OSI Security


Security In OSI Stack

Introduction to the OSI layer

How OSI was created and why
Comparison with TCP/IP
Layers:
Application layer
Presentation layer
Session layer
Transport layer
Network layer
Data link layer
Physical layer
Conclusion
Resources
Open Systems Interconnection (OSI)
Each layer supports the layers above it and offers services to the layers below
Each layer performs a unique and specific task
A layer only has knowledge of its neighbouring layers
A layer's service is independent of its implementation

An attempt at a framework for developing networking technologies
OSI became a tool for explaining networking in general
Before OSI was created, people built their software/hardware as they wanted it to be; there was no compatibility. Now OSI is used as a rule set for all vendors to build their software/hardware using the standards.
Protocol Reference Model of OSI

II OSI Overview

1. OSI – a layered framework for the design of network systems that allows communication across all types of computer systems.
2. The OSI 7 layers (brief functional overview).
3. Vertical and horizontal communication between the layers using interfaces (an interface defines what information and services a layer should provide to the layer above it).
• Connection & termination to media
• Modulation – conversion of digital data to signals

Points 2 remember
Parallel SCSI buses operate in this layer
PS: Logical SCSI protocol is transport layer protocol & runs over this bus
DATA UNIT: BIT
VULNERABILITIES
• Van Eck Phreaking – remote eavesdropping on the signals in a CRT or VDT
• Loss of Power &/or Environmental Control
• Physical Theft, Damage or Destruction of Data and Hardware
• Unauthorised changes to the functional environment (data connections, removable media, adding/removing resources)
• Disconnection of Physical Data Links
• Undetectable Interception of Data
• Keystroke & Other Input Logging
CONTROLS
• Locked perimeters and enclosures
• Electronic lock mechanisms for logging & detailed authorisation
• Video & Audio Surveillance
• PIN & password secured locks
• Biometric authentication systems
• Data Storage Cryptography
• Electromagnetic Shielding
• physical addressing; Bridges, Layer 2 Switches
• network topology
• line discipline (how end systems will use the network link)
• error notification
• ordered delivery of frames
Points 2 remember
Flow control using the selective repeat Sliding Window Protocol.
Arranges bits into logical sequences called frames.
DATA UNIT: FRAMES
LLC LAYER
• Connections b/w applications running on a LAN
• flow control to the upper layer by means of ready/not ready codes
• sequence control bits
MAC LAYER
• Provides orderly access to the LAN
medium.
• defines a hardware, or data-link address
called the "MAC address"
VULNERABILITIES
• War-driving – traveling around public areas & randomly accessing 802.11 wireless access points with lax or default security settings
• MAC Address / ARP Spoofing
• VLAN circumvention
• Spanning Tree errors
• Switches
– VLAN trunking protocol vulnerabilities
– negotiate access to multiple VLANs
– VLAN traffic flooding
Points 2 remember
Wardriving is a layer 1 & 2 vulnerability
CONTROLS
• MAC Address Filtering – identifying stations by address and cross-referencing physical port or logical access
• Do not use VLANs to enforce secure designs; keep security zones physically isolated from one another, with policy engines such as firewalls between them.
• Wireless applications must be carefully evaluated for unauthorised access exposure.
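The MAC address filtering and ARP monitoring controls above, as an added example that is not part of the slides: it runs over constructed ARP-reply log lines, cross-references each MAC against the physical port it is allowed on, and flags an IP answered by more than one MAC. The log format, the addresses, the port names and the allow-list are all assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample: each line is "<ip> <mac> <switch-port>" as seen in an ARP reply.
# The format, addresses and port names are assumptions for this example.
SAMPLE_ARP_LOG = """\
10.0.0.1 aa:bb:cc:00:00:01 Gi1/0/1
10.0.0.2 aa:bb:cc:00:00:02 Gi1/0/2
10.0.0.1 aa:bb:cc:00:00:01 Gi1/0/1
10.0.0.1 de:ad:be:ef:00:99 Gi1/0/7
10.0.0.3 aa:bb:cc:00:00:03 Gi1/0/9
"""

# Constructed allow-list for MAC address filtering: MAC -> the physical port it must appear on.
MAC_PORT_ALLOWLIST = {
    "aa:bb:cc:00:00:01": "Gi1/0/1",
    "aa:bb:cc:00:00:02": "Gi1/0/2",
    "aa:bb:cc:00:00:03": "Gi1/0/3",
}


def parse_arp_log(text):
    """Yield (ip, mac, port) tuples with MACs lower-cased; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ip, mac, port = parts
        yield ip, mac.lower(), port


def find_arp_anomalies(text, allowlist):
    """Return alert strings for two data link layer symptoms:
    a MAC that is unknown or seen on a port other than its assigned one (MAC filtering),
    and an IP claimed by more than one MAC (the classic sign of ARP spoofing)."""
    ip_to_macs = defaultdict(set)
    alerts = []
    for ip, mac, port in parse_arp_log(text):
        ip_to_macs[ip].add(mac)
        expected = allowlist.get(mac)
        if expected is None:
            alerts.append(f"unknown MAC {mac} on {port} claiming {ip}")
        elif expected != port:
            alerts.append(f"MAC {mac} expected on {expected} but seen on {port}")
    # Cross-reference after the pass: an IP answered by several MACs is suspicious.
    for ip, macs in ip_to_macs.items():
        if len(macs) > 1:
            alerts.append(f"IP {ip} claimed by multiple MACs: {sorted(macs)}")
    return alerts
```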
• Quality of service requested by the Transport Layer
• Routing
• Path determination
• Devices and protocols:
– IP, IPX, Routers, Routing Protocols (RIP, IGRP, OSPF, BGP etc.), ARP, RARP, ICMP.

Points 2 remember
Might perform fragmentation and reassembly, and report delivery errors.
DATA UNIT: PACKET
VULNERABILITIES
• Route spoofing – propagation of false network topology
• IP Address Spoofing – false source addressing on malicious packets
• Identity & Resource ID Vulnerability – reliance on addressing to identify resources
CONTROLS
• Route policy controls – use strict anti-spoofing and route filters at network edges
• Firewalls with strong filter & anti-spoof policy
• ARP/Broadcast monitoring software
• Implementations that minimise the ability to abuse protocol features such as broadcast
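The strict anti-spoofing filter at the network edge described above, as an added example that is not part of the slides: a packet's source address must belong to a prefix expected on the interface it arrived on, and internal or private ranges are never accepted from the outside. The interface names, prefixes and bogon list are assumptions for this example.

```python
import ipaddress

# Constructed edge-router view (assumed interface names and prefixes): the source
# prefixes that may legitimately arrive on each interface.
INTERFACE_PREFIXES = {
    "inside": [ipaddress.ip_network("192.0.2.0/24")],
    "outside": [ipaddress.ip_network("0.0.0.0/0")],
}

# Sources that must never arrive from the outside interface: our own address space
# (a spoof of an internal host) and private/loopback ranges (bogons).
BOGON_FROM_OUTSIDE = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]


def ingress_verdict(iface, src_ip):
    """Return "accept" or "drop: <reason>" for a packet with source src_ip seen on iface."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return "drop: malformed source address"
    if iface not in INTERFACE_PREFIXES:
        return "drop: unknown interface"
    if iface == "outside" and any(addr in net for net in BOGON_FROM_OUTSIDE):
        return "drop: spoofed or bogon source"
    # Strict reverse-path style check: the source must belong to a prefix expected here.
    if not any(addr in net for net in INTERFACE_PREFIXES[iface]):
        return "drop: source not expected on this interface"
    return "accept"


def filter_packets(packets):
    """Apply ingress_verdict to (iface, src_ip) pairs and keep only accepted sources."""
    return [src for iface, src in packets if ingress_verdict(iface, src) == "accept"]
```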
• Multiplexing upper layer applications; the establishment, maintenance, and orderly termination of virtual circuits
• Sequencing – Acknowledgements & Flow Control (Windowing)
• Transport fault detection and recovery
• Tunneling protocols operate at the Transport Layer
Points 2 remember
Perform segmentation and reassembly, and report delivery errors.
DATA UNIT: SEGMENT
VULNERABILITIES
• Mishandling of undefined, poorly defined, or “illegal” conditions
• Differences in transport protocol implementation allow “fingerprinting” and other enumeration of host information
• Overloading of transport-layer mechanisms such as port numbers limits the ability to effectively filter and qualify traffic.
• Transmission mechanisms can be subject to spoofing
CONTROLS
• Strict firewall rules limiting access to specific transmission protocols & subprotocol information such as TCP/UDP port number or ICMP type
• Stateful inspection at the firewall layer, preventing out-of-state packets, “illegal” flags & other phony packet profiles from entering the perimeter
• Stronger transmission and session layer identification mechanisms to prevent the attack and takeover of communications
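The stateful inspection control above, as an added example that is not part of the slides: it rejects TCP flag combinations that never occur in a legitimate connection and drops packets that do not belong to a connection opened by a SYN. The connection table is deliberately minimal (no sequence numbers, timers or half-close states) and the packet fields are constructed inputs.

```python
# TCP flag bits (from the TCP header); names match the usual abbreviations.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def illegal_flags(flags):
    """Return a reason if the flag combination can never occur in a legitimate
    connection (the "illegal" profiles the control above refers to), else None."""
    if flags == 0:
        return "null scan (no flags)"
    if flags & SYN and flags & FIN:
        return "SYN+FIN"
    if flags & SYN and flags & RST:
        return "SYN+RST"
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG):
        return "XMAS flags"
    if flags & FIN and not flags & ACK:
        return "FIN without ACK"
    return None


class StatefulFilter:
    """Minimal connection table keyed by (src, sport, dst, dport).
    Only a SYN may open an entry; everything else must match an existing one.
    Real firewalls also track sequence numbers, timers and half-closed states."""

    def __init__(self):
        self.table = {}  # initiator 4-tuple -> "syn_sent" | "established"

    def inspect(self, src, sport, dst, dport, flags):
        reason = illegal_flags(flags)
        if reason:
            return f"drop: {reason}"
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        key = fwd if fwd in self.table else rev if rev in self.table else None
        if key is None:
            if flags & SYN and not flags & ACK:  # bare SYN opens a new connection
                self.table[fwd] = "syn_sent"
                return "accept: new connection"
            return "drop: out-of-state packet"
        if flags & (RST | FIN):  # teardown (simplified: no half-close tracking)
            del self.table[key]
            return "accept: teardown"
        if self.table[key] == "syn_sent" and flags & ACK:
            self.table[key] = "established"
        return "accept: in-state"
```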
• Dialogue control, i.e. establishes, manages and terminates dialogues or "sessions"
• Establishes checkpointing, adjournment, termination, and restart procedures
• Dialogs can be
– simplex (one-way)
– half-duplex (alternate)
– full-duplex (bi-directional)
Points 2 remember
Implemented explicitly in application environments that use remote procedure calls.
DATA UNIT: SPDU
VULNERABILITIES
• Weak or non-existent authentication mechanisms
• Passing of session credentials such as user ID and password in the clear, allowing intercept and unauthorised use
• Session identification may be subject to spoofing and hijack
• Leakage of information based on failed authentication attempts
• Unlimited failed sessions allow brute-force attacks on access credentials
CONTROLS
• Encrypted password exchange and storage
• Accounts have specific expirations for credentials and authorisation
• Protect session identification information via cryptographically random means
• Limit failed session attempts via a timing mechanism, not lockout
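The "timing mechanism, not lockout" control above, as an added example that is not part of the slides: each failed attempt doubles the delay before the next attempt for that principal is accepted, capped and forgotten after a quiet period, so brute force is slowed without giving anyone a way to lock a legitimate user out. The delay values and the time-as-parameter style are assumptions for this example.

```python
class FailureThrottle:
    """Per-principal exponential backoff. After n failures the next attempt is
    not accepted until base_delay * 2**(n-1) seconds (capped at max_delay) have
    passed since the last failure. The account is never locked, so deliberate
    failures cannot be used to deny service to the real user."""

    def __init__(self, base_delay=1.0, max_delay=300.0, reset_after=3600.0):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.reset_after = reset_after  # forget failures this long after the last one
        self._state = {}                # principal -> (failure_count, last_failure_time)

    def delay_for(self, failures):
        """Seconds an attempt must wait after the given number of consecutive failures."""
        if failures == 0:
            return 0.0
        return min(self.base_delay * 2 ** (failures - 1), self.max_delay)

    def may_attempt(self, principal, now):
        """Return (allowed, seconds_still_to_wait); now is a timestamp in seconds."""
        failures, last = self._state.get(principal, (0, 0.0))
        if failures and now - last >= self.reset_after:
            self._state.pop(principal, None)  # quiet period elapsed: clean slate
            return True, 0.0
        wait = self.delay_for(failures) - (now - last)
        return (True, 0.0) if wait <= 0 else (False, wait)

    def record(self, principal, success, now):
        """Update the failure counter after an attempt that was actually evaluated."""
        if success:
            self._state.pop(principal, None)
        else:
            failures, _ = self._state.get(principal, (0, 0.0))
            self._state[principal] = (failures + 1, now)


def attempt_login(throttle, principal, password_ok, now):
    """Check the throttle, then evaluate; returns "ok", "denied" or "throttled".
    A throttled attempt is not counted, so the delay cannot be inflated by retries."""
    allowed, _ = throttle.may_attempt(principal, now)
    if not allowed:
        return "throttled"
    throttle.record(principal, password_ok, now)
    return "ok" if password_ok else "denied"
```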
• Mapping different syntax and semantics
• Formats and encrypts data to be sent across a
network.
• Serialisation of objects & data structures
• Data Compression, Encryption
VULNERABILITIES
• Poor handling of unexpected input can lead to execution of arbitrary instructions.
• Unintentional or ill-advised use of externally supplied input in control contexts may allow remote manipulation or information leakage.
• Cryptographic flaws may be exploited to circumvent privacy protections

Points 2 remember
Format String Vulnerability & Buffer Overflow
DATA UNIT: PPDU
CONTROLS
• Careful specification and checking of input received by applications or library functions
• Separation of user input and program control functions
– sanitised input
• Careful and continuous review of cryptography solutions
• Provides a set of interfaces for applications to
obtain access to networked services
• End-user interface
• Performing input to and output from mass
storage devices.
• Transferring information to hosts
VULNERABILITIES
• Open design issues allow free use of application resources by unintended parties
• Backdoors and application design flaws bypass standard security controls
• Inadequate security controls force an “all-or-nothing” approach, resulting in either excessive or insufficient access.
• Overly complex application security controls tend to be bypassed or poorly understood and implemented.
• Program logic flaws may be accidentally or purposely used to crash programs or cause undesired behaviour
CONTROLS
• Application level access controls to define and enforce access to application resources. Controls must be detailed, flexible, straightforward.
• Standards, testing, and review of application code and functionality – a baseline.
• IDS systems to monitor application activity
• Host-based firewall systems can regulate traffic by application, preventing unauthorised or covert use of the network
OSI Summary
I History
1. The need for standardisation
- many vendors, no interoperability
- no common framework
2. ISO and CCITT came up with OSI (Open Systems Interconnection) in 1984.
3. OSI Protocol Suite – unaccepted by vendors and users. (TCP won)
4. OSI – a standard which allows communication between different systems without requiring changes to the logic of the underlying hardware and software.
Layer abstraction and the path of the message

OSI Overview

4. Data Encapsulation
a) PDU conception – each protocol on a different layer has its own format.
b) Headers are added while a packet is going down the stack at each layer.
c) Trailers are usually added on the second layer.
Pretty similar to OSI
TCP/IP has fewer layers (four)
The main difference in layers is after layer 4
Applications and services run on it
Enables the human network to interface with the underlying data network
Applications on that layer (e-mail clients, web browsers, chats, etc.) – top-stack applications (as people are on the top of the stack)
Applications provide people with a way to create messages
Application layer services establish an interface to the network
Protocols provide the rules and formats that govern how data is treated
Protocols on the source and destination hosts must match

III The OSI Layers

7. Application Layer
◦ Provides user interfaces and support for services
◦ Resource sharing and device redirection
◦ Remote file access
◦ Remote printer access
◦ Inter-process communication
◦ Network management
◦ Directory services
◦ Electronic messaging (such as mail)
◦ Network virtual terminals
Coding and conversion of Application layer data to ensure that data from the source device can be interpreted by the appropriate application on the destination device.
Compression of the data in a manner that can be decompressed by the destination device.
Encryption of the data for transmission and the decryption of data upon receipt by the destination.
This is the layer at which application programmers consider data structure and presentation.
Examples: GIF, JPEG, TIFF, etc.
Sometimes no distinction is made between the presentation and application layers. For example HTTP/HTTPS: HTTP is generally regarded as an application layer protocol although it has Presentation layer aspects such as the ability to identify character encoding for proper conversion.

The OSI Layers

6. Presentation Layer
◦ Translation (connects different computer systems)
◦ Compression (transmission efficiency)
◦ Encryption (SSL security)
Functions at this layer create and maintain dialogs between source and destination applications
Authentication
Permissions
Session Restoration (Checkpoint or recovery)

The OSI Layers

5. Session Layer
◦ Session establishment, maintenance and termination (deciding who sends, and when)
◦ Session support (security, name recognition, logging)
Tracking the individual communication between applications on the source and destination hosts
Segmenting data and managing each piece
Reassembling the segments into streams of application data
Identifying the different applications
Conversation Multiplexing
Segments
Connection-oriented conversations
Reliable delivery
Ordered data reconstruction
Flow control
TCP – Web Browser
UDP – Video Streaming Applications

The OSI Layers

4. Transport Layer
◦ Connectionless and connection-oriented services
◦ Process-Level Addressing
◦ Multiplexing and Demultiplexing
◦ Segmentation, Packaging and Reassembly
◦ Connection Establishment, Management and Termination
◦ Acknowledgments and Retransmissions
◦ Flow Control
Addressing (IPv4)
Encapsulation (inserts a header with source and destination IPs)
Routing (moves a packet over the Internet)
Decapsulation (opens the packet and checks the destination host)
IP is connectionless

The OSI Layers

3. Network Layer
◦ Logical Addressing
◦ Routing (where the packet is destined to)
◦ Datagram Encapsulation
◦ Fragmentation and Reassembly (handling too-big packets)
◦ Error Handling and Diagnostics (using status messages, for example)
End to end packet delivery
It is the role of the OSI Data Link layer to prepare Network layer packets for transmission and to control access to the physical media.
Allows the upper layers to access the media using techniques such as framing
Controls how data is placed onto the media and is received from the media using techniques such as media access control and error detection
Frame – the Data Link layer PDU
Node – the Layer 2 notation for network devices connected to a common medium
Media/medium – the physical means for the transfer of information between two nodes
Network – two or more nodes connected to a common medium
The Data Link layer is responsible for the exchange of frames between nodes over the media of a physical network.

The OSI Layers

2. Data Link Layer
2.1. Logical Link Control (LLC)
◦ Establishment and control of logical links between local devices on a network.
2.2. Media Access Control (MAC)
◦ The procedures used by devices to control access to the network medium.
• Frame sequencing
• Frame acknowledgment
• Addressing
• Frame delimiting
• Frame error checking
• PDU: frame
The role of the Physical layer is to encode the binary digits that represent Data Link layer frames into signals and to transmit and receive these signals across the physical media that connect network devices.
Copper cable
Fiber
Wireless

The OSI Layers

1. Physical Layer
• Definition of Hardware Specifications (of cables, connectors, wireless radio transceivers, network interface cards)
• Encoding and Signalling (bit representation)
• Data Transmission and Reception (half duplex, full duplex)
• Topology and Physical Network Design (mesh, ring, bus)
• PDU: bit
The way people learn networking
A standard for software
A standard for hardware
Seven-layer architecture
Each layer is independent of the others
Similar to TCP/IP (TCP/IP explained)
OSI is used as a model for developing network-aware applications (here I mean that people use its structure to model software)
