Mastering CISSP Domain 4: Network security
This Security School is a free multimedia learning guide designed to help you understand and address the strategic and tactical implications of this topic.
Even if you're unfamiliar with networking, you've probably heard of the Open Systems Interconnection (OSI) model. Each of the seven OSI model layers depicts a different function in software or hardware, representing different mechanisms through which devices communicate on a network.
Understanding the basic tenets of the OSI model is imperative to preparing for Domain 4, Communication and Network Security, of the CISSP certification exam. In this video, expert Adam Gordon, lead editor of the Official (ISC)² Guide to the CBK, Fourth Edition, guides viewers through each of the OSI model layers, as well as their relevant sub-layers and protocols.
CISSP® is a registered mark of (ISC)².
The following is a full transcript of Adam Gordon's video.
Transcript - The OSI model layers explained: Get to know the network
Hello and welcome to our discussion around Applying Secure Design Principles to Network Architectures. We'll be taking a look at the following topics within the module. If you take a look on the screen in front of you, you'll see we're going to be talking about layering models, open system interconnect models, so what the OSI model layers are. The TCP/IP reference model, how the two are related to one another, how they differ. Internet protocol networking, so what is IP? How do we apply it? How do we use it? Directory services, LDAP-based solutions. HTTP proxying. The implication of multilayer protocols, converged protocols, multi-protocol label switching (MPLS), voice over internet protocol (VoIP). We'll take a look at wireless technologies and wireless networks. We'll talk about spread spectrum. We'll take a look at wireless security issues, cryptography to maintain communication security. We'll talk about how certificates are used, and the securing of networking components.
As we begin our conversations around layering and layering models, there are two very common layering models, the OSI model layers and the TCP/IP or Department of Defense, what's commonly known as the DoD model that we often refer to. They help us to understand how to put the organizational thought process and the formality around what happens in the network top to bottom as we move to process information into perspective. Why don't we take a look at both? We'll start with the OSI model, and begin to deconstruct it, help us to understand what it is, what layers make it up, what functionality is at every OSI model layer. After we're done expounding on and explaining those things, we'll compare the two, and see where they're similar, and also see where they're different.
Understanding the OSI model
We can see in front of us we have the model laid out. We have all the OSI model layers. Most of us probably have some background with the OSI model. You may have come across it before formally in studies around getting ready for a certification or learning more about networking. A lot of us if we have been network administrators or have background with this information, security professionals, you may have come into contact with one or more aspects of the OSI model at some point. But the reality is, regardless of how you get there, regardless of what you do or don't know about OSI model layers already, we're going to quickly go through, explain what happens in each layer, make sure we're comfortable with all the information about it. And then once we've done that we'll be able to move on and take a quick look at the DoD model, compare the two, and then continue our conversations.
The OSI model is a seven-layer model, you could see it laid out in front of you on the screen. Whether we go from the bottom up, from physical layer up through application, or from the top down, from the application down into physical and then out of the computer as a result, the model is bidirectional, so it does work in both directions. It doesn't matter which way the flow of information around the use of the model is going to be focused. We just have to make sure that we're constantly looking at the model with one thought process in terms of understanding all the interactions and OSI model layers on how they build on each other.
Layer 7: Application layer
If we start at the top with the application layer, you could see that we are talking about network-related application programs. This is going to be where users interact with the model. This is where perhaps me sitting at my computer, showing you information using PowerPoint or some sort of program on a screen are going to actually, or we are going to actually interact, and I'm going to be able to actually interact with and see the data. So this is an example of the application layer.
Layer 6: Presentation layer
So we move down from the application layer into the presentation layer, from Layer 7 down to Layer 6. We will see standardization of data presentation to applications occurring. This is going to be where we are translating, interacting with formatting and things of that nature. So we're taking data from the application layer and we are consistently understanding what's there. When we are moving up the OSI model layers, we are finalizing the presentation of that data, making it look pretty for users on the screen. As we're moving down the layer, we're taking that data, we're deconstructing it or beginning to anyway, taking a PowerPoint slide or a Word document or a web page, and starting to deconstruct it and breaking it down into its constituent parts. And ultimately, we're going to try to get that data reduced down into binary information that's going to flow in and out of the computer across the physical layers, connectivity devices, and out onto a network, to a LAN, and then ultimately to a WAN, to a determined endpoint somewhere else, be processed back up the model on the other side, and have that data ultimately reconstituted.
At the presentation layer, we're focusing on deconstructing the data, removing formatting, understanding data types, and beginning to deconstruct and delayer the data, move away from the formatting and the formality of the presentation of data that is in human ready format, and move it or start moving it down towards what ultimately become basically binary packetized data.
Layer 5: Session layer
So we move down into the session layer, from 7, now through 6 to Layer 5. We're thinking about the management of sessions between applications. We're focusing on what I would think of as the rules of engagement or the rules of the game. The layering there or the appropriate functionality within the session layer is really going to be focusing on how we establish session connectivity, how we establish a session, a connection between two endpoints that's going to be used to exchange information, what the rules are that structure that layering, what the rules are that structure that session, and how we're then going to manage it, is what we focus on in the session layer. We're not establishing the session there, but we're focusing on how to manage it, set it up, and ultimately what the engagement around that session will look like. We're going to establish that session and interact with it through the physical layer at the bottom of the system model, or we're going to keep moving down in order to get there.
Layer 4: Transport layer
The transport layer. So we're now from seven to six to five down to four in the OSI model layers, in the transport layer. The transport layer is end-to-end error detection and correction. This is where we're going to package up data, where we're going to make sure, in this case, start deconstructing data into packets and packaging it up, and putting labels on it for shipping purposes to understand how to make sure it gets to where it needs to go, making sure that we understand how to packet it up safely and securely so that way we have a header, we have our data packet in the middle, whatever the data frame is going to contain. And we have the trailer of the data packet, the header is going to have the addressing information, the send to and from information, the protocols and all those things. And then on the trailer on the backend of the data packet, we're going to have error control and correction. So we're going to have the ability to basically sandwich our data in between two areas, we're going to act as shipping container information, and act as error control management information, and these two things, sandwich and package, in such a way the data between them that it protects the data and ensures that it will get there.
Layer 3: Network layer
I'm at the networking layer, so we move down into Layer 3 of the OSI model layers. We're thinking of management of connections across the network. How do we set up, maintain and manage those connections? How are we going to be able to use Layer 3 functionality? For instance, to be able to route data from point A to point B using Internet Protocol routing. Whereas at Layer 4 we're going to be looking at transport, we're going to be looking at TCP, and so obviously TCP/IP, that's two protocols combined together in functionality, are going to be operating across Layer 4 and Layer 3. We're going to be looking at Internet Protocol connectivity at Layer 3, and looking at things like IP addressing and interacting with the IP address in the data header at this layer.
Layer 2: Data link layer
In Layer 2, the data-link layer, reliable data delivery will include what are known as the LLC and MAC sublayers. Layer 2 of the model is the only layer that has identified sub-layers within it. The LLC layer, the logical link control layer and the MAC sub-layer, as in the MAC address, media access control sub-layer, these two sub-layers are going to add additional functionality, additional flavor, and additional functionality and thought processes to the mix that we are creating with the OSI model layers. We're going to be focusing on Layer 2 functionality here, so we're going to be looking at MAC addresses. Therefore, we're going to be able to look at how to deliver, send, or receive, and understand how to route information not based on IP at this layer but based on MAC addresses. So functionality here would include hardware like bridges as opposed to Layer 3 which would include routers, and certainly Layer 2 and Layer 3 can include switches in terms of functionality as well.
Layer 1: Physical layer
And then at Layer 1, physical layer of the OSI model, physical characteristics of the network media are discussed and interacted with. This is where if we turn a system around, look at it from the back if it's a desktop, or look at it on the side if it's a laptop, and we see where we plug in our network cable, or we look at the wireless network card and see where it connects and the actual connection that's being made. When we look at the physicality of connectivity, this is what we see at the physical layer. So we're looking at the actual network card itself, how fast is it? What kind of card is it? What kind of cabling are we using as a transmission medium, is it fiber optic, is it copper wire, is it wireless? These are things that we will concern ourselves with at the physical layer.
Understanding interactions between layers
When we add all the functionality together from Layer 7 through Layer 1, and we create that complete picture of data in an application being deconstructed through the various phases required to package it up, get it ready, and send it out onto the network, and then we move that data through the network, again, the LAN or the WAN or anything in between. And then, as a result, we come up against the defined endpoint where we are delivering to, let's just say hypothetically it's machine B, and machine A is where we send from. When we get to machine B on the other side, we receive that packet at machine B, at Layer 1, the physical layer of the OSI model. We then move the packet up into Layer 2. We do a quick analysis and a quick scan of the packet. We look at the header information. Make sure the MAC address matches at the sub-layer and the data-link layer. If the MAC address matches the receive MAC address, the send-to in other words as opposed to the from, since we're receiving the packet, we will do a quick sanity check to make sure there is error control and correction that's been put in place; the LLC layer helps us to do that. We check the integrity of the packet. We check the address of the packet. If the MAC address matches our endpoint MAC address, and if the packet is seen to have integrity with the data, we will then continue processing the data up the OSI model through Layer 3 all the way up through Layer 7.
If we see that the MAC address doesn't match, we simply bundle the packet back up, in effect push it back out the physical layer and send it on its way because it's not meant for us. So the logic of the OSI model layers allows us to both process data from an application all the way out through the send function, across the wire, and then back up the other side into the recipient endpoint, make sure that there's a sanity check there for proper address, proper data type and validity. Make sure there's no error there, and if there is none we then go ahead and we process that data. And then if there is some sort of problem we push the packet away. We may ask for a resend if it's a TCP-based packet, with some sort of 3-way handshake and validation of recipient and sender information. If it is a UDP-based packet, connectionless, no guarantee of delivery, we're simply going to keep streaming media, keep streaming information, and hope that the application knows how to make up the difference. Whatever that functionality is at the end of the day, this is what the OSI model represents for us.
So when we think about the OSI model layers, we have to think about this holistic approach, this holistic vision of how data moves through a system, and then out of that system, across the network into another system, and how we reverse the order, the processing of that model on the other side to represent that functionality in reverse. Remember the OSI model is seven layers, it is bidirectional, and it allows us to understand the functionality at each layer by clearly describing, clearly defining what the end result, what the function is of that layer as we hand off data from one layer to the next going down, and we move data up the model one layer at a time from lower to higher layers as we process.
Deeper dive: Sub-layers and protocols
Layer 1, remember is the physical layer as we've already described. I've overviewed all the OSI model layers for you, we'll just quickly summarize with some additional slides as we go. So physical topologies are defined at this layer, at Layer 1.
Layer 2, the data-link layer, this is where we are going to make sure that we are taking the final look at error control and correction of the data on the way out with the LLC sub-layer, and taking the first look for error control and correction, and validity, and integrity of the packet coming into the model. So it's our last chance to get things right going out, and our first chance to validate that things are good coming in.
Layer 3, the network layer of the OSI model, we are going to be making sure that we are relying on, as we talked about, not MAC addressing, which is the hardware-based addressing from Layer 2, but at Layer 3 the IP address is being used. Layer 3 devices from a hardware perspective, remember, will be routers, whereas Layer 2 devices will typically be bridges and of course switches, and we can see switches at Layer 3 as well, but we traditionally ascribe enormous switch functionality to Layer 2.
Layer 3 is going to handle IP or use Internet-based protocols, IP protocols as we've talked about. Remember that the IP protocol combined with TCP, TCP/IP together is how we often refer to the two, is used to be able to send and receive information using a connection-oriented, guaranteed delivery process. So just keep that in mind. We address, we do focus on IP in relation to addressing, and also in packet fragmentation, and focus on what the IP addressing manager is for. It's there in terms of being able to break up data into smaller segments or packets, give them a unique identifier, so some sort of an offset ID that allows us to say, "Oh, you're packet 5 of 20," and then we tag you and send you on your way. And on the other side, in the send-receive buffer, when we get the packets we have to then reorder them, put them back together based on that 5 of 20, 4 of 20, 10 of 20 identifiers, stitch the packets together so that they are ultimately received and processed in order. So this is what IP allows us to be able to do.
Layer 3 devices as I said are going to be things like routers, certainly switches make it to Layer 3, but do understand that we traditionally ascribe a switch, a traditional switch, to a Layer 2 position. Layer 3 protocols aside from IP will also include things like OSPF, IGMP, you may be familiar with one or more of these protocols by the way. Both IPv4 and IPv6 will be found at Layer 3. DVMRP, which is Distance Vector Multicast Routing Protocol, and IPsec. Probably you have some familiarity with one or more of these. Certainly IGMP which is going to be fairly common, IPv4 which we all know, and I'm sure all love, IPv6 which may not be as common for some of us but is going to become more common and more prevalent over time, and all the other protocols that we talk about are all ascribed to a Layer 3 functionality specification.
It would be important for this CISSP to make sure that they are aware of the kinds of protocols that exist at certain OSI model layers. We may be asked, what layer of the model does this protocol function at? So it's good to be able to know the answer to that question, and you could see 5 of the common protocols ascribed to Layer 3 sitting on the screen in front of you.
Layer 4, the transport layer as we said creates that end-to-end transportation mechanism between the hosts, the TCP protocol is brought to bear here. Both TCP and UDP exist at Layer 4. Remember TCP, transmission control protocol is going to do the guaranteed delivery and the 3-way handshake that we think about in relation to guaranteed delivery for session management. Whereas UDP, User Datagram Protocol, is considered to be connectionless, meaning it is not a guaranteed delivery protocol, but rather what we call a send and forget protocol as opposed to a send and then acknowledge protocol which is what TCP is often referred to as.
Speaking of UDP, that's what we talked about, it does not ensure the transmissions are received without errors, and it's considered to be a class of protocol, or a protocol that's classified as connectionless, and therefore an unreliable protocol. We do tend to use it with streaming media solutions. So when you're watching a movie on Netflix or you're doing something like that, or streaming music or whatever it may be, UDP is going to be the protocol that's typically used to carry that traffic. Because we could drop a frame here or there and not miss anything overall. If the frame rate, the flicker rate for the movie that you're watching is 30 frames per second and we drop 2 frames per second, you're not really going to miss any action, the movie is going to appear as if it was fully vested with all the frames there. So it doesn't really matter as much if we are dropping one or two packets here or there.
But when we do something like voice transmission, when we're actually talking to somebody, when we're sending packetized data that has to get there and be reconstructed into a Word document on the far side, so that way we know we can print it out and there are no errors, then TCP becomes very important, because we have to guarantee that delivery and ensure that every packet shows up. And not just that it shows up, but that it shows up and is put back together again in the proper sequence order that allows us to interact with the data correctly. The number 5 of 10, number 3 of 5 packet identifier has to be used to stitch that traffic back together again.
I've mentioned the TCP 3-way handshake earlier in our discussion of the OSI model layers, we just want to make sure that we are aware of what the handshake is and how it functions. Take a look on the screen in front of you, you will see we have one endpoint over here. We'll call this a workstation on the left. We have another endpoint over here, it looks more like a server, we'll call that a server on the right. So between the endpoint and the server or between the sender and the recipient, what we're going to do is we're going to set up an initial request for communication. So the workstation is going to send a message over to the server saying, "Hey, I'd like to interact with you." "Hello, this is who I am, who are you?" So that's going to be SYN or a send of a packet that is asking to synchronize and establish connectivity.
So we send the initial SYN packet, the recipient of the initial SYN has to then respond back to us, so every SYN packet that is sent out has to have an ACK or an acknowledgment associated with it. And the way the handshake will work is that for every SYN we send out we expect an acknowledgment to come back and pair with that. And as long as we get an acknowledgment for every one of these SYNs, we then effectively can say that the handshake was complete. So the 3-way handshake is the SYN, SYN/ACK, and then the ACK. Because what we have is, for the first SYN we are getting back an acknowledgment. We are then sending a secondary SYN, a SYN from the recipient now that's going to establish a connection going the other way. And then we need an acknowledgment for that SYN to come back to then fully set up and allow both parties to be able to talk to each other, and agree in effect to exchange information.
And so we refer to the 3-way handshake as a SYN, SYN/ACK, ACK exchange. Every SYN requires an ACK as we said, and as a result of that when we see all three of those packets going back and forth in the appropriate order, with the appropriate representation, we're then saying that we are able to establish the TCP connectivity through the 3-way handshake. Please make sure you're familiar with the idea of the 3-way handshake. Please make sure you're comfortable with the idea behind what it represents in terms of the ability for both parties to send and therefore agree on what communication will look like. And as a result, establish connectivity by agreeing through a SYN/ACK process that they're going to talk to each other.
At Layer 5, the session layer, remember we are providing the logical connections between the peer hosts. We're creating, maintaining, and turning down the sessions at this layer. We're going to govern and control all the rules associated with those sessions. We want to make sure we're aware of that and thinking about that. So session layer, functionality at Layer 5, protocols associated with the session layer, things like Password Authentication Protocol (PAP), Point-to-Point Tunneling Protocol (PPTP) and/or RPC, Remote Procedure Call, are all protocols that will typically be found at Layer 5.
We may have some familiarity, you may have some familiarity with PPTP. You may also know other protocols that are tunneling protocols such as L2TP which is tunneling at Layer 2 as opposed to Layer 5 of the OSI model. So we have different kinds of protocols, different kinds of tunneling protocols that may exist at the different layers of the model depending on what it is that we're looking to accomplish and do.
Layer 6, the presentation layer, this provides services ensuring that applications use common data formats to represent data. The two formats that are most commonly used as you can see are the ASCII and/or EBCDIC formatting. ASCII is the American Standard Code for Information Interchange, and EBCDIC, Extended Binary Code Decimal Interchange Code, this is going to be the name or the extended acronym name for the two format types, the most common of the two format types that are used. So just be aware of the fact that these format types will exist at Layer 6 of the OSI model layers.
At Layer 7, the application layer of the OSI model as we discussed, this is where applications are able to interact with the "portal" or the entry way or the gateway into the stack, the networking stack to process their information. When an application is going to be able to send or receive data or transmit data over the network, it will use services from this layer to access all of the other layers and to be able to ultimately prepare for and then process the data that requires the sending or receiving across the wire. The application layer is going to be where we find APIs, application program interfaces that allow us to be able to call functionality and interact with services, and interact with data from within the system and across the network and across the web with other systems.
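The TCP 3-way handshake that the transcript walks through (SYN, SYN/ACK, ACK, with every SYN paired to an ACK) modeled as a small state machine. This is an added example and is not part of Adam Gordon's video or the (ISC)² guide; the endpoint names, the initial sequence numbers and the Segment and Endpoint classes are constructed for illustration, and nothing is sent on a real network. It goes slightly beyond the transcript by carrying sequence and acknowledgment numbers, which is how a real stack checks that an ACK actually pairs with the SYN it answers, and by showing that a SYN/ACK whose acknowledgment number does not match leaves the workstation stuck in SYN_SENT rather than established.

```python
"""Simulation of the TCP three-way handshake between a workstation and a server.

Constructed example: only the header fields the handshake depends on are modeled.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class State(Enum):
    CLOSED = "CLOSED"
    LISTEN = "LISTEN"
    SYN_SENT = "SYN_SENT"
    SYN_RECEIVED = "SYN_RECEIVED"
    ESTABLISHED = "ESTABLISHED"


@dataclass
class Segment:
    """A TCP segment reduced to addressing, seq/ack numbers and the SYN/ACK flags."""
    src: str
    dst: str
    seq: int
    ack: int
    syn: bool = False
    ack_flag: bool = False

    def flags(self) -> str:
        names = [n for n, on in (("SYN", self.syn), ("ACK", self.ack_flag)) if on]
        return "/".join(names) or "-"


class Endpoint:
    def __init__(self, name: str, isn: int) -> None:
        self.name = name
        self.isn = isn          # initial sequence number announced in this side's SYN
        self.state = State.CLOSED
        self.peer_isn: Optional[int] = None

    def listen(self) -> None:
        self.state = State.LISTEN

    def connect(self, peer: str) -> Segment:
        """Step 1: the workstation sends SYN ('hello, I'd like to talk')."""
        self.state = State.SYN_SENT
        return Segment(self.name, peer, seq=self.isn, ack=0, syn=True)

    def receive(self, seg: Segment) -> Optional[Segment]:
        # Step 2 (server): a SYN on a listening socket is answered with SYN/ACK.
        # The ACK number is the peer's seq + 1, which is how it pairs with their SYN.
        if self.state is State.LISTEN and seg.syn and not seg.ack_flag:
            self.peer_isn = seg.seq
            self.state = State.SYN_RECEIVED
            return Segment(self.name, seg.src, seq=self.isn, ack=seg.seq + 1,
                           syn=True, ack_flag=True)
        # Step 3 (workstation): the SYN/ACK must acknowledge the SYN we sent;
        # if it does not, it is not our handshake and we stay in SYN_SENT.
        if self.state is State.SYN_SENT and seg.syn and seg.ack_flag:
            if seg.ack != self.isn + 1:
                return None
            self.peer_isn = seg.seq
            self.state = State.ESTABLISHED
            return Segment(self.name, seg.src, seq=self.isn + 1, ack=seg.seq + 1,
                           ack_flag=True)
        # Server: the final ACK must pair with the SYN carried in our SYN/ACK.
        if self.state is State.SYN_RECEIVED and seg.ack_flag and not seg.syn:
            if seg.ack == self.isn + 1:
                self.state = State.ESTABLISHED
            return None
        return None


def handshake(client: Endpoint, server: Endpoint) -> List[str]:
    """Run the exchange and return the segments seen on the wire, in order."""
    server.listen()
    trace: List[str] = []
    seg: Optional[Segment] = client.connect(server.name)
    while seg is not None:
        trace.append(f"{seg.src}->{seg.dst} {seg.flags()} seq={seg.seq} ack={seg.ack}")
        receiver = server if seg.dst == server.name else client
        seg = receiver.receive(seg)
    return trace


def established(*endpoints: Endpoint) -> bool:
    """True only when every endpoint has completed its side of the handshake."""
    return all(e.state is State.ESTABLISHED for e in endpoints)


if __name__ == "__main__":
    ws, srv = Endpoint("workstation", isn=1000), Endpoint("server", isn=5000)
    for line in handshake(ws, srv):
        print(line)
    print("established:", established(ws, srv))
```

Running it prints the three segments in the order the transcript describes (SYN, then SYN/ACK, then ACK) and reports both sides as established. The acknowledgment-number check in `receive` is the detail that makes "every SYN requires an ACK" concrete: an ACK is only accepted if it acknowledges the sequence number this side actually sent.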