OSI 7 layer applied to infosec

A Priest Saw Two Nuns Doing Pushups

(7-1 mnemonic)

Please Do Not Throw Sausage Pizza Away

(1-7 mnemonic)

Layer 1 - Physical layer

At the bottom of our OSI bean dip we have the Physical Layer, which represents the electrical and physical representation of the system. This can include everything from the cable type, radio frequency link (as in an 802.11 wireless systems), as well as the layout of pins, voltages and other physical requirements. When a networking problem occurs, many networking pros go right to the physical layer to check that all of the cables are properly connected and that the power plug hasn’t been pulled from the router, switch or computer, for example.


  • Loss of Power
  • Loss of Environmental Control
  • Physical Theft of Data and Hardware
  • Physical Damage or Destruction of Data And Hardware
  • Unauthorized changes to the functional environment (data connections,removable media, adding/removing resources)Disconnection of Physical Data Links
  • Undetectable Interception of Data
  • Keystroke & Other Input Logging

Access controls

  • Locked perimeters and enclosures
  • Electronic lock mechanisms for logging & detailed authorization
  • Video & Audio Surveillance
  • PIN & password secured locks
  • Biometric authentication systems
  • Data Storage Cryptography
  • Electromagnetic Shielding

Layer 2 - Data link layer

The Data Link Layer provides node-to-node data transfer (between two directly connected nodes), and also handles error correction from the physical layer. Two sublayers exist here as well - the Media Access Control (MAC) layer and the Logical Link Control (LLC) layer. In the networking world, most switches operate at Layer 2.


  • MAC Address Spoofing (station claims the identity of another)
  • VLAN circumvention (station may force direct communication with other stations,bypassing logical controls such as subnets and firewalls.)
  • Spanning Tree errors may be accidentally or purposefully introduced, causing the layer two environment to transmit packets in infinite loops.
  • In wireless media situations, layer two protocols may allow free connection to the network by unauthorized entities, or weak authentication and encryption may allow a false sense of security.
  • Switches may be forced to flood traffic to all VLAN ports rather than selectively forwarding to the appropriate ports, allowing interception of data by any device connected to a VLAN.

Link layer controls

  • MAC Address Filtering- Identifying stations by address and cross-referencing physical port or logical access
  • Do not use VLANs to enforce secure designs. Layers of trust should be physically isolated from one another, with policy engines such as firewalls between.
  • Wireless applications must be carefully evaluated for unauthorized access exposure. Built-in encryption, authentication, and MAC filtering may be applied to secure networks.

Layer 3 - Network layer

Here at the Network Layer is where you’ll find most of the router functionality that most networking professionals care about and love. In its most basic sense, this layer is responsible for packet forwarding, including routing through different routers. You might know that your Boston computer wants to connect to a server in California, but there are millions of different paths to take. Routers at this layer help do this efficiently.


  • Route spoofing - propagation of false network topology
  • IP Address Spoofing- false source addressing on malicious packets
  • Identity & Resource ID Vulnerability - Reliance on addressing to identify resources and peers can be brittle and vulnerable

Network layer controls

  • Route policy controls - Use strict anti-spoofing and route filters at network edges
  • Firewalls with strong filter & anti-spoof policy ARP/Broadcast monitoring software
  • Implementations that minimize the ability to abuse protocol features such as broadcast

Layer 4 - Transport layer

The Transport Layer deals with the coordination of the data transfer between end systems and hosts. How much data to send, at what rate, where it goes, etc. The best known example of the Transport Layer is the Transmission Control Protocol (TCP), which is built on top of the Internet Protocol (IP), commonly known as TCP/IP. TCP and UDP port numbers work at Layer 4, while IP addresses work at Layer 3, the Network Layer.


  • Mishandling of undefined, poorly defined, or “illegal” conditions
  • Differences in transport protocol implementation allow “fingerprinting’ and other enumeration of host information
  • Overloading of transport-layer mechanisms such as port numbers limit the ability to effectively filter and qualify traffic.
  • Transmission mechanisms can be subject to spoofing and attack based on crafted packets and the educated guessing of flow and transmission values, allowing the disruption or seizure of control of communications.

Transport layer controls

  • Strict firewall rules limiting access to specific transmission protocols and sub-protocol information such as TCP/UDP port number or ICMP type
  • Stateful inspection at firewall layer, preventing out-of-state packets, “illegal” flags,and other phony packet profiles from entering the perimeter
  • Stronger transmission and layer session identification mechanisms to prevent the attack and takeover of communications

Layer 5 - Session layer

When two devices, computers or servers need to “speak” with one another, a session needs to be created, and this is done at the Session Layer. Functions at this layer involve setup, coordination (how long should a system wait for a response, for example) and termination between the applications at each end of the session.


  • Weak or non-existent authentication mechanisms
  • Passing of session credentials such as user ID and password in the clear,allowing intercept and unauthorized use
  • Session identification may be subject to spoofing and hijack
  • Leakage of information based on failed authentication attempts
  • Unlimited failed sessions allow brute-force attacks on access credentials

Session layer controls

  • Encrypted password exchange and storage
  • Accounts have specific expirations for credentials and authorization
  • Protect session identification information via random/cryptographic means
  • Limit failed session attempts via timing mechanism, not lockout

Layer 6 - Presentation layer

The Presentation Layer represents the area that is independent of data representation at the application layer - in general, it represents the preparation or translation of application format to network format, or from network formatting to application format. In other words, the layer “presents” data for the application or the network. A good example of this is encryption and decryption of data for secure transmission - this happens at Layer 6.


  • Poor handling of unexpected input can lead to application crashes or surrender of control to execute arbitrary instructions.
  • Unintentional or ill-advised use of externally supplied input in control contexts may allow remote manipulation or information leakage.
  • Cryptographic flaws may be exploited to circumvent privacy protections

Presentation layer controls

  • Careful specification and checking of received input incoming into applications or library functions
  • Separation of user input and program control functions - input should be sanitized and sanity checked before being passed into functions that use the input to control operation
  • Careful and continuous review of cryptography solutions to ensure current security versus new and emerging threats

Layer 7 - Application layer

To further our bean dip analogy, the Application Layer is the one at the top - it’s what most users see. In the OSI model, this is the layer that is the “closest to the end user”. Applications that work at Layer 7 are the ones that users interact with directly. A web browser (Google Chrome, Firefox, Safari, etc.) or other app - Skype, Outlook, Office - are examples of Layer 7 applications.


  • Open design issues allow free use of application resources by unintended parties
  • Backdoors and application design flaws bypass standard security controls
  • Inadequate security controls force “all-or-nothing” approach, resulting in either excessive or insufficient access.
  • Overly complex application security controls tend to be bypassed or poorly understood and implemented. Program logic flaws may be accidentally or purposely used to crash programs or cause undesired behavior

Application layer controls

  • Application level access controls to define and enforce access to application resources. Controls must be detailed and flexible, but also straightforward to prevent complexity issues from masking policy and implementation weakness
  • Standards, testing, and review of application code and functionality - A baseline is used to measure application implementation and recommend improvements
  • IDS systems to monitor application inquiries and activity
  • Some host-based firewall systems can regulate traffic by application, preventing unauthorized or covert use of the network.

Layers 8 and 9 - People and Policy

  • Communicate to ensure people know safe practices.
  • Follow the principle of least privilege.
  • Apply good policy at all levels of the model, and educate people so they use software in compliance with said policy.

Ports cheat sheet

Layers 5-7 correspond to layer 5 (application) of TCP/IP model. All other layers are the same in both models.
Smiley face test image