Domain 4 · Lesson 1 of 6

OSI Model & Network Security Fundamentals

OSI Model & Network Security

OSI 7-Layer Model: Security Mapping

Every network attack targets a specific OSI layer. Every security control operates at a specific layer. The exam tests whether you can match attacks and controls to the correct layer.

Layer | Name | Key Protocols | Attack Types | Controls
L1 | Physical | Cables, fiber, hubs | Wiretapping, eavesdropping, physical tampering | Cable shielding, physical access controls, locked comms rooms
L2 | Data Link | Ethernet, ARP, 802.11, VLANs | ARP poisoning, MAC spoofing, VLAN hopping, MAC flooding | 802.1X, DAI (Dynamic ARP Inspection), port security, VLAN segmentation
L3 | Network | IP, ICMP, routing protocols | IP spoofing, Smurf attack, routing hijack, ICMP flood | Firewalls, ACLs, anti-spoofing filters, BCP38 ingress filtering
L4 | Transport | TCP, UDP | SYN flood, port scanning, session hijacking, UDP flood | Stateful firewalls, SYN cookies, rate limiting, port filtering
L5 | Session | NetBIOS, RPC, SQL sessions | Session fixation, session replay | TLS session handling, secure session tokens, timeouts
L6 | Presentation | TLS/SSL, MIME, encoding formats | SSL stripping, encoding attacks, malformed data | Enforce HTTPS + HSTS, TLS 1.3, certificate validation
L7 | Application | HTTP, SMTP, DNS, FTP, SNMP | SQLi, XSS, CSRF, phishing, SSRF, DNS poisoning, API abuse | WAF, input validation, OWASP controls, application firewalls

Memory aid: Please Do Not Throw Sausage Pizza Away (Physical → Data Link → Network → Transport → Session → Presentation → Application)

TCP/IP 4-Layer Model vs OSI

The TCP/IP model is what's actually implemented in real networks. The OSI model is the conceptual reference used by security certifications.

TCP/IP Layer | Equivalent OSI Layers | Key Protocols
Application | L5 Session + L6 Presentation + L7 Application | HTTP, SMTP, DNS, SSH, FTP, TLS
Transport | L4 Transport | TCP, UDP
Internet | L3 Network | IP, ICMP, ARP (sometimes), routing
Network Access (Link) | L1 Physical + L2 Data Link | Ethernet, Wi-Fi, fiber, MAC addressing

Network Topology Security

Mesh Topology
Most resilient: multiple paths, so there is no single point of failure. Used for critical infrastructure and internet backbone routing.
Star Topology
Central switch/hub is a single point of failure. Most common in office LANs. If the switch fails, all connected devices lose connectivity.
Bus Topology
All devices share a single cable. Legacy (10BASE-2 Ethernet). Single cable break = full network failure. Not used in modern networks.

Key Terms

OSI Model

7-layer conceptual framework for network communication. Each layer has defined protocols and security responsibilities.

TCP/IP Model

4-layer practical implementation of network protocols used in real internet communication.

ARP Poisoning

Layer 2 attack: the attacker sends fake ARP replies to associate their MAC with a legitimate IP, enabling MITM attacks on the LAN.

VLAN Hopping

Layer 2 attack: the attacker escapes their VLAN to access traffic on another VLAN via double-tagging or DTP exploitation.

SYN Flood

Layer 4 DoS: the attacker sends massive numbers of TCP SYN packets without completing the handshakes, exhausting the server's connection table.

IP Spoofing

Layer 3 attack: the attacker sends packets with a forged source IP address to impersonate another host or bypass IP-based controls.
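
The Layer 3 control paired with IP spoofing in the mapping table is BCP38 ingress filtering. The following is an added example, not code from the lesson: a small ingress filter in the style of BCP38 that knows which prefixes sit behind each customer-facing port and drops packets whose source address is either a special-use range that should never appear as an Internet source or outside the prefixes assigned to the port they arrived on. The port names, prefixes and sample packets are constructed for illustration.

```python
"""BCP38-style ingress filter (added example; not code from the lesson).

An edge router knows which prefixes legitimately sit behind each customer
port. A packet whose source address is outside its port's prefixes, or inside
a range that must never be an Internet source, is dropped as spoofed.
All ports, prefixes and packets below are constructed for illustration.
"""
import ipaddress

# Constructed: prefixes legitimately reachable behind each customer-facing port.
CUSTOMER_PREFIXES = {
    "ge-0/0/1": [ipaddress.ip_network("203.0.113.0/24")],
    "ge-0/0/2": [ipaddress.ip_network("198.51.100.0/25"),
                 ipaddress.ip_network("2001:db8:10::/48")],
}

# Source ranges that must never appear on an Internet-facing ingress port.
NEVER_SOURCE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def ingress_verdict(port, src):
    """Return ("permit", reason) or ("drop", reason) for one packet's source address."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return ("drop", "unparseable source address")
    # ipaddress never matches a v4 address against a v6 network, so mixing is safe.
    if any(addr in net for net in NEVER_SOURCE):
        return ("drop", "special-use source not valid on an Internet port")
    allowed = CUSTOMER_PREFIXES.get(port)
    if allowed is None:
        return ("drop", "unknown ingress port")
    if any(addr in net for net in allowed):
        return ("permit", "source matches a prefix assigned to this port")
    return ("drop", "source outside prefixes assigned to this port")


def filter_packets(packets):
    """Apply the verdict to (port, src, dst) tuples; return the drops with reasons."""
    drops = []
    for port, src, dst in packets:
        verdict, reason = ingress_verdict(port, src)
        if verdict == "drop":
            drops.append((port, src, dst, reason))
    return drops


# Constructed sample traffic. The second packet claims the address of a host
# (192.0.2.10) that is not behind this port, which is exactly the Smurf-style
# reflection case BCP38 is meant to stop at the network edge.
SAMPLE_PACKETS = [
    ("ge-0/0/1", "203.0.113.42", "192.0.2.10"),       # legitimate
    ("ge-0/0/1", "192.0.2.10", "203.0.113.255"),      # forged source, wrong side of the port
    ("ge-0/0/2", "10.0.0.5", "192.0.2.10"),           # private source on an Internet port
    ("ge-0/0/2", "2001:db8:10::7", "2001:db8:99::1"), # legitimate IPv6
    ("ge-0/0/2", "203.0.113.9", "192.0.2.10"),        # valid prefix, but assigned to another port
]

if __name__ == "__main__":
    for drop in filter_packets(SAMPLE_PACKETS):
        print("DROP", drop)
```

Running the block drops three of the five constructed packets. The per-port check is the important part: a prefix that is valid somewhere in the network is still spoofed if it shows up on a port it does not belong to.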

SSL Stripping

Layer 6/7 MITM attack: intercepts the HTTPS redirect and serves HTTP to the client, downgrading the encrypted connection to plaintext.

WAF

Web Application Firewall: a Layer 7 control that inspects HTTP content to block SQLi, XSS, CSRF, and other application attacks.

DAI (Dynamic ARP Inspection)

Layer 2 control on managed switches: validates ARP packets against the DHCP binding table, dropping spoofed ARP replies.

Port Security

Layer 2 switch feature: limits the number of MAC addresses allowed on a port, preventing MAC flooding and unauthorized devices.
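
The two Layer 2 switch controls just defined, DAI and port security, are easiest to understand as checks applied to every frame as it enters a port. The following is an added, simplified simulation written for this lesson; it is not code from the lesson or from any switch vendor. DAI compares each ARP reply arriving on an untrusted port with a DHCP snooping binding table of (IP, MAC, port); port security counts distinct source MACs per port and err-disables the port once a limit is exceeded. The binding table, port names, MAC limit and sample frames are all constructed.

```python
"""DAI and port security as ingress checks (added example, not lesson code).

Bindings, trusted ports, the MAC limit and all frames are constructed.
"""
from collections import defaultdict

# Constructed DHCP snooping binding table: ip -> (mac, port)
BINDINGS = {
    "10.0.0.10": ("aa:bb:cc:00:00:10", "Gi1/0/10"),
    "10.0.0.1":  ("aa:bb:cc:00:00:01", "Gi1/0/1"),   # default gateway
}
TRUSTED_PORTS = {"Gi1/0/24"}   # uplink to the DHCP server; DAI does not inspect it


class Switch:
    def __init__(self, max_macs_per_port=2):
        self.max_macs = max_macs_per_port
        self.seen_macs = defaultdict(set)   # port -> distinct source MACs
        self.err_disabled = set()
        self.log = []                       # (port, src_mac, reason) for each violation

    def dai_check(self, port, frame):
        """Return None if the ARP reply matches the binding table, else the reason."""
        if port in TRUSTED_PORTS or frame.get("arp_op") != "reply":
            return None
        binding = BINDINGS.get(frame["arp_sender_ip"])
        if binding is None:
            return "no DHCP binding for sender IP"
        bound_mac, bound_port = binding
        if frame["arp_sender_mac"] != bound_mac or port != bound_port:
            return "sender IP/MAC/port mismatch with binding table"
        return None

    def port_security_check(self, port, frame):
        """Return None while within the MAC limit; otherwise shut the port."""
        self.seen_macs[port].add(frame["src_mac"])
        if len(self.seen_macs[port]) > self.max_macs:
            self.err_disabled.add(port)
            return "MAC limit exceeded, port err-disabled"
        return None

    def ingress(self, port, frame):
        """Process one frame; return 'forward' or 'drop:<reason>'."""
        if port in self.err_disabled:
            return "drop:port err-disabled"
        reason = self.port_security_check(port, frame)
        if reason is None and frame.get("ethertype") == "arp":
            reason = self.dai_check(port, frame)
        if reason:
            self.log.append((port, frame["src_mac"], reason))
            return "drop:" + reason
        return "forward"


def arp_reply(src_mac, sender_ip, sender_mac):
    """Build a constructed ARP reply frame."""
    return {"ethertype": "arp", "arp_op": "reply", "src_mac": src_mac,
            "arp_sender_ip": sender_ip, "arp_sender_mac": sender_mac}


# Constructed traffic: a legitimate reply, a reply that falsely claims the
# gateway's IP (the poisoning case DAI exists for), then a burst of frames
# with changing source MACs on one port (the flooding case port security exists for).
SAMPLE = [
    ("Gi1/0/10", arp_reply("aa:bb:cc:00:00:10", "10.0.0.10", "aa:bb:cc:00:00:10")),
    ("Gi1/0/7",  arp_reply("de:ad:be:ef:00:07", "10.0.0.1", "de:ad:be:ef:00:07")),
] + [("Gi1/0/7", {"ethertype": "ipv4", "src_mac": "de:ad:be:ef:%02x:%02x" % (i, i)})
     for i in range(4)]


def run(frames, max_macs=2):
    """Feed frames through a fresh switch; return the per-frame results and the switch."""
    sw = Switch(max_macs)
    return [sw.ingress(port, f) for port, f in frames], sw


if __name__ == "__main__":
    results, sw = run(SAMPLE)
    for (port, _), result in zip(SAMPLE, results):
        print(port, result)
    print("violations:", sw.log)
```

The split between the two checks mirrors the lesson's table: port security reacts to how many MACs a port sees, DAI reacts to what an ARP reply claims, and both act before anything is forwarded. The trusted-port exemption is the usual operational caveat: DAI only works if untrusted ports are the ones facing end devices.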

Exam Tips: OSI Layer Mapping
  1. WAF = Layer 7. Inspects HTTP content (URL, headers, body). CloudFlare WAF, AWS WAF, ModSecurity all operate at the Application layer.
  2. Stateful firewall = Layer 4. Tracks TCP connection state (SYN, SYN-ACK, ACK). Does not inspect content above Layer 4.
  3. ARP operates at Layer 2 (Data Link). ARP poisoning is a Layer 2 attack; DAI is the Layer 2 mitigation. ARP is not routable (it stays within a broadcast domain).
  4. TLS operates at Layer 5/6 (Session/Presentation). TLS negotiates sessions and encrypts/decrypts data at the Presentation layer.
  5. SSL stripping = downgrade HTTPS to HTTP. Mitigated by HSTS (HTTP Strict Transport Security), which tells the browser to always use HTTPS regardless of redirect.

FinTech Company X / Platform C Application

Map Platform C's attack surface to OSI layers:

  • L7, CloudFlare WAF: blocks SQLi, XSS, OWASP Top 10 before requests reach GCP. Application-layer control on all Partner C (PH) and Platform C public endpoints.
  • L4, rate limiting on public endpoints: SYN flood protection and OTP brute-force prevention (5 attempts/hr per phone number) operate at the Transport layer.
  • L3, Kubernetes NetworkPolicies: GCP VPC firewall rules and K8s NetworkPolicies function as Layer 3 ACLs between namespaces and between the payment cluster and other services.
  • L2, GCP VPC managed: GCP handles the underlying network layer for GKE nodes. However, verify no ARP-based attacks are possible in GKE pod networking. GCP uses software-defined networking that prevents ARP spoofing within the VPC, but validate this assumption for any on-prem or hybrid nodes.

Gap: no explicit Layer 2 control is visible for Platform C internal K8s pod-to-pod traffic. GCP VPC handles this, but document the assumption and verify that the GKE network plugin (Dataplane V2 / Calico) enforces it.

Practice Quiz: OSI Model

Q1. A Web Application Firewall (WAF) operates at which OSI layer?

A. Layer 3, Network
B. Layer 4, Transport
C. Layer 7, Application ✓
D. Layer 2, Data Link

A WAF inspects HTTP/HTTPS request content (URLs, headers, POST body), content that only exists at Layer 7. It can identify application-specific attacks like SQLi and XSS that lower-layer firewalls cannot see.

Q2. A SYN flood attack exploits which OSI layer?

A. Layer 7, Application
B. Layer 3, Network
C. Layer 4, Transport ✓
D. Layer 2, Data Link

A SYN flood exploits the TCP three-way handshake, a Layer 4 (Transport) mechanism. Attackers send SYN packets without completing the ACK, filling the server's connection state table. SYN cookies at Layer 4 are the mitigation.

Q3. ARP poisoning is an attack at which OSI layer?

A. Layer 1, Physical
B. Layer 2, Data Link ✓
C. Layer 3, Network
D. Layer 4, Transport

ARP (Address Resolution Protocol) maps IP addresses to MAC addresses, a Layer 2 function. ARP operates only within a broadcast domain (LAN segment) and is not routable. Dynamic ARP Inspection (DAI) on managed switches is the Layer 2 mitigation.

Q4. SSL stripping is best mitigated by which control?

A. Stateful firewall with deep packet inspection
B. HSTS (HTTP Strict Transport Security) ✓
C. WPA3 enterprise wireless
D. IPSec ESP tunnel mode

HSTS tells the browser to always connect via HTTPS for a specified period (max-age). This prevents SSL stripping because the browser will refuse to send an HTTP request even if an attacker intercepts the redirect. HSTS preloading further prevents first-visit attacks.
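
The mechanism in the Q4 explanation, the browser upgrading http:// to https:// on its own once it has seen an HSTS policy, is shown below as an added example; it is not code from the lesson. A minimal client-side HSTS store parses the Strict-Transport-Security header, remembers the policy for max-age seconds (only from HTTPS responses, as RFC 6797 requires), honours includeSubDomains, and rewrites any later http:// navigation before a request leaves the client. The first-visit gap that preloading closes is also visible: before the policy is cached, the http:// URL goes out unchanged. The host names, header values, clock values and the PRELOAD set standing in for the browser's built-in preload list are constructed.

```python
"""Client-side HSTS store and URL upgrade (added example, not lesson code).

Hosts, headers and timestamps are constructed; PRELOAD stands in for the
browser's built-in preload list.
"""
import time
from urllib.parse import urlsplit, urlunsplit

PRELOAD = {"preloaded.example"}   # constructed stand-in for the HSTS preload list


def parse_sts(header):
    """Parse 'max-age=N; includeSubDomains; preload'; return a dict or None if invalid."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None or max_age < 0:
        return None
    return {"max_age": max_age, "include_subdomains": include_sub}


class HstsStore:
    def __init__(self, now=time.time):
        self.now = now
        self.policies = {}   # host -> (expires_at, include_subdomains)

    def observe_response(self, url, headers):
        """Record HSTS only from HTTPS responses; the header is ignored over plain HTTP."""
        parts = urlsplit(url)
        sts = headers.get("Strict-Transport-Security")
        if parts.scheme != "https" or sts is None:
            return
        policy = parse_sts(sts)
        if policy is None:
            return
        if policy["max_age"] == 0:
            self.policies.pop(parts.hostname, None)   # max-age=0 clears the entry
            return
        self.policies[parts.hostname] = (self.now() + policy["max_age"],
                                         policy["include_subdomains"])

    def is_known_host(self, host):
        """True if a live policy (or the preload list) covers this host."""
        if host in PRELOAD:
            return True
        for known, (expires, include_sub) in list(self.policies.items()):
            if expires <= self.now():
                del self.policies[known]          # expired policy is forgotten
                continue
            if host == known or (include_sub and host.endswith("." + known)):
                return True
        return False

    def request_url(self, url):
        """Return the URL the client would actually fetch: http upgraded when HSTS applies."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known_host(parts.hostname):
            netloc = parts.netloc
            if parts.port == 80:                  # explicit :80 becomes :443 (RFC 6797 8.3)
                netloc = parts.hostname + ":443"
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


def demo():
    """Walk through first visit, cached policy, subdomain coverage and expiry."""
    clock = [1_000_000.0]                          # constructed, controllable clock
    store = HstsStore(now=lambda: clock[0])
    first = store.request_url("http://bank.example/login")     # no policy yet: plaintext
    store.observe_response("https://bank.example/login",
                           {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
    later = store.request_url("http://bank.example/login")     # upgraded by the client
    sub = store.request_url("http://api.bank.example/v1")      # covered by includeSubDomains
    clock[0] += 31536000 + 1                                   # policy has expired
    expired = store.request_url("http://bank.example/login")
    return first, later, sub, expired


if __name__ == "__main__":
    for label, url in zip(("first", "later", "sub", "expired"), demo()):
        print(label, url)
```

Two details matter for the exam point. The upgrade happens inside the client before any packet is sent, so an attacker sitting on the path never sees an HTTP request to strip; and the policy must be refreshed before max-age runs out, which is why sites set a long max-age and why preloading removes the first-visit window entirely.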

Q5. A stateful firewall primarily operates at which OSI layer?

A. Layer 2, Data Link
B. Layer 3, Network
C. Layer 4, Transport ✓
D. Layer 7, Application

A stateful firewall tracks the state of TCP connections (SYN, SYN-ACK, ACK, established, closed). This state tracking is a Layer 4 function. It goes beyond simple packet filtering (Layer 3 only) but does not inspect application content (that's Layer 7 / NGFW / WAF).
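
Q2 and Q5 describe the same Layer 4 state machine from two sides: the stateful firewall follows each TCP handshake in a connection table, and a SYN flood is the condition where that table fills with entries stuck half-open. The following is an added example, not code from the lesson or from any firewall product: a minimal connection tracker keyed on the 4-tuple that rejects packets with no matching handshake state (what a stateful firewall does with a stray ACK), counts half-open entries, raises an alert when they exceed a threshold, and ages stale half-open entries out. It detects the condition that SYN cookies mitigate rather than implementing SYN cookies themselves. The packet log, timeout and alert threshold are constructed.

```python
"""Stateful TCP tracking and SYN flood detection (added example, not lesson code).

The packet log, SYN timeout and alert threshold are constructed.
"""

SYN_TIMEOUT = 30.0        # seconds a half-open entry may live (constructed)
HALF_OPEN_ALERT = 100     # half-open entries that count as a flood (constructed)


class ConnTracker:
    def __init__(self):
        self.table = {}    # (src, sport, dst, dport) -> {"state": ..., "last": ts}
        self.alerts = []   # (ts, dst, dport, half_open_count)

    def _expire(self, now):
        """Age out half-open entries that never completed the handshake."""
        stale = [k for k, v in self.table.items()
                 if v["state"] == "HALF_OPEN" and now - v["last"] > SYN_TIMEOUT]
        for k in stale:
            del self.table[k]

    def half_open(self):
        return sum(1 for v in self.table.values() if v["state"] == "HALF_OPEN")

    def packet(self, ts, src, sport, dst, dport, flags):
        """Advance the state machine for one packet; return the resulting state.

        flags: "S" (SYN), "SA" (SYN-ACK), "A" (ACK), "F" (FIN), "R" (RST).
        """
        self._expire(ts)
        key, rkey = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags == "S":                          # client SYN opens a half-open entry
            self.table[key] = {"state": "HALF_OPEN", "last": ts}
            n = self.half_open()
            if n > HALF_OPEN_ALERT:
                self.alerts.append((ts, dst, dport, n))
            return "HALF_OPEN"
        entry = self.table.get(key) or self.table.get(rkey)
        if entry is None:
            return "INVALID"                      # no SYN seen: a stateful firewall drops it
        entry["last"] = ts
        if flags == "SA":
            return entry["state"]                 # server's SYN-ACK: still half-open
        if flags == "A" and entry["state"] == "HALF_OPEN":
            entry["state"] = "ESTABLISHED"        # third packet completes the handshake
        elif flags in ("F", "R"):
            entry["state"] = "CLOSED"
        return entry["state"]


def build_sample():
    """Constructed packet log: one real handshake, one stray ACK, a flood, then quiet."""
    pkts = [
        (0.0, "198.51.100.5", 40000, "203.0.113.10", 443, "S"),
        (0.1, "203.0.113.10", 443, "198.51.100.5", 40000, "SA"),
        (0.2, "198.51.100.5", 40000, "203.0.113.10", 443, "A"),
        (0.3, "198.51.100.9", 5555, "203.0.113.10", 443, "A"),   # ACK with no handshake
    ]
    # 150 SYNs from distinct sources in quick succession; no ACK ever follows.
    for i in range(150):
        pkts.append((10.0 + i * 0.001, "192.0.2.%d" % (i % 250 + 1), 1024 + i,
                     "203.0.113.10", 443, "S"))
    pkts.append((60.0, "198.51.100.5", 40001, "203.0.113.10", 443, "S"))  # after timeout
    return pkts


def run(pkts):
    """Feed the log through a fresh tracker; return per-packet states and the tracker."""
    tr = ConnTracker()
    states = [tr.packet(*p) for p in pkts]
    return states, tr


if __name__ == "__main__":
    states, tr = run(build_sample())
    print("first four states:", states[:4])
    print("alerts raised:", len(tr.alerts), "first alert:", tr.alerts[0] if tr.alerts else None)
    print("half-open entries after timeout:", tr.half_open())
```

The stray ACK returning INVALID is the Q5 point (a stateless packet filter would have passed it, since it matches an allow rule on port 443), and the alert count rising only after the hundredth half-open entry is the Q2 point: the damage is measured in connection-table occupancy, not packets per second, which is why SYN cookies, which avoid allocating table state until the handshake completes, are the matching mitigation.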