This lesson presents material from chapter 2. Objectives
important to this lesson:
The ISO-OSI network reference model
Details about the seven layers
The text begins by referring to the ISO-OSI Reference Model by
only a portion of its name. Many people have been taught to call it the
Open Systems Interconnect model, which is correct, but it is only part of the
story. The ISO part is that it was created by the International
Organization for Standardization. Yes, I know that the three letter
acronym does not match the name. Maybe that's why some people stopped
mentioning it. Maybe some people were never taught it. Lucky you, I
have been doing this long enough that I know about it. At some point in
the past, this rather important organization decided just to call
itself ISO, which is the Greek prefix for "equal", which makes sense
for an organization that promotes standards.
This chapter is called a review, so it assumes you already
know this model. If that is so, we can cover most of it in less time.
(If that is not so, follow
this link to a more detailed discussion of the material. Yes,
really. You need to learn this sometime.)
The seven layers of the model are usually written in a list,
numbering the top as layer seven and the bottom
as layer one.
services and programs
translation across networks
setting up and ending connections
find other networks
wiring, bit transmission, sending and
receiving network signals
Several mnemonic sentences exist
to help us remember the proper order. I recommend "Please Do
Not Throw Sausage Pizza Away",
because this is in the correct numeric order (bottom to top, 1
to 7). If you want one that goes from top to bottom, try "All People
Studying This Need Drastic Psychotherapy".
On any certification test that covers this model, you MUST remember the
correct order, the correct numbers, and the correct details for each
In the chart above, I have given
each layer a different color. However, layers 1 and 2 are shades of green, layers 3 and 4 are shades of blue, and the upper three layers are related
shades of yellow and orange.
The reason is that layers 1 and 2 are typically related to hardware, layers 3 and 4 are related
to finding networks and
passing traffic across them,
and the upper three layers are related to the user and the applications being used by the
computer the user is operating. The text points out that the
distinction about layers 1 and 2 is less accurate when using virtual
devices, but there is actually still hardware involved someplace.
The processes that happen in each
layer communicate with the next layer. Which way is next, up or
down? It depends whether data is being passed out of the stack (down) or into it (up). Typically, a computer
generates a request starting at the top layer, and working down.
The request is passed across the network (probably to a server) and the
received request is passed up the layers. When a response is
generated, the process reverses. The path through the layers of a
response resembles the path followed by the original request. Let me explain
Imagine the following list of steps as a stack of protocols being used
to send a signal out onto the
As I prepare this signal to go, I start at the Application
layer, where the message is packaged
by Application layer rules, then passed down to the Presentation layer.
The Presentation layer receives the message,
repackages it as
needed by its rules, keeping the information from the Application layer
inside the packets it makes,
then hands its packets off to the Session layer.
The Session layer negotiates a connection with the next machine it needs to
send to, which it does while it takes the received Presentation packets
and repackages them as Session packets.
These are handed off to the Transport layer.
The Transport layer continues the pattern: it adds its magic, wraps it around
the received packets, and puts them all in its own message units called segments. The segments are handed
off to the Network layer.
The Network layer continues: it does its thing, adds IP addresses for source and destination, rewraps the segments as
datagrams, and hands
them to the Data Link layer.
The Data Link layer does not change what is in the datagrams, but it adds
MAC addresses for
source and destination. (Some real magic happens here. If the author
never gets to it, I will tell you later.) The datagrams are rewrapped
as frames, and they are pushed
to a network by processes on the Physical layer.
The Physical layer takes the frames, which are perceived as a stream of bits, moves them as needed to the
next device, again and again, until the stream is processed by a NIC on
a receiving machine, which may be the final destination or a router
along the way.
That's what happens, from layers 7
through 1, in the machine sending
a message. On the final destination
machine, the received message is processed through the layers from layers 1 through 7, until the
message is received by a program that knows what to do with it. That is
why there are IP packets inside the frames that the Network layer
opens. They were put there by the Network layer processes of the
sending machine. And this is why we usually
explain this process from the top down instead of from
the bottom up.
The ISO-OSI model gives us a framework for discussing what
happens on a network, and what happens at specific devices. So, we can
start explaining the model by telling you some of the things associated
with it. I will switch to another color scheme here, which will be used
in a chart farther down the page.
In the Physical
layer, we pick a communications medium,
which is usually UTP
(unshielded twisted pair) cable, because it is inexpensive, easy to
use, and it works well. A previous author mentioned hubs as hardware associated with
this layer. A hub can also be called a
concentrator, because it is where lots of wires come together
(concentrate). That author confused the description by saying that a
hub is like a telephone switchboard, which most
of you have probably never seen, but Wikipedia has decent pictures. A
hub is like a switchboard in that lots of wires from different devices
come together there. It is also NOT like a switchboard, in that any
signal sent into a hub will come out on ALL the other wires. On a
telephone switchboard, like those shown on Wikipedia, a telephone
operator determined what circuit you needed to be connected to, made
the connection, and your signal only went on that circuit. That's why
we don't use hubs any more: we use switches, which do what the operator
did. Switches do not live on this layer, because they do a lot more.
A lot of other topics are covered by the physical layer of the OSI
model. In the chart below, you can see that this layer has more topics
than any other. We will talk about them more as we go along.
A Network Interface Card
(NIC) can be used as a reason
to go to the Data-Link
layer. Network cable connects to the NIC, which connects a
computer to the network. NICs belong on the Data-Link layer because
they have addresses that are
hard coded (burned in) to them. This kind of address is also called a
physical address, but that does not
place the NIC on the Physical layer. A better name for the address is a
MAC address, because
the address is used for Media Access
Control, which has to do with how devices share the transmission
medium. Before we can make them share, we have to tell them apart, so
we use addresses. A MAC address is often written in one of two ways: as
twelve hexadecimal characters
with no breaks, or as six pairs
of hexadecimal characters with hyphens or colons between them. The
paired format is easier to read, and if you see a lot of them, it makes
it easier to notice that the first six characters in a MAC address
identify a manufacturer. (Large manufacturers have lots of six
character sequences assigned to them.)
Computers and NICs may send signals with electricity, light, or radio
waves. From there, we can turn to a new idea: frames. I already said that we break
signals into packets. Well, you should know that we also collect data
into usable clumps or clusters
and call them by different names on different layers. On the Data Link
layer, where NICs live, those clusters are called frames. Many frame
types have been created over the years. For any two devices on the same
network to communicate, they must send and receive frames of the same
type. (Devices that connect one network to another can translate frames
from one type to another.)
In most networks, every device
on a network can see every frame
that is transmitted on it. There are exceptions, especially when we
start breaking networks into subnets,
but in this simple example the statement is true. The point is that a
frame is usually addressed to a particular NIC, because frames use MAC addresses. (They hold the MAC
addresses of the sender and the receiver.) Because of this, only
the device whose MAC address matches
a frame will process that frame. There are two exceptions to this rule.
First, a frame sent to the broadcast
address (FF-FF-FF-FF-FF-FF) of
a network will be processed by all
devices. That address, by the way, is the broadcast address for frames
on any network, not just a particular one. In the second case, a
network admin may set the NIC on a device to work in promiscuous mode, which means that
it processes all frames, which
is useful in monitoring activity on a network. An attacker may do the
same, but the monitoring is likely to have a less official purpose.
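The frame-acceptance rule described above, as an added example that is not from the text or the course materials: it parses both MAC address notations, reads the 14-byte Ethernet II header, and reports why a NIC would process a frame. The addresses, payloads, and function names are constructed for illustration.

```python
import string
import struct

BROADCAST = bytes.fromhex("ffffffffffff")  # FF-FF-FF-FF-FF-FF


def parse_mac(text):
    """Accept 12 hex characters with no breaks, or six pairs split by '-' or ':'."""
    cleaned = text.strip()
    for sep in ("-", ":"):
        if sep in cleaned:
            pairs = cleaned.split(sep)
            if len(pairs) != 6 or any(len(p) != 2 for p in pairs):
                raise ValueError(f"not six hex pairs: {text!r}")
            cleaned = "".join(pairs)
            break
    if len(cleaned) != 12 or any(c not in string.hexdigits for c in cleaned):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(cleaned)


def format_mac(mac):
    """Render the paired form, which makes the manufacturer prefix easy to spot."""
    return "-".join(f"{b:02X}" for b in mac)


def manufacturer_prefix(mac):
    """The first six hex characters (three bytes) identify the manufacturer."""
    return mac[:3].hex().upper()


def parse_frame_header(frame):
    """Split an Ethernet II frame into destination, source, type and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return dst, src, ethertype, frame[14:]


def nic_processes(frame, nic_mac, promiscuous=False):
    """Return why this NIC processes the frame, or None if it ignores it.

    Covers the cases in the text: own address, broadcast, promiscuous mode.
    Multicast group filtering is left out of this example.
    """
    dst, _src, _type, _payload = parse_frame_header(frame)
    if promiscuous:
        return "promiscuous"
    if dst == BROADCAST:
        return "broadcast"
    if dst == nic_mac:
        return "unicast-match"
    return None  # the frame is visible on the wire but this NIC drops it


# Constructed sample data: every address and payload here is made up.
NIC_A = parse_mac("00-1A-2B-3C-4D-5E")
NIC_B = parse_mac("001a2b000002")
SENDER = parse_mac("00:1a:2b:00:00:01")
UNICAST_TO_A = NIC_A + SENDER + struct.pack("!H", 0x0800) + b"hello"
BROADCAST_FRAME = BROADCAST + SENDER + struct.pack("!H", 0x0806) + b"who-has"

if __name__ == "__main__":
    for name, frame in (("unicast to A", UNICAST_TO_A), ("broadcast", BROADCAST_FRAME)):
        dst, src, _t, _p = parse_frame_header(frame)
        print(name, ":", format_mac(src), "->", format_mac(dst))
        print("  NIC A:", nic_processes(frame, NIC_A))
        print("  NIC B:", nic_processes(frame, NIC_B))
        print("  NIC B promiscuous:", nic_processes(frame, NIC_B, promiscuous=True))
```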
Regarding the broadcast MAC address, that address can be used to make a
general request to all devices on a system, asking them to respond with
their MAC addresses and some kind of device name. There are several
systems of naming. Your text mentions that the Address Resolution Protocol (ARP) can be used to request the MAC
address of a device whose IP address is known. Reverse Address Resolution Protocol (RARP) was used for the opposite
process on a given machine, and Inverse
Address Resolution Protocol (InARP)
is still used to request the IP address of a machine associated with a
known MAC address.
The Data Link layer used to be the only OSI layer
with sublayers. (Wireless networking has caused us to add sublayers to
the Physical layer as well.) The sublayers are the MAC sublayer (Media
Access Control) and the LLC sublayer (Logical Link Control). Your book
does not mention them. It does mention that flow control is important on this
layer, as it is on others. Flow control is meant to avoid situations in
which the flow of packets overwhelms the hardware and software of the
network, as happens in some Denial of Service attacks.
When the world was new and there were only four computers
that were about to be connected to what would become the Internet, the
kind of networking that only used layers 1 and 2 may have been enough.
As soon as it became a goal to connect
separate networks together, the ARPANET/Internet planners decided it
would be necessary to use a method that named networks as well as the devices on
them. Several methods of accomplishing this have been devised by
different vendors. The method that has become dominant is the one that is used on
the Internet, IP addressing.
In the section about the Network
layer, the author tells us that Internet
Protocol (IP) is used
for an addressing scheme that includes a reference to an individual device, and to the network it is on. IP lives on the Network layer, Layer 3. On an IP
network, each device (node) is known as a host, and
every host must have an address.
IP addresses, and any
addresses associated with the Network
layer, are logical addresses.
This means they are not permanently associated with a piece of hardware
like a MAC address and a NIC. A logical address is assigned to a device by an administrator, by a user, or by a network device assigned to do so. A standard
router used in a home is an example of a device that would assign an IP
address to any other device that is connected to one of its switch
ports. It does so because it acts like a switch (connecting devices to a
small network), like a router
(connecting your network to your Internet Service Provider's network),
and like a Dynamic Host Configuration
Protocol (DHCP) server,
which is a device or program that assigns IP addresses to devices on a
network. The DHCP service makes note of the MAC address of each device
it gives an IP address to, to make sure it does not give out the same
IP address to two currently connected devices. Giving the same address
to two devices would keep at least one of them from being able to use
the network. The text presents a small diagram of a network subdivided
into several logical subnets. In the graphic on page 26, the objects
that look like hot-cross hockey pucks represent routers. You will find
this shape and lots of others on this Cisco page.
Layer 4 is the Transport
layer. One of the processes of this layer is called segment
development. What that means is actually simple: large
messages that won't fit in one segment are broken down
and the pieces are placed in two or more segments.
Sometimes a message is very small, in which case the
segment it is placed into would not be full. Segments
are required to be full, so extra
bits are generated to be used as filler.
More importantly, the TCP protocol operates on the
Transport layer, which makes this layer associated with the word reliable.
If a packet is lost or received in a damaged state, a replacement copy
of the packet is requested. This is one aspect of reliable, guaranteed
Just to make things complicated, layer 4 is also where the User Datagram Protocol (UDP) lives. If TCP is like sending a registered letter to a recipient (we
know it is going to get there), UDP
is like sending a postcard
with our best guess at an address. UDP is quick and easy, but it may
not get the job done. TCP is sometimes called a connection-oriented service. UDP is
called a connectionless
service. Quick tip: If you
need to remember whether a protocol is connection-oriented or
connectionless, look at the first letter of the protocol name. If it is
a consonant, it is connection-oriented. If it is a vowel, it is connectionless. This is only true
for protocols for which we care about this concept.
Layer 5 is the Session
layer, which the text explains as being useful when any device
is doing more than one thing at a time on the network. Have you ever
had two browser windows open at once? When you click something in one
of those windows (or tabs), how does the computer know where to put the
response to that click? Each of those windows is assigned a different session
ID, which is used in any requests that are sent from it. This
assignment of session IDs takes place for other kinds of connections as
well, for any program that establishes a connection to a service (on
another machine) across a network.
Layer 6 is the Presentation
layer, which formats data into files that can be read and stored
by the applications on the current system. Files may be stored by
different methods on mainframes as opposed to PC or macOS based
servers, bytes can be sent across a wire most significant digit first
or last, and most importantly files can be encrypted. Encryption
services also live on the Presentation layer.
The Application layer is layer
7, the top layer in the OSI model. The author makes the point
that this layer is about the network interfaces that exist so that
application programs can use network services, like file service, print
services, and message services.
A table appears on page 29 that maps commonly seen protocols
and applications to the layers of the OSI model. You should take a look
at it. As you use various protocols and applications, the table will
help put them in context.
The text switches to another network model, the TCP/IP
model, which is very similar to the Department of Defense (DoD)
model. That's the point, really. Once you understand the OSI model, you
understand the next one, too. You just need to know what the next model
calls things. In the chart at the end of this notes page, I have
included a column for the TCP/IP model layers, and another for the OSI
layers. The topics and methods for the two models are the same.
TCP/IP Layer name
OSI Layer name
Topics & Methods
Service Advertisement - how services become known
Service Use - how services are obtained
Data cluster type: Messages
Translation - bit translation, byte translation,
character code translation, file translation
Encryption - cipher, private key, or public key
Data cluster type: Packets
Dialog Control - simplex, half-duplex and duplex
Session Administration - connection establishment,
data transfer, and connection release
Data cluster type: Packets
Segment Development - breaking large messages into
combining small messages into segments
Data cluster type: Segments
Addressing - network addresses. 2 methods:
Switching - route creation for packets, messages and
circuits. 3 methods:
Route Discovery - finding a route. 2 methods:
Route Selection - choosing a route. 2 methods:
Connection Services - flow control, error control and
packet sequence control. 3 methods:
Network-layer flow control
Packet sequence control
Data cluster type: Datagrams
Logical Topology - 2 methods:
Media Access - 3 methods:
Addressing - 1 method:
Physical Device Address - the MAC address
Transmission Synchronization - 3 methods:
Connection Services - 3 methods:
Data cluster type: Frames
Connection Type - 2 methods:
Physical Topology - 5 methods:
Digital Signaling - 2 methods:
Analog Signaling - 2 methods:
Bit Synchronization - 2 methods:
Bandwidth Usage - 2 methods:
Multiplexing - 3 methods:
Statistical Time Division
No data clusters, just bits
On page 32, the text mentions the use of ARP as an
attack venue. On networks in which it is still used by devices to learn
the MAC addresses of devices from their IPv4 addresses, requests for
such addresses can be answered by attackers who want to impersonate the
real owners of those addresses. The text tells us that ARP requests
have been replaced by Neighbor Discovery Protocol (NDP),
which we are told is more secure, but we are also told that it sends ICMP
messages in clear text, which are open to interception and
Page 33 lists several attacks that can be associated with OSI
Layer 1 and Layer 4.
Spoofing MAC addresses - As noted above, an attacker
can send signals marked with the MAC address of a known network device.
The text points out that this can be useful in wired and wireless
networks. The text does not mention that signals sent inside a network,
that do not have to pass across routers, may only have to rely on
Defeating/Poisoning MAC address resolution - Any
device on a network that sees ARP information will update its tables
with that information, despite its being sent by an attacker.
Wiretapping - This once meant the interception of
telephone or telegraph signals, but it has been extended to include
network signals as well. It includes interception of wireless signals,
as well as those passing across a wired network. This can lead to
interception and falsification, or it may only be eavesdropping and
The text makes it clear that eavesdropping involves
only the unauthorized capture of signals. It does not elaborate on the
idea that interception is the same thing, but it may include modification
or replacement of the data in the signals.
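The ARP poisoning problem described above, seen from the monitoring side, as an added example that is not from the text: a naive table that accepts whatever ARP information it sees, beside a watcher that pins the gateway binding and alerts when an IP address shows up with a different MAC address. All addresses, packets, and names below are constructed for illustration.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # 28-byte ARP payload for IPv4 over Ethernet
ARP_REQUEST, ARP_REPLY = 1, 2


def build_sample_arp(oper, sender_mac, sender_ip, target_mac, target_ip):
    """Helper used only to construct the sample packets below."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       bytes.fromhex(sender_mac.replace(":", "")),
                       socket.inet_aton(sender_ip),
                       bytes.fromhex(target_mac.replace(":", "")),
                       socket.inet_aton(target_ip))


def parse_arp(payload):
    """Decode the sender binding (IP address and MAC address) from an ARP payload."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"oper": oper, "sender_mac": sha.hex(":"),
            "sender_ip": socket.inet_ntoa(spa), "target_ip": socket.inet_ntoa(tpa)}


def naive_table(payloads):
    """What the text describes: every observed binding overwrites the table."""
    table = {}
    for payload in payloads:
        arp = parse_arp(payload)
        table[arp["sender_ip"]] = arp["sender_mac"]
    return table


class ArpWatch:
    """Tracks IP-to-MAC bindings and records alerts instead of trusting blindly."""

    def __init__(self, pinned=None):
        self.pinned = dict(pinned or {})  # bindings the administrator trusts
        self.learned = {}
        self.alerts = []

    def observe(self, payload):
        arp = parse_arp(payload)
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        expected = self.pinned.get(ip)
        if expected is not None and mac != expected:
            self.alerts.append(("pinned-mismatch", ip, expected, mac))
            return False  # refuse to learn a binding that contradicts a pin
        previous = self.learned.get(ip)
        if previous is not None and previous != mac:
            self.alerts.append(("binding-changed", ip, previous, mac))
        self.learned[ip] = mac
        return True


# Constructed sample traffic: none of these addresses come from the text.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:55"
HOST_IP, HOST_MAC = "192.168.1.20", "00:11:22:aa:bb:cc"
PRINTER_IP, PRINTER_MAC = "192.168.1.30", "00:11:22:dd:ee:ff"
ROGUE_MAC = "02:00:00:00:00:99"
ZERO_MAC = "00:00:00:00:00:00"
SAMPLE = [
    build_sample_arp(ARP_REQUEST, HOST_MAC, HOST_IP, ZERO_MAC, GATEWAY_IP),
    build_sample_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, HOST_MAC, HOST_IP),
    build_sample_arp(ARP_REPLY, PRINTER_MAC, PRINTER_IP, HOST_MAC, HOST_IP),
    build_sample_arp(ARP_REPLY, ROGUE_MAC, GATEWAY_IP, HOST_MAC, HOST_IP),  # forged
    build_sample_arp(ARP_REPLY, ROGUE_MAC, PRINTER_IP, HOST_MAC, HOST_IP),  # forged
]


def run_watch(payloads=SAMPLE):
    watch = ArpWatch(pinned={GATEWAY_IP: GATEWAY_MAC})
    for payload in payloads:
        watch.observe(payload)
    return watch


if __name__ == "__main__":
    print("naive table:", naive_table(SAMPLE))
    watch = run_watch()
    print("watched table:", watch.learned)
    for alert in watch.alerts:
        print("ALERT", alert)
```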
Still on page 33, the text makes some observations about
attempts to make a network less vulnerable to these attacks:
Use fiber optic cable
- Of the various cable types,
this is the most secure. It does not radiate signals, and it is
difficult to cut a line with the intention of placing an undetectable
monitor or a false host on the network. This is obviously a Layer 1
remedy. The recommendation is real, but is probably not practical. Most
networks are wired with UTP because it is cheap and it works well.
Security is not usually the concern of the network planner.
WEP, WPA, and WPA2 - The text wastes a little space
recommending the first two, since they have both been hacked, and have
been superseded by WPA2. One day, before long, we will need whatever
comes next. For the moment, WPA2 is a standard on wireless networks.
Perhaps we can say that all security is like glory.
Point-to-Point Tunneling Protocol (PPTP) - An
improvement over PPP or SLP, PPTP provides encryption of traffic.
Challenge Handshake Authentication Protocol (CHAP)
- An authentication protocol that provides encryption. (See a pattern
The text moves on to the OSI
Network layer, which is its layer 3. (The TCP/IP model calls it
the Internet layer, which is its layer 2. I know it's confusing. I made
you a chart.) The device that stands for this layer is the router, because that is the device
that connects networks to each other. The text offers some quick
features of routers:
Routers don't forward broadcast packets - Usually. Assume
you have three networks at your site, linked by a router or two. Now
assume you have only one DHCP server. A DHCP request is a broadcast
request, and in this case it needs to be forwarded to the network where
the DHCP server lives. Sometimes it is good to forward some broadcast
Routers do forward multicast packets.
Routers can make routing decisions for each packet
depending on current conditions.
Routers have latency. They receive packets, examine them,
then decide what to do with them. This causes delay, but provides a
The text offers a summary of routing methods, explaining why
the older Distance Vector
method protocols like Routing
Information Protocol (RIP
and RIPv2) have been replaced
by protocols that
use the Link State method,
such as Open
Shortest Path First (OSPF)
protocol. (Mnemonic: Distance Vector = Darth Vader = Bad. Link State =
Luke Skywalker = Good.)
Well, in some cases, Distance Vector was good. It just wasn't
up to routes that need more than 15 hops. (On a route, a hop is when
the packet crosses a router to go to another network. Luke hopped a lot
more than Darth Vader could.) The Internet presents a need for an
almost unlimited number of hops.
The text discusses the basics of IPv4 addresses and subnet
masks. Remember that a subnet mask tells us (and tells network devices)
which parts of an address are network identification bits, and which
parts are host identification bits. The text describes IPv6 addresses,
but does not give us any examples. We are told that we need to use IPv6
addresses because there are not enough version 4 addresses for all the
devices in the world already. This is so, but IPv4 continues to be
used, thanks to Network Address
The text discusses the use of Internet
Control Message Protocol (ICMP),
which is most commonly used to ping another system, verifying that it
is active and reachable. At least, it is useful for that when ping
responses have not been disabled on the target device. Disabling
responses to pings prevents an attacker from gathering information from
them. It is more likely that an attacker who has gained access to your
network will be using a sniffer, as discussed on page 38. Note that we
can do this ourselves, with permission, by first installing a program
to enable promiscuous mode on
your NIC (the ability to capture all packets passing by), and second,
by installing and running a packet sniffer program. The text mentions
Wireshark, but there are others. The text also mentions that you enable
promiscuous mode by a
different method on different operating systems.
The text turns to controls that relate to this network layer:
IPSecurity (IPSec) - The text tells us to use
it, but does
not explain what it does very well. Take a look at this video for a
good discussion with good graphics. Thanks, Keith. (As usual, you might
want to speed up the player if you are familiar with the process.)
Packet filters -
This is explained oddly in the text. What he is talking about are firewall rules, typically on a Cisco
router. I wish people would call them that, so there would be less
confusion with permission filters on AD objects, which are also called
access control lists. Cisco calls their lists of rules "access control
lists", but the command that uses them says "access-list", so that
would be a better, more accurate term. Take a look at this recent Cisco
page about filtering IP packets
for a short lesson in syntax. If that doesn't do it for you, here is an ancient
lesson (2008) I taught in Advanced Routers and Routing.
Network Address Translation
(NAT) - I mentioned this in the
notes above. The text hints that we can do anything we want to do on
our own networks, such as using private addressing schemes. A popular
approach is using IPv4 addresses that start with a 10, then subnetting
as needed. That is very flexible, and it allows Internet access if you
use NAT when you send packets to your ISP. The text mentions that NAT
is not necessary for IPv6 addressing schemes.
The author has been calling layers by their OSI names, but the
next section calls the next layer the Host-to-Host
layer, which is the TCP/IP model
name for what the OSI model
calls layer 4, the Transport layer.
It is known for the reliable, guaranteed delivery service of TCP which is based in this layer.
This layer, as I have already mentioned, is also home to UDP, which is not unreliable, but it
is connectionless and is not guaranteed. The text tells us
that UDP is "optimized for applications that require fast delivery and
are not sensitive to packet loss", which puzzles me. What services are
not sensitive to packet loss? The text mentions DNS service, but that
seems as reliant on good packet delivery as anything else.
Three threats are listed for this layer:
Port scanning -
Ports are numbered service addresses. A
port scanner attempts to contact them, one by one, to determine which
ports are responsive on a server.
Session hijack -
This is like a man-in-the-middle attack,
except that the attacker simply takes over a session established by a
real user. TCP services do not typically require reauthentication
during a session, which makes this possible.
SYN attack - The
text explains how TCP connection sessions
are begun. Let's take a minute and review a bit more than we are
offered in the book.
A session begins with a TCP three-way
handshake. Note that only two
participants are involved.
The requester sends a synchronize
(SYN) packet to a server.
The server responds with a synchronization
acknowledgment (SYN ACK)
The requester sends an acknowledgment
(ACK) packet, confirming the
The text does not describe terminating
the TCP session, which could be initiated by either party in the session.
The device requesting to end the session sends a
saying I'm finished, please acknowledge (FIN ACK).
The second device sends an acknowledge
The second device then sends a packet like the first
saying I'm finished, please acknowledge (FIN ACK).
The first device sends an acknowledge
(ACK) packet. This closes the
session on both ends.
The text does not mention that this process can vary. In this
discussion on the wireshark site, it is noted that a web browser
might send a connection reset
packet (RST) if there is no graceful closure
dialog completion. Graceful, in IT, typically means that something is being
done formally, methodically, and with every party in the transaction
aware and acknowledging what is happening. This introduces a new
problem, that the connection could be hijacked by an interception of
the second FIN ACK (assuming it came from the server), and an
impersonation of the original client by the hacker.
Why do you need to know all this? To understand that sending a
continuous stream of SYN requests from multiple devices is an attack.
It will cause the victim device to consume all its resources for
connections, causing it to be unable to do its job.
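Why unanswered SYN requests exhaust a server, as an added example that is not from the text: a small model of a listener's table of half-open connections, run over a constructed event list in which a stream of SYNs that never complete the handshake crowds out a legitimate client. The backlog size, timeout, addresses, and function names are assumptions chosen for the illustration.

```python
def simulate_listener(events, backlog_size=4, timeout=30):
    """Replay (time, ip, port, flag) events against a fixed-size half-open table.

    A SYN reserves a slot (the server would answer SYN ACK); the matching ACK
    completes the three-way handshake and frees the slot; a slot that never
    sees its ACK is only freed when the timeout expires.
    """
    half_open = {}  # (ip, port) -> time the SYN arrived
    stats = {"established": [], "dropped": [], "expired": 0, "peak_half_open": 0}
    for now, ip, port, flag in events:
        for key in [k for k, since in half_open.items() if now - since >= timeout]:
            del half_open[key]
            stats["expired"] += 1
        key = (ip, port)
        if flag == "SYN":
            if key in half_open:
                continue  # retransmitted SYN for a slot already reserved
            if len(half_open) >= backlog_size:
                stats["dropped"].append(key)  # no resources left for this client
                continue
            half_open[key] = now
            stats["peak_half_open"] = max(stats["peak_half_open"], len(half_open))
        elif flag == "ACK" and key in half_open:
            del half_open[key]
            stats["established"].append(key)
    stats["still_half_open"] = len(half_open)
    return stats


def flood_suspected(stats):
    """Simple indicator: handshakes that never completed outnumber those that did."""
    never_completed = stats["expired"] + stats["still_half_open"]
    return never_completed > len(stats["established"])


# Constructed sample events, as seen by the server.
CLIENT_A = ("10.0.0.5", 40000)
CLIENT_B = ("10.0.0.6", 40001)
EVENTS = [(0, *CLIENT_A, "SYN"), (1, *CLIENT_A, "ACK")]
# Six SYNs from made-up sources that never send the final ACK.
EVENTS += [(1 + i, f"198.51.100.{i}", 1024 + i, "SYN") for i in range(1, 7)]
EVENTS += [
    (8, *CLIENT_B, "SYN"),   # arrives while the table is full
    (40, *CLIENT_B, "SYN"),  # retry after the stale entries have timed out
    (41, *CLIENT_B, "ACK"),
]

if __name__ == "__main__":
    result = simulate_listener(EVENTS)
    for name, value in result.items():
        print(f"{name}: {value}")
    print("flood suspected:", flood_suspected(result))
```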
The text offers some controls relating to its proposed threats:
Secure Sockets Layer (SSL)
- a security protocol that is often seen on commercial web pages. The
text mentions that it can be used with other protocols as well, such as
FTP and Telnet.
Transport Layer Security (TLS) - An improvement over SSL, it can be used instead of SSL for better security.
The text concludes the chapter with a discussion about the Application layer, which is a TCP/IP model name for what the OSI model calls its three upper layers: the Session layer (5), the Presentation layer (6), and the Application layer (7).
The text presents a selection of services on page 43 that can be associated with specific ports and protocols. We are told that not all services are likely targets for attack, but the advice offered is to deny
all packets from the Internet (or suspect networks), allowing only
traffic to services and ports we intend to make available to specific
kinds of traffic. The text calls this a deny-all principle. It is also called an implicit deny approach, denying everything that is not specifically allowed by one of our rules.
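The implicit deny approach, as an added example that is not from the text: a first-match rule evaluator in the style of an access list, where any packet that matches no rule is denied, shown beside the same rules with a permit default for contrast. The rule set, addresses, ports, and names are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "action proto source dst_port")
Packet = namedtuple("Packet", "proto src_ip dst_port")

# Constructed rule set; order matters because the first match wins.
RULES = [
    Rule("deny", "tcp", "10.9.0.0/16", 22),    # one internal subnet may not use SSH
    Rule("permit", "tcp", "10.0.0.0/8", 22),   # the rest of the private network may
    Rule("permit", "tcp", "0.0.0.0/0", 443),   # anyone may reach the HTTPS service
    Rule("permit", "udp", "10.0.0.0/8", 53),   # internal hosts may query DNS
]


def evaluate(packet, rules=RULES, default="deny"):
    """Return (action, rule number), or (default, 'implicit') when nothing matches."""
    src = ipaddress.ip_address(packet.src_ip)
    for number, rule in enumerate(rules, start=1):
        if (rule.proto == packet.proto
                and rule.dst_port == packet.dst_port
                and src in ipaddress.ip_network(rule.source)):
            return rule.action, number
    return default, "implicit"


# Constructed sample traffic.
SAMPLE_PACKETS = [
    Packet("tcp", "203.0.113.7", 443),  # outside host to HTTPS
    Packet("tcp", "203.0.113.7", 22),   # outside host to SSH
    Packet("tcp", "10.1.2.3", 22),      # internal host to SSH
    Packet("tcp", "10.9.4.4", 22),      # restricted subnet to SSH
    Packet("udp", "203.0.113.7", 53),   # outside host to DNS
    Packet("tcp", "203.0.113.7", 23),   # outside host to Telnet, never mentioned
]


def audit(packets=SAMPLE_PACKETS, default="deny"):
    """Evaluate every sample packet and return the decisions in order."""
    return [evaluate(p, default=default) for p in packets]


if __name__ == "__main__":
    for packet, decision in zip(SAMPLE_PACKETS, audit()):
        print(packet, "->", decision)
    print("with a permit default:", audit(default="permit"))
```

With a permit default, the Telnet packet that no rule mentions is let through, which is the gap the deny-all principle closes.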
The text presents a short list of services and protocols that may have security issues:
The text presents a list of some of the threats that apply to this layer (or group of layers), but they all fall into two categories:
Denial of Service attacks
Controls suggested by the text for this section of the network:
Malware scanners - This is obvious: get some protection!
SSH - This was proposed in another layer.
Pretty Good Privacy (PGP) - The text is really suggesting using a Public Key encryption scheme.
Secure/Multipurpose Internet Mail Extension - A secure version of the MIME extension for email.
This week you need to complete Assignment 1 and Part 1 of an ongoing
course project. Both of these are due in one week.