The Open Systems Interconnection model is a 7-layer conceptual framework for network communication. Every protocol, attack, and security control maps to one of these layers.
Almost every CISSP network question maps to OSI layers. Firewalls, IDS/IPS, VPNs, SSL/TLS, ARP poisoning, DNS spoofing — all have a specific layer.
Protocols: HTTP, HTTPS, FTP, SMTP, DNS, SNMP, LDAP, SSH, Telnet. Attacks: phishing, SQL injection, XSS, DNS poisoning. Controls: WAF, application proxies, content filtering, TLS termination.
Translation, encryption, and compression. TLS/SSL encryption and decryption happens here. Often combined with Application layer in practice.
Establishes, manages, and terminates communication sessions. Protocols: NetBIOS, RPC, PPTP. Attacks: session hijacking.
End-to-end communication, segmentation, and flow control. TCP and UDP. Port numbers live here. Attacks: SYN flooding, port scanning. Controls: stateful firewalls, port-based ACLs.
Logical addressing and routing. IP addresses (IPv4/IPv6), ICMP, OSPF, BGP, IPsec. Attacks: IP spoofing, ICMP-based attacks. Controls: packet-filtering firewalls, IPsec tunnel mode.
Physical addressing (MAC addresses), framing, and local delivery. Protocols: Ethernet, Wi-Fi (802.11), ARP. Attacks: ARP poisoning, MAC flooding, VLAN hopping. Controls: 802.1X, dynamic ARP inspection.
Raw bits over a physical medium. Cables, hubs, repeaters. Attacks: physical wiretapping, TEMPEST, jamming. Controls: physical security, shielded cables.
OSI layers with protocols, attacks, and controls
| Layer | Name | Key Protocols | Attack Examples | Security Controls |
|---|---|---|---|---|
| 7 | Application | HTTP, DNS, SMTP, LDAP | SQLi, XSS, DNS poisoning | WAF, app proxy |
| 6 | Presentation | TLS/SSL, JPEG, ASCII | SSL stripping | TLS enforcement |
| 5 | Session | NetBIOS, RPC | Session hijacking | Session tokens, timeouts |
| 4 | Transport | TCP, UDP | SYN flood, port scan | Stateful firewall |
| 3 | Network | IP, ICMP, IPsec | IP spoofing, Smurf | Packet filter, IPsec |
| 2 | Data Link | Ethernet, ARP, 802.11 | ARP poison, MAC flood | 802.1X, DAI |
| 1 | Physical | Cables, hubs | Wiretap, jamming | Physical security |