:

  • File Transfer Protocol (FTP) is used to transfer files across a data network.

  • Simple Mail Transfer Protocol (SMTP) is used to transfer mail between different types of servers.

  • Trivial File Transfer Protocol (TFTP) is a simpler form of FTP.

  • Simple Network Management Protocol (SNMP) is a set of protocols used to manage complex networks.

This is probably the most common layer exploited for security vulnerabilities. For example, a fairly recent vulnerability allowed an attacker to perform a Denial of Service (DoS) attack on many pieces of equipment that had SNMP enabled. The CERT advisory can be found at www.cert.org/advisories/CA-2002-03.html.

Exam Warning 

On exam day, remember that most major security vulnerabilities do not stem from protocols that reside at the Application layer. Most major vulnerabilities are caused by the software applications that interface with the protocols at the Application layer.



SSCP Systems Security Certified Practitioner Study Guide
SSCP Study Guide and DVD Training System
ISBN: 1931836809
Year: 2003
Pages: 135
