Using the OSI Model to Understand Cybersecurity Threats, Part One
Jeffrey Edwards
Cyber Risks & Threats | April 27, 2023
Since the beginning of computer networks, network users, administrators, and engineers have needed an effective way to allow diverse networks to communicate and seamlessly exchange information. Enter the OSI Model.
Widely adopted in the early 1980s, the Open Systems Interconnection (OSI) Model is a conceptual framework that aimed to standardize the functions of a telecommunications or computing system, allowing diverse systems to communicate and exchange information.
To achieve this, the OSI model broke computer networks out into seven layers, each of which is in charge of a distinct set of responsibilities within the broader communication process.
While the OSI model was eventually surpassed by the simpler TCP/IP model, which is the basis of the modern internet, it is still widely used as an effective tool for visualizing and communicating how networks work and is a particularly valuable tool for identifying and troubleshooting network issues and vulnerabilities.
In this series, we’ll explain what the OSI model is, what the seven layers of the OSI model are, and how those layers relate to various network threats and vulnerabilities. This post will cover layers 1-3: the physical layer, the data-link layer, and the network layer.
What Is the OSI Model and Why Is It Important?
The OSI Model, developed in the late 1970s by the International Organization for Standardization (ISO), divides complicated networking ideas into seven layers. Each layer handles a specific element of data transfer, facilitating interchange between various hardware and software components. The model provides a common vocabulary and framework for networking experts, allowing them to detect possible vulnerabilities and build effective security solutions. By breaking down the communication process into distinct layers, network administrators can isolate issues and apply targeted fixes without disrupting the entire network.
Layers 1-3 of the OSI Model and Their Vulnerabilities
The first three layers of the OSI model – Physical, Data Link, and Network – are primarily responsible for managing the physical and logical transmission and routing of data, rather than managing the actual data being transmitted and the services provided by the network. The vulnerabilities of these first three layers include physical attacks such as cutting or tapping cables, as well as attacks that target the logical addressing and routing of data, such as ARP spoofing and DoS attacks.
OSI Layer One: The Physical Layer
The Physical Layer is the foundation of the OSI Model and its first layer. As the name implies, the physical layer represents the physical infrastructure responsible for transmitting information, such as copper wires, fiber optic cables, or wireless radio frequencies. This layer deals with the physical connectivity of devices, including the specifications for cables, connectors, and network interfaces. Consequently, the integrity of the Physical Layer is vital for ensuring reliable data transmission and communication between devices in a network. Due to its nature, the physical layer is not so much vulnerable to cyberattacks as it is to actual physical sabotage and interference. Vulnerabilities at this level not only include malicious threats such as physical tampering and eavesdropping, but also natural or environmental threats such as temperature, humidity, and even electrical interference from other equipment.
Securing the physical layer is primarily reliant on–you guessed it–physical security. Networking equipment should be kept in secure locations with limited and closely monitored physical access, and network devices should be monitored constantly, with alerts for unusual activity or unexpected downtime. The physical environment should also be closely monitored and controlled, and most data centers are climate controlled for temperature and humidity levels.
OSI Layer Two: The Data Link Layer
The OSI model’s second layer, the Data Link Layer, is made up of protocols that ensure reliable data transmission between directly connected nodes on a network. These protocols establish, maintain, and terminate connections, and handle error correction and flow control. The Data Link Layer plays a pivotal role in maintaining the integrity of communication between adjacent network nodes. By organizing data into manageable units called frames, this layer significantly contributes to the stability and efficiency of network connections, making it a critical target for potential cyber threats. Vulnerabilities at this level are often related to unauthorized access, data manipulation, or interception, and typically involve manipulation of network protocols or communication devices such as switches.
Common layer two attacks include:
- Media Access Control (MAC) Spoofing attacks, in which attackers modify the MAC address of their device to mimic that of an authorized user and gain access to the network.
- Address Resolution Protocol (ARP) Spoofing or poisoning attacks, in which attackers modify the ARP tables on a network, redirecting network traffic to their own devices or stealing data.
- STP (Spanning Tree Protocol) spoofing attacks, in which attackers send falsified data to a switch on a network, pretending to be the root bridge or causing the switch to believe that it has lost its connection to the root bridge. This can cause the switch to reconfigure the network topology, resulting in a DoS (Denial-of-Service) attack or allowing the attacker to gain unauthorized access to the network. STP spoofing attacks are a type of MAC address spoofing attack that can be prevented by implementing best practices and network security measures.
These threats can pose serious risks to network security, and it is important to implement proper measures to prevent and detect attacks. One key strategy is to use network segmentation, which involves dividing the network into smaller segments to limit the impact of a potential attack and make it easier to detect and isolate attacks.
Access controls such as MAC address filtering and port security should also be leveraged to limit network access and prevent unauthorized devices from connecting. Additionally, monitoring network traffic for unusual behavior, such as an increase in broadcast or multicast traffic, can help to detect potential attacks before they can cause significant damage.
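As an added illustration of the monitoring advice above (this is example code, not part of the original post), the following script applies two simple checks to a constructed stream of ARP replies: an IP whose MAC changes from what was seen earlier or from a known-good static binding, and a single MAC that claims several IPs, both typical indicators of ARP poisoning. The `STATIC_BINDINGS` table is an assumption, standing in for bindings an administrator maintains for critical hosts such as the gateway.

```python
from collections import defaultdict

# Constructed sample of ARP replies as a monitor might record them:
# (time, sender IP, sender MAC). Not taken from the original post.
ARP_REPLIES = [
    ("10:00:01", "192.168.1.1",  "aa:bb:cc:00:00:01"),  # gateway, legitimate
    ("10:00:02", "192.168.1.20", "aa:bb:cc:00:00:20"),
    ("10:00:03", "192.168.1.21", "aa:bb:cc:00:00:21"),
    ("10:00:09", "192.168.1.1",  "de:ad:be:ef:00:99"),  # gateway IP claimed by a new MAC
    ("10:00:10", "192.168.1.20", "de:ad:be:ef:00:99"),  # same MAC now also claims a host
]

# Assumed known-good bindings for hosts that must never change MAC (e.g. the gateway).
STATIC_BINDINGS = {"192.168.1.1": "aa:bb:cc:00:00:01"}


def detect_arp_poisoning(replies, static_bindings):
    """Return alert strings for ARP replies that conflict with earlier
    observations or with the static bindings."""
    seen = defaultdict(set)     # ip  -> MACs that have claimed this IP
    claimed = defaultdict(set)  # mac -> IPs this MAC has claimed
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        # Check 1: a protected IP answered with a MAC other than its static binding.
        if ip in static_bindings and static_bindings[ip] != mac:
            alerts.append(f"{ts} static binding violated: {ip} claimed by {mac}, "
                          f"expected {static_bindings[ip]}")
        # Check 2: an IP we have already seen is now answered by a different MAC.
        if seen[ip] and mac not in seen[ip]:
            alerts.append(f"{ts} {ip} changed MAC: {sorted(seen[ip])} -> {mac}")
        seen[ip].add(mac)
        claimed[mac].add(ip)
        # Check 3: one MAC claims more than one IP (gateway impersonation pattern).
        if len(claimed[mac]) > 1:
            alerts.append(f"{ts} {mac} claims multiple IPs: {sorted(claimed[mac])}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_poisoning(ARP_REPLIES, STATIC_BINDINGS):
        print(line)
```

On the sample above, the first three replies produce no alerts; the two replies from the second MAC produce four.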
OSI Layer Three: The Network Layer
The third layer of the OSI Model is the Network Layer, which is responsible for routing data between different sections of a network, or for routing data between different networks. The primary role of the Network Layer lies in determining the most efficient paths for data transmission in order to ensure optimal network performance.
To do this, the Network Layer performs three primary functions: First, it assigns addresses (such as IP addresses) to devices on the network, which allows them to be uniquely identified and located. Next, it determines the best path for data to travel between different networks, using routing protocols such as Border Gateway Protocol (BGP) or Open Shortest Path First (OSPF). And finally, the Network Layer forwards data packets from one network to another using routers or layer 3 switches.
In a sense, the network layer is the glue that holds the entire network together. Consequently, securing this layer against attacks is critical for ensuring the overall security and reliability of a network.
If an attacker gains unauthorized access to the Network Layer, they may be able to intercept or modify network traffic, steal sensitive information, and even cause network disruptions or outages.
Common threats to the Network Layer include:
- IP Spoofing Attacks, in which an attacker sends a packet with a forged IP address from a trusted source in order to bypass access controls or launch attacks against other devices on the network.
- Denial-of-Service (DoS) Attacks, in which attackers flood a network with junk traffic or requests in order to overwhelm network resources and ultimately cause downtime. These attacks are often used as a distraction from further malicious action.
- Routing Attacks, in which an attacker manipulates routing protocols to direct network traffic to unauthorized destinations or disrupt network communication.
- Man-in-the-Middle (MitM) Attacks, in which an attacker intercepts and potentially modifies network traffic between two devices, in order to eavesdrop on sensitive information or inject malicious code into the network.
To protect this crucial layer, organizations should implement access controls, such as firewalls and intrusion prevention systems, as well as encryption to protect sensitive data as it travels over the network.
Ingress and egress filtering, which involves monitoring and controlling traffic entering and leaving the network, can help block unauthorized traffic and give early warning of potential attacks. Access Control Lists (ACLs) can also be used to filter traffic based on specific criteria, such as source and destination IP addresses, port numbers, and protocols.
Secure routing protocols, such as BGP with authentication mechanisms, will also help prevent unauthorized routing updates and ensure that routing information is accurate and trustworthy.
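To make the ingress/egress filtering and ACL advice concrete, here is an added example (not from the original post) of a border filter in Python: packets arriving from the Internet are dropped if their source claims to be one of the network's own addresses or a private/bogon range (the IP spoofing case above), packets leaving are dropped if their source is not one of the network's addresses, and anything that passes is then checked against a first-match ACL on protocol, addresses and destination port. The `203.0.113.0/24` prefix, the web server at `203.0.113.10` and the ACL rules are all constructed for the example.

```python
import ipaddress

# Address space this network owns (constructed; RFC 5737 documentation range).
INTERNAL = [ipaddress.ip_network("203.0.113.0/24")]
# Sources that should never arrive from the Internet: RFC 1918, loopback, link-local.
BOGONS = [ipaddress.ip_network(n) for n in
          ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
           "127.0.0.0/8", "169.254.0.0/16")]

# Hypothetical ACL applied after the anti-spoofing checks; first match wins.
# (action, protocol, source prefix, destination prefix, destination port or None)
ACL = [
    ("permit", "tcp", "0.0.0.0/0", "203.0.113.10/32", 443),  # public web server
    ("permit", "udp", "203.0.113.0/24", "0.0.0.0/0", 53),    # internal DNS lookups
    ("deny", "any", "0.0.0.0/0", "0.0.0.0/0", None),         # explicit default deny
]


def in_any(addr, nets):
    return any(addr in n for n in nets)


def anti_spoof(direction, src):
    """Ingress ('in') / egress ('out') source-address sanity check."""
    s = ipaddress.ip_address(src)
    if direction == "in" and in_any(s, INTERNAL):
        return "drop", "ingress: source claims to be an internal address"
    if direction == "in" and in_any(s, BOGONS):
        return "drop", "ingress: bogon source address"
    if direction == "out" and not in_any(s, INTERNAL):
        return "drop", "egress: source is not one of our addresses"
    return "permit", "anti-spoofing checks passed"


def acl_lookup(proto, src, dst, dport):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, sn, dn, port in ACL:
        if p != "any" and p != proto:
            continue
        if s not in ipaddress.ip_network(sn) or d not in ipaddress.ip_network(dn):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"  # implicit deny if no rule matched


def process(direction, proto, src, dst, dport):
    """Full border decision: anti-spoofing first, then the ACL."""
    verdict, reason = anti_spoof(direction, src)
    if verdict == "drop":
        return verdict, reason
    return acl_lookup(proto, src, dst, dport), "acl"
```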
In the next installment of this series, we’ll discuss layers 4-7 of the OSI model: the transport, session, presentation, and application layers.