OSI Model and Network Layers
The OSI (Open Systems Interconnection) Model is a conceptual framework developed by the International Organization for Standardization (ISO) that standardizes how different network systems communicate. It divides network communication into seven distinct layers, each with specific functions.
**Layer 1 - Physical Layer:** Deals with the physical transmission of raw data bits over a medium such as cables, fiber optics, or wireless signals. It defines hardware specifications like voltages, pin layouts, and data rates.
**Layer 2 - Data Link Layer:** Responsible for node-to-node data transfer and error detection. It packages data into frames and manages MAC (Media Access Control) addressing. Switches and bridges operate at this layer.
**Layer 3 - Network Layer:** Handles logical addressing (IP addresses) and routing of data packets across different networks. Routers operate at this layer, determining the best path for data to travel from source to destination.
**Layer 4 - Transport Layer:** Ensures reliable data delivery between hosts using protocols like TCP (connection-oriented) and UDP (connectionless). It manages flow control, segmentation, and error recovery.
**Layer 5 - Session Layer:** Establishes, manages, and terminates communication sessions between applications. It handles session checkpointing and recovery.
**Layer 6 - Presentation Layer:** Translates data formats between the application and network. It handles encryption, decryption, compression, and data formatting (e.g., ASCII, JPEG).
**Layer 7 - Application Layer:** The closest layer to the end user, providing network services directly to applications. Protocols like HTTP, FTP, SMTP, and DNS operate here.
For cybersecurity professionals, understanding the OSI Model is critical because security threats and controls exist at every layer. Firewalls may operate at Layers 3-7, encryption can occur at Layers 2-6, and network segmentation is implemented at Layer 3. Recognizing which layer an attack targets helps security practitioners implement appropriate countermeasures and design defense-in-depth strategies effectively.
OSI Model and Network Layers – Complete Guide for ISC2 CC Exam
Why is the OSI Model Important?
The Open Systems Interconnection (OSI) model is one of the most foundational concepts in network security and is critical for the ISC2 Certified in Cybersecurity (CC) exam. Understanding the OSI model is important because:
• It provides a universal framework for understanding how data travels across a network.
• It helps security professionals identify where vulnerabilities exist and where security controls should be applied.
• It enables clear communication between IT and security teams by providing a common language for discussing network operations.
• It helps in troubleshooting network issues by isolating problems to a specific layer.
• Many security tools, firewalls, and intrusion detection systems operate at specific OSI layers, so understanding the model helps you choose and configure the right defenses.
What is the OSI Model?
The OSI model is a conceptual framework developed by the International Organization for Standardization (ISO) in 1984. It divides network communication into seven distinct layers, each with specific functions. Data flows down through the layers on the sending side and back up through the layers on the receiving side.
The seven layers, from top to bottom, are:
Layer 7 – Application Layer
This is the layer closest to the end user. It provides the interface between the user's application and the network. It includes protocols and services that applications use to communicate over the network.
• Protocols: HTTP, HTTPS, FTP, SMTP, DNS, SNMP, Telnet, SSH
• Security relevance: Application-layer firewalls, web application firewalls (WAFs), input validation, anti-malware, content filtering
• Attacks at this layer: Phishing, SQL injection, cross-site scripting (XSS), buffer overflows
Layer 6 – Presentation Layer
This layer is responsible for data translation, encryption, and compression. It ensures that data sent by one system can be read by another by converting data formats.
• Functions: Data encryption/decryption (SSL/TLS), data formatting (JPEG, ASCII, EBCDIC), data compression
• Security relevance: Encryption protocols like TLS operate here, protecting data confidentiality
• Attacks at this layer: SSL stripping, improper encryption implementation
Layer 5 – Session Layer
This layer manages sessions (connections) between applications. It establishes, maintains, and terminates communication sessions.
• Functions: Session establishment, maintenance, termination, synchronization, dialog control
• Protocols: NetBIOS, RPC (Remote Procedure Call), PPTP
• Security relevance: Session hijacking prevention, proper session management, authentication
• Attacks at this layer: Session hijacking, session fixation
Layer 4 – Transport Layer
This layer ensures reliable end-to-end data delivery. It segments data, manages flow control, and provides error checking.
• Protocols: TCP (Transmission Control Protocol – connection-oriented, reliable), UDP (User Datagram Protocol – connectionless, faster but less reliable)
• Key concepts: Port numbers, segmentation, flow control, error recovery
• Security relevance: Stateful firewalls operate here, port scanning detection
• Attacks at this layer: SYN flood attacks, port scanning, TCP session hijacking
Layer 3 – Network Layer
This layer handles logical addressing and routing. It determines the best path for data to travel from source to destination across networks.
• Protocols: IP (IPv4, IPv6), ICMP, IGMP, IPSec
• Devices: Routers, Layer 3 switches
• Key concepts: IP addresses, routing tables, subnetting, packet forwarding
• Security relevance: Packet-filtering firewalls, IPSec VPNs, access control lists (ACLs) on routers
• Attacks at this layer: IP spoofing, routing attacks, ping of death, smurf attacks
Layer 2 – Data Link Layer
This layer is responsible for node-to-node data transfer on the local network. It frames data for transmission and handles physical addressing (MAC addresses).
• Sub-layers: LLC (Logical Link Control) and MAC (Media Access Control)
• Protocols: Ethernet, Wi-Fi (802.11), PPP, ARP
• Devices: Switches, bridges, network interface cards (NICs)
• Key concepts: MAC addresses, frames, VLANs
• Security relevance: Port security, MAC filtering, 802.1X authentication, VLAN segmentation
• Attacks at this layer: ARP spoofing/poisoning, MAC flooding, VLAN hopping
Layer 1 – Physical Layer
This is the lowest layer, dealing with the physical transmission of raw data bits over a communication channel.
• Components: Cables (copper, fiber optic), hubs, repeaters, connectors, network interface hardware
• Key concepts: Voltage levels, data rates, physical connectors, signal encoding
• Security relevance: Physical access controls, cable shielding, electromagnetic interference (EMI) protection, preventing wiretapping
• Attacks at this layer: Wiretapping, cable cutting, jamming, physical theft
How Does the OSI Model Work?
When data is sent from one device to another:
1. Encapsulation (Sending Side): Data travels down from Layer 7 to Layer 1. At each layer, a header (and sometimes a trailer) is added to the data. This process is called encapsulation.
• Layer 7-5: Data
• Layer 4: Segments (TCP) or Datagrams (UDP)
• Layer 3: Packets
• Layer 2: Frames
• Layer 1: Bits
2. Transmission: The bits are transmitted over the physical medium (cable, wireless, etc.).
3. De-encapsulation (Receiving Side): Data travels up from Layer 1 to Layer 7. At each layer, the corresponding header is stripped off and the data is passed to the next higher layer.
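The encapsulation and de-encapsulation steps above, shown on one HTTP request as an added example (not part of the original guide). The MAC addresses, IP addresses, ports and request bytes are constructed sample values, and the function names are illustrative.

```python
import struct

# Constructed sample values (documentation addresses, locally administered MACs).
SRC_MAC, DST_MAC = bytes.fromhex("02000000000a"), bytes.fromhex("02000000000b")
SRC_IP, DST_IP = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])

def encapsulate(data: bytes) -> bytes:
    """Sending side: prepend one header per layer on the way down (checksums left 0)."""
    # Layer 4 segment: ports, seq, ack, data offset 5 words + PSH/ACK flags, window
    segment = struct.pack("!HHIIHHHH", 49152, 80, 1, 1, (5 << 12) | 0x018, 65535, 0, 0) + data
    # Layer 3 packet: version 4 / IHL 5, total length, TTL 64, protocol 6 (TCP)
    packet = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0, 0, 64, 6, 0,
                         SRC_IP, DST_IP) + segment
    # Layer 2 frame: destination MAC, source MAC, EtherType 0x0800 (IPv4); FCS trailer omitted
    return DST_MAC + SRC_MAC + struct.pack("!H", 0x0800) + packet

def de_encapsulate(frame: bytes) -> list:
    """Receiving side: strip one header per layer; returns [(layer, pdu_name, summary)]."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    layers = [("L2", "frame", f"{mac(src)} -> {mac(dst)}")]
    if ethertype != 0x0800:
        return layers                      # not IPv4: nothing more to strip here
    packet = frame[14:]
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("truncated or non-IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4           # header length is counted in 32-bit words
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or not ihl <= total_len <= len(packet):
        raise ValueError("inconsistent IPv4 lengths")
    ip = lambda b: ".".join(str(x) for x in b)
    layers.append(("L3", "packet", f"{ip(packet[12:16])} -> {ip(packet[16:20])}"))
    if packet[9] != 6:
        return layers                      # not TCP
    segment = packet[ihl:total_len]
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport = struct.unpack("!HH", segment[:4])
    offset = (segment[12] >> 4) * 4        # TCP data offset, also in 32-bit words
    if not 20 <= offset <= len(segment):
        raise ValueError("bad TCP data offset")
    layers.append(("L4", "segment", f"port {sport} -> port {dport}"))
    layers.append(("L5-7", "data", segment[offset:]))
    return layers

REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"   # constructed application data
print(*de_encapsulate(encapsulate(REQUEST)), sep="\n")
```

The length checks at each layer matter in practice: a parser that trusts the header-length fields of a frame it did not build will read past the end of short or malformed input.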
Mnemonic to Remember the Layers:
From Layer 7 to Layer 1: All People Seem To Need Data Processing
(Application, Presentation, Session, Transport, Network, Data Link, Physical)
From Layer 1 to Layer 7: Please Do Not Throw Sausage Pizza Away
(Physical, Data Link, Network, Transport, Session, Presentation, Application)
OSI Model vs. TCP/IP Model
The TCP/IP model is a more practical, four-layer model used in real-world networking:
• Application Layer (combines OSI Layers 5, 6, 7)
• Transport Layer (OSI Layer 4)
• Internet Layer (OSI Layer 3)
• Network Access/Link Layer (combines OSI Layers 1, 2)
For the CC exam, you should understand both models and be able to map between them.
Security Controls at Each Layer – Summary Table
• Layer 7 (Application): WAFs, content filtering, anti-malware, application whitelisting
• Layer 6 (Presentation): TLS/SSL encryption, data loss prevention
• Layer 5 (Session): Session timeout policies, authentication mechanisms
• Layer 4 (Transport): Stateful firewalls, port blocking, TLS
• Layer 3 (Network): Packet-filtering firewalls, IPSec VPNs, routers with ACLs
• Layer 2 (Data Link): VLANs, 802.1X, MAC filtering, switch port security
• Layer 1 (Physical): Physical security controls, cable management, locked server rooms
Exam Tips: Answering Questions on OSI Model and Network Layers
1. Know the layers and their order.
This is non-negotiable. You must be able to identify each layer by its number and name instantly. Use the mnemonics above to commit them to memory.
2. Understand what each layer does – focus on the function, not just the name.
Exam questions will often describe a function and ask which layer it belongs to. For example: "Which layer is responsible for logical addressing and routing?" – The answer is Layer 3 (Network).
3. Know which protocols and devices belong to which layer.
A very common question type is associating protocols (like TCP, IP, HTTP) or devices (like routers, switches, hubs) with the correct OSI layer. Remember:
• Routers = Layer 3
• Switches = Layer 2
• Hubs/Repeaters = Layer 1
• Firewalls can operate at Layers 3, 4, or 7 depending on type
4. Understand the data unit names at each layer.
Questions may ask what data is called at a specific layer:
• Layers 5-7: Data
• Layer 4: Segments (TCP) / Datagrams (UDP)
• Layer 3: Packets
• Layer 2: Frames
• Layer 1: Bits
5. Understand encapsulation and de-encapsulation.
Know that data moves down the stack with headers added (encapsulation) and moves up the stack with headers removed (de-encapsulation).
6. Focus on security implications at each layer.
The CC exam is a security certification, so expect questions that tie the OSI model to security. Know which attacks target which layers and which security controls protect at each layer.
7. Know the difference between TCP and UDP.
This is a heavily tested topic:
• TCP = connection-oriented, reliable, uses three-way handshake (SYN, SYN-ACK, ACK)
• UDP = connectionless, faster, no guaranteed delivery
• Both operate at Layer 4
8. Be able to map OSI layers to the TCP/IP model.
Some questions may reference the TCP/IP model, so understanding the mapping between the two models is important.
9. Use the process of elimination.
If a question describes a scenario and you are unsure of the exact layer, eliminate the layers you know are incorrect. For example, if the question involves IP addresses, it cannot be Layer 1 or Layer 2 – it must be Layer 3.
10. Watch for keyword triggers in questions.
Certain keywords immediately point to specific layers:
• MAC address, frame, switch → Layer 2
• IP address, router, packet, routing → Layer 3
• Port number, TCP, UDP, segment → Layer 4
• Encryption, formatting, compression → Layer 6
• HTTP, FTP, SMTP, DNS → Layer 7
11. Remember that the OSI model is conceptual.
In practice, real-world protocols do not always fit neatly into one layer. However, for the exam, treat the model as clearly defined with distinct boundaries between layers.
12. Practice with scenario-based questions.
The CC exam often uses scenarios. Practice identifying which OSI layer is relevant in real-world situations, such as: "A user cannot access a website. The security team discovers that the DNS server is not responding." – DNS operates at Layer 7 (Application).
By mastering the OSI model and understanding how security principles apply at each layer, you will be well-prepared to answer related questions on the ISC2 CC exam confidently and accurately.