Can S/MIME, XML and IPsec operate in one protocol layer?
Is it possible (or even feasible) to have a universal security system at one layer in the protocol stack? Could you, for example, have S/MIME and XML with IPsec operating all in one layer?
It is possible to build security systems that reside within a single layer of the OSI model, but I'm not quite sure why you would want to limit yourself. The OSI model is really a theoretical device used to help explain how the network and Internet function. When you secure Web communications using SSL, you're technically using a single layer of the OSI model, since SSL works at the transport layer. The security paradigm of defense in depth dictates that more should be done to protect the infrastructure. For example, use a firewall operating at the network layer to limit the traffic reaching the Web server. To block known malicious traffic, you probably also want to implement an intrusion prevention system working at all layers from network through application.
Your question points at this paradigm as well. You mentioned the use of three different technologies in your security system: XML with S/MIME and IPsec. Each of these operates at a different layer of the OSI model: S/MIME runs at the application layer, IPsec runs at the network layer and XML is a presentation layer protocol.
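The following is an added illustration, not part of the original question or answer, of why the three mechanisms sit at different layers and therefore protect different scopes: an S/MIME-style application-layer check spans the whole path from sender to recipient, while an IPsec-style network-layer check covers only one hop between two hosts. Real S/MIME uses public-key signatures and IPsec uses ESP/AH; to keep the model runnable on the standard library alone, both are represented here by HMAC-SHA256 tags, and the keys, the mail path (Alice to a relay to Bob) and the message text are constructed assumptions.

```python
"""Toy model (added example, not from the original page): end-to-end
(S/MIME-like, application layer) versus hop-by-hop (IPsec-like, network
layer) integrity protection.  Both are modelled with HMAC-SHA256 so the
script runs offline; real S/MIME and IPsec use different primitives."""

import hmac
import hashlib

# Constructed keys (assumptions).  The S/MIME key is held only by the two
# endpoints; each IPsec key is held only by the two hosts on one hop.
SMIME_KEY_ALICE_BOB = b"end-to-end-key"
IPSEC_KEY_ALICE_RELAY = b"hop-1-key"
IPSEC_KEY_RELAY_BOB = b"hop-2-key"


def protect(payload: bytes, key: bytes) -> tuple[bytes, bytes]:
    """Return (payload, tag): models applying protection at one layer."""
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return payload, tag


def verify(payload: bytes, tag: bytes, key: bytes) -> bool:
    """Constant-time tag check at the layer that owns `key`."""
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def deliver(message: bytes, relay_tampers: bool) -> dict:
    """Carry `message` Alice -> relay -> Bob and report what each layer saw."""
    # Application layer (S/MIME analogue): Alice protects the message once,
    # end to end, with a key the relay never holds.
    body, smime_tag = protect(message, SMIME_KEY_ALICE_BOB)

    # Network layer (IPsec analogue), hop 1: the packet carrying body+tag is
    # protected only between Alice's host and the relay.
    packet = body + smime_tag
    _, ipsec_tag1 = protect(packet, IPSEC_KEY_ALICE_RELAY)

    # The relay terminates the first tunnel: it verifies hop 1 ...
    hop1_ok = verify(packet, ipsec_tag1, IPSEC_KEY_ALICE_RELAY)
    # ... and now holds the bare packet.  A compromised relay can alter it.
    if relay_tampers:
        body = body.replace(b"$100", b"$999")

    # The relay re-protects the (possibly altered) packet for hop 2 with a
    # key it legitimately owns, so Bob's network-layer check passes.
    packet2 = body + smime_tag
    _, ipsec_tag2 = protect(packet2, IPSEC_KEY_RELAY_BOB)
    hop2_ok = verify(packet2, ipsec_tag2, IPSEC_KEY_RELAY_BOB)

    # Only the application-layer check spans the whole path.
    smime_ok = verify(body, smime_tag, SMIME_KEY_ALICE_BOB)
    return {"hop1_ipsec_ok": hop1_ok, "hop2_ipsec_ok": hop2_ok,
            "smime_ok": smime_ok, "body": body}


if __name__ == "__main__":
    for tamper in (False, True):
        r = deliver(b"Pay $100 to vendor", relay_tampers=tamper)
        print(f"relay tampers={tamper}: IPsec hop checks ok="
              f"{r['hop1_ipsec_ok']},{r['hop2_ipsec_ok']}; "
              f"S/MIME check ok={r['smime_ok']}; body={r['body']!r}")
```

Run as a script: with an honest relay every check passes; with a tampering relay both hop-by-hop checks still pass, because each tunnel was set up by a host that is allowed to re-protect the packet, and only the end-to-end check fails. That is the practical reason for combining layers rather than collapsing them into one: each layer answers a different question about who could have altered the data and where.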
This was first published in April 2009