Understanding the layers of the OSI (Open Systems Interconnection) model is key to successfully troubleshooting and resolving security issues. The seven layers – Application, Presentation, Session, Transport, Network, Data Link and Physical – each relate to a different part of network communication, and security risks exist up and down the stack.
Physical Layer
A good starting point for troubleshooting network issues is the physical layer, and it is the logical starting point for security as well. Layer 1 consists of the cables, hubs, modems and wireless access points. These resources need to be physically locked down, because anyone who can touch a cable or a port can tap or disrupt it. Depending on the sensitivity of the data, measures such as biometric readers, PIV (personal identity verification) cards, security cables and locks should be used. Training employees to recognize and resist social engineering is equally important, since talking one's way into the server room bypasses every lock.
Data Link Layer
The data link layer includes ARP, PPTP, STP, switches, frame relay and error detection. Switches are smart devices that learn which MAC (Media Access Control) address, the unique identifier burned into each network adapter (NIC), is reachable through each port, and forward frames only to that port instead of flooding them the way a hub does. ARP (Address Resolution Protocol) maps an IP address to the MAC address that frames for it must be sent to. Typing arp -a at a Windows command prompt lists the local ARP cache, matching the IP addresses the host has recently talked to with their corresponding MAC addresses. Because ARP has no authentication, any host on the segment can answer for any IP address; this is the basis of ARP spoofing, and the usual sign of it in the cache is the gateway's MAC address changing unexpectedly or two IP addresses sharing one MAC.
If a user complains of an unstable network connection, SSH (an application layer protocol) into the switch, for instance a high-end HP switch, and look at the port counters. CRC (cyclic redundancy check) errors on a port usually mean a damaged cable or a connector that is not seated securely in the port on the computer or the switch. The resolution is to replace the Cat 6 cable or at least re-terminate the connector. The error detection at this layer saves a great deal of time in resolving physical layer issues, because the counters point at the specific port.
A particular weakness of the data link layer is its dependence on a loop-free topology. Without STP (spanning tree protocol), a redundant link between two switches creates a bridging loop: broadcast frames circulate indefinitely (a broadcast storm) and MAC address tables flap between ports. STP prevents this by electing one root bridge, computing a spanning tree from it and putting the redundant ports into a blocking state. (Collisions are a separate issue of half-duplex shared media and hubs; full-duplex switched links do not have them.) A spanning tree attack abuses the fact that switches trust any BPDU (Bridge Protocol Data Unit) they receive: an attacker's host sends forged BPDUs advertising a better bridge priority, is elected root, and forces the topology to reconverge so that traffic is switched through the attacker or the network churns through repeated recalculations. The fix is to stop trusting BPDUs on user-facing ports, with features such as BPDU Guard (disable a port that receives a BPDU) and Root Guard (refuse a new root through that port), rather than repairing the topology after the fact.
Network Layer
The network layer has a very important job of moving data from point A to point B. Routers operate on the network layer. Routing is defined as the process of moving information across an internetwork like the Internet, from source to destination. The method involves two basic activities: determination of the best, or optimal, routing paths and the transport of data packets through the internetwork.
Routers regularly exchange network topology information with each other via one or more routing protocols. With the information thus obtained, each router can independently compute the “best” route, or path, through the network that any given packet should take to a given destination. Depending on the requirements of the network administration and the routing protocol being used, paths may be optimized for minimum number of hops, lowest delay, highest bandwidth, or other factors.
Each time a router receives a packet, it consults its routing table to determine the current best path from itself to the destination network, choosing the most specific (longest-prefix) matching route. It then transmits the packet on the appropriate link towards the next router, which consults its own routing table and forwards the packet again toward its destination.
Routes can be installed either statically or dynamically. Static routing is the simplest to implement and remains common for default routes and small networks, but it offers only one fixed choice for every routing decision. Because static routes cannot react to topology or traffic changes, they are a poor fit for large, constantly changing networks.
Unlike static routing, dynamic routing algorithms adjust, in real time, to changing network circumstances. They accomplish this by analyzing the incoming routing update messages. If the message indicates that a network change has occurred, the routing software recalculates routes and sends out new routing update messages. These messages permeate the network, causing the other routers to rerun their algorithms and update their tables.
Dynamic routing allows a routing decision to be influenced by external factors such as link availability, network load and policy. BGP (Border Gateway Protocol) is the dynamic routing protocol that exchanges reachability information between autonomous systems on the Internet.
IP address spoofing is possible at this layer. IP performs no validation of the source address in a packet header, so a sender can put any address there; this is relatively easy to do and is the basis of many denial-of-service and amplification attacks. The standard mitigation is ingress filtering (BCP 38): a router drops packets whose source address could not legitimately have arrived on the interface they came in on, a check that unicast reverse-path forwarding (uRPF) automates by looking the source address up in the routing table.
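As an added example that is not part of the original article, the Python below implements the two ideas from this section together: a forwarding table consulted by longest-prefix match for each packet, and a strict uRPF check that drops a packet when the best route back to its source address does not point out the interface the packet arrived on. The routes, interface names and packet addresses are constructed for the example, and the behaviour is a simplified model of what a real router does, not code from any router vendor.

```python
import ipaddress


class Router:
    """Minimal forwarding table with longest-prefix match and a strict
    reverse-path-forwarding (uRPF) check on the source address."""

    def __init__(self):
        self.routes = []  # list of (network, next_hop, out_interface)

    def add_route(self, prefix, next_hop, iface):
        self.routes.append((ipaddress.ip_network(prefix), next_hop, iface))

    def lookup(self, addr):
        """Return (next_hop, iface) for the most specific matching prefix, or None."""
        addr = ipaddress.ip_address(addr)
        best = None
        for net, nh, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh, iface)
        return None if best is None else (best[1], best[2])

    def forward(self, src, dst, in_iface):
        """Decide what happens to a packet that arrived on `in_iface`.
        Returns 'drop:spoof' if the source fails strict uRPF, 'drop:noroute'
        if the destination is unreachable, otherwise the forwarding decision."""
        # Strict uRPF: the best route back to the source must leave through the
        # interface the packet came in on. A packet from the LAN that claims an
        # Internet source, or one from the WAN that claims a LAN source, fails here.
        back = self.lookup(src)
        if back is None or back[1] != in_iface:
            return "drop:spoof"
        out = self.lookup(dst)
        if out is None:
            return "drop:noroute"
        return f"forward via {out[1]} next-hop {out[0]}"


def build_sample_router():
    """Constructed topology: one LAN, two WAN uplinks, a default route.
    10.10.5.0/24 is a more specific route than 10.10.0.0/16 and must win."""
    r = Router()
    r.add_route("192.168.1.0/24", "direct", "lan0")
    r.add_route("10.10.0.0/16", "10.0.0.2", "wan0")
    r.add_route("10.10.5.0/24", "10.0.0.3", "wan1")
    r.add_route("0.0.0.0/0", "203.0.113.1", "wan0")
    return r


if __name__ == "__main__":
    r = build_sample_router()
    print(r.lookup("10.10.5.7"))                                # ('10.0.0.3', 'wan1')
    print(r.forward("192.168.1.50", "10.10.5.7", "lan0"))        # forwarded
    print(r.forward("203.0.113.99", "10.10.5.7", "lan0"))        # drop:spoof
    print(r.forward("192.168.1.50", "10.10.5.7", "wan0"))        # drop:spoof
```

Strict uRPF is only safe on interfaces with a single path back to every source; on multihomed links where return traffic may legitimately arrive over a different interface, routers offer a loose mode that checks only that some route to the source exists.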
Transport Layer
The transport layer is considered the middle layer. The lower layers focus on connectivity and networking. The upper layers are concerned with software applications. The transport layer helps transmit data from various applications. It acts as a bridge bringing both the lower and upper layers together.
The transport layer provides for end-to-end data transport services and controls the reliability of data transfers along with the quality of the communications. This layer has two very important protocols – TCP (Transmission Control Protocol) and UDP (User Datagram Protocol).
TCP is a connection-oriented, reliable protocol with guaranteed delivery. Transport layer software establishes a logical connection between two systems or applications on request, using the three-way handshake. Data from the application is divided into segments and handed to the network layer for delivery. As segments are sent, TCP tracks transmission errors, lost segments and delivery order: a segment whose checksum fails is discarded, and any segment that the receiver does not acknowledge within the retransmission timeout is sent again.
UDP is very different from TCP. It is connectionless and unreliable: there is no handshake, no acknowledgement and no retransmission, and its checksum only lets the receiver discard a corrupted datagram, not recover it. Nevertheless, UDP is used by many real-time applications such as media streaming, gaming, live chat and VoIP (Voice over IP), where a late packet is useless and the latency added by waiting for retransmissions would be worse than simply losing it. The same lack of a handshake makes UDP the usual vehicle for spoofed-source traffic, since a sender never has to prove it can receive replies.
SSL/TLS is used by browsers and email clients. It protects data from unauthorized disclosure and modification in transit between the client (browser or email application) and the server. In a browser such as Firefox, a closed padlock indicates that the connection to the site was encrypted and that the server presented a certificate the browser could validate, so an intermediary would find it difficult to view or modify the data. The padlock says nothing about whether the site itself is trustworthy, and the protection covers data in transit only, not data at rest on either end. (TLS sits between the transport and application layers; the OSI model has no clean slot for it, and it is also sometimes placed at the session or presentation layer.)
Transport layer vulnerabilities are numerous. Port scanners operate at this level: by probing which TCP and UDP ports respond, an attacker learns which services a host exposes, which is usually the first step in reconnaissance. TCP segments carry sequence numbers, and a session can be hijacked by an attacker who predicts the next sequence number and injects segments that the endpoint accepts as genuine; modern stacks randomize initial sequence numbers to make blind prediction impractical, but an attacker who can observe the traffic does not need to guess. Malware also shows up at this layer, in that trojans and backdoors open listening ports or connect out to command-and-control servers, so an unexpected listening port found by a local check (netstat -an on Windows) is a useful indicator, and antivirus or anti-malware tools are needed to remove the infection.
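Port scans leave a characteristic trace that is easy to detect in firewall logs: one source touching many distinct destination ports on one target in a short time. The Python below is an added example, not from the original article, that runs that detection over constructed log lines in an iptables-like format (the hosts, timestamps and the "fw kernel:" log prefix are all invented for the example). One source probes 25 ports within a few seconds and is flagged; another host that only ever talks to ports 22 and 443 is not.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Fields of a constructed iptables-style log line, e.g.
# 2016-03-01T10:00:00 fw kernel: SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=22 SYN
LOG_RE = re.compile(
    r"^(?P<ts>\S+) fw kernel: SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=TCP SPT=\d+ DPT=(?P<dport>\d+)"
)


def build_sample_log():
    """Constructed log lines (not from a real firewall): one host probes ports
    20-44 in under five seconds, another host talks only to SSH and HTTPS."""
    lines = []
    base = datetime(2016, 3, 1, 10, 0, 0)
    for i, port in enumerate(range(20, 45)):
        ts = (base + timedelta(milliseconds=200 * i)).isoformat()
        lines.append(f"{ts} fw kernel: SRC=203.0.113.5 DST=192.0.2.10 "
                     f"PROTO=TCP SPT={40000 + i} DPT={port} SYN")
    for i in range(20):
        ts = (base + timedelta(seconds=3 * i)).isoformat()
        port = 22 if i % 2 else 443
        lines.append(f"{ts} fw kernel: SRC=198.51.100.7 DST=192.0.2.10 "
                     f"PROTO=TCP SPT={50000 + i} DPT={port} SYN")
    return lines


def detect_port_scans(lines, window=timedelta(seconds=60), threshold=10):
    """Return {(src, dst): distinct_port_count} for every source that touched at
    least `threshold` distinct destination ports on one target within `window`.
    Lines that do not match LOG_RE (ICMP, UDP, unrelated messages) are skipped."""
    events = defaultdict(list)  # (src, dst) -> [(timestamp, dport), ...]
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group("ts"))
        events[(m.group("src"), m.group("dst"))].append((ts, int(m.group("dport"))))

    alerts = {}
    for key, evs in events.items():
        evs.sort()
        start = 0
        # Sliding window over the sorted events; rebuilding the port set each
        # step is O(n^2) in the worst case, which is fine for a log extract.
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) >= threshold:
                alerts[key] = max(alerts.get(key, 0), len(ports))
    return alerts


if __name__ == "__main__":
    for (src, dst), n in detect_port_scans(build_sample_log()).items():
        print(f"possible port scan: {src} -> {dst}, {n} distinct ports in 60s")
```

The threshold and window are the knobs to tune: a slow scan spread over hours will slip under a 60-second window, so a second pass with a much longer window and a higher threshold is a common complement.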
Session Layer
The session layer is responsible for establishing a connection between two applications or networks, managing the connection and releasing or tearing down that connection. Essentially, the layer keeps data flowing between applications or networks and attempts to avoid premature termination of the session.
Domain Name System (DNS) is placed here as well as at the application layer, where it is usually classified. DNS is a distributed database that translates Internet host names into IP addresses. No single server holds all of the names, so a local DNS server that does not have an answer cached recursively queries other servers outside the network, from the root servers down to the server authoritative for the name, or forwards the question to an upstream resolver. The exchanges between these servers must complete reliably for communication on the Internet to work at all.
SQL is also often listed at the session layer, although it is a language for querying and accessing data in a database rather than a protocol. The host issues queries to the database server over a session that must be established, authenticated and maintained for the queries to succeed.
DNS hijacking and session hijacking take place at this level. An attacker redirects a user's DNS queries to a server the attacker controls, either by changing the client's resolver settings or by answering queries with forged responses before the real server does, and then serves the IP address of a spoofed website. A resolver defends against forged answers by accepting only a response whose transaction ID, UDP source port and question section match the query it sent.
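To make the forged-response case concrete, the Python below is an added example (not code from the original article) that builds a minimal DNS A query with the standard library, constructs answer packets of the kind a resolver would receive, and applies the matching a resolver does before trusting an answer: the QR bit must be set, the 16-bit transaction ID must equal the one in the query, and the question section must be echoed back unchanged. The name and address used (example.com, 93.184.216.34) are constructed test values, and the UDP source-port check that real resolvers also perform is outside the packet bytes and therefore not shown.

```python
import secrets
import struct


def encode_name(name):
    """Encode a host name as DNS labels: length byte, label bytes, ..., 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid=None):
    """Standard recursive A query. The random transaction ID is one of the two
    values an off-path attacker has to guess to forge an accepted answer."""
    txid = secrets.randbits(16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    question = encode_name(name) + struct.pack("!HH", 1, 1)     # type A, class IN
    return header + question


def build_response(txid, name, ipv4):
    """Constructed answer packet standing in for what arrives over UDP. With the
    right txid it is a genuine reply; with a wrong one it models a forged reply."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD, RA, 1 answer
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    # Answer name is a compression pointer (0xc00c) back to the question at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) \
        + bytes(int(o) for o in ipv4.split("."))
    return header + question + answer


def validate_response(query, response):
    """Return the answered IPv4 address if `response` is an acceptable reply to
    `query`, otherwise None. A resolver that skips any of these checks will
    cache whatever a spoofer sends."""
    if len(response) < 12:
        return None
    qid, _qflags, qdcount = struct.unpack("!HHH", query[:6])
    rid, rflags, rqd, ancount = struct.unpack("!HHHH", response[:8])
    if not rflags & 0x8000:              # QR bit: must be a response, not a query
        return None
    if rid != qid or rqd != qdcount:     # transaction ID must match what we sent
        return None
    qlen = len(query) - 12
    if response[12:12 + qlen] != query[12:]:  # question must be echoed back exactly
        return None
    off = 12 + qlen
    for _ in range(ancount):
        if off >= len(response) or response[off] & 0xC0 != 0xC0:
            return None                  # only pointer-compressed names handled here
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off + 2:off + 12])
        rdata = response[off + 12:off + 12 + rdlen]
        if rtype == 1 and rclass == 1 and rdlen == 4:
            return ".".join(str(b) for b in rdata)
        off += 12 + rdlen
    return None


if __name__ == "__main__":
    q = build_query("example.com", txid=0x1234)
    print(validate_response(q, build_response(0x1234, "example.com", "93.184.216.34")))  # accepted
    print(validate_response(q, build_response(0x1235, "example.com", "93.184.216.34")))  # None
```

Because the ID is only 16 bits, an attacker who can flood guesses has a real chance of hitting it; that is why resolvers also randomize the UDP source port, and why DNSSEC validation is the only check that does not depend on the attacker failing to guess.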
Presentation Layer
The presentation layer puts data into a format that both ends can understand, independent of how each host represents it internally. Few standalone protocols live here; instead it is where character encoding, file-level compression, formatting and encryption (such as PGP and SSL) are handled.
Most attacks at the presentation layer are directed towards acquiring the encryption keys.
Application Layer
The application layer is concerned with providing end users with services that help with the exchange of information and is well integrated with directory services. The application layer is not referring to user software like web browsers or Microsoft Office but rather the services that support the applications.
Services such as FTP (File Transfer Protocol), Telnet, SSH, SMTP (Simple Mail Transfer Protocol), SNMP (Simple Network Management Protocol) and HTTP (Hypertext Transfer Protocol) are supported at this layer. FTP allows a user to access, retrieve and manage files on a remote computer. Telnet provides command-line access to a remote host, but it sends the whole session, including the login password, in cleartext, so it should not be used, especially over an open network like the Internet. SSH provides the same access over an encrypted and authenticated channel and is the recommended way to connect to a remote host. SMTP is used for the transfer of mail messages and attachments. SNMP allows queries into network devices and helps with gathering information about them; SNMP versions 1 and 2c authenticate with a community string sent in cleartext, so SNMPv3 with authentication and privacy should be preferred and default community strings such as public must be changed. HTTP transfers and displays hypertext documents, the web pages of the World Wide Web. These protocols and others at this layer provide the services that make up the application program.
Directory services provide authentication, among other things. The most common form is a username and password: each user should have a unique ID that follows a consistent naming convention, paired with a strong password. In a Windows domain the password itself is never sent across the network; Kerberos uses a key derived from it to encrypt the authentication exchange and issues tickets that the client presents to services. Kerberos is time-sensitive (tickets and authenticators carry timestamps, and clocks that drift beyond the permitted skew, five minutes by default, cause authentication failures), so every host must be synchronized to a common time source using NTP (Network Time Protocol).
There are many vulnerabilities at the application layer. Malware, adware, trojans, viruses and spyware take up residence here, and protection against them is of great importance. Antivirus software and more specialized tools such as Malwarebytes and AdwCleaner improve the level of protection, and keeping the applications and services themselves patched removes the flaws that malware exploits to get in.
The overview of the OSI model helps in identifying the key structures of a typical network and the underlying problems that can possibly harm it. Gaining a better understanding of the OSI model should lead to better security.
© 2016 Michael Carr