The OSI Model
The OSI Model — Seven Layers of Network Communication
Why Start Here
Before examining specific protocols like TCP, IP, or DNS, you need a framework — a map that shows you where each protocol lives, what job it does, and how it relates to everything else. The OSI model is that map. It is the conceptual framework that every networking professional and security researcher uses to describe, diagnose, and discuss network communication.
If you have ever heard someone say "that's a Layer 3 problem" or "this attack operates at the application layer," they were using OSI terminology. Once you understand the model, that kind of language becomes immediately meaningful. Without it, you are navigating without coordinates.
What the OSI Model Is
OSI stands for Open Systems Interconnection. The OSI model is a conceptual framework published by ISO — the International Organization for Standardization — in 1984. It describes how network communication can be broken into seven distinct, ordered layers, each with a specific and well-defined responsibility.
The word "conceptual" is important. The OSI model is a reference model — it describes the ideal, not necessarily the exact reality. Real TCP/IP networking does not follow OSI precisely. For example, TCP/IP collapses several OSI layers into one and does not cleanly separate session management from application logic. Despite this, OSI remains the universal language of networking because it provides a precise vocabulary for describing where something happens in the communication process.
Think of the OSI model as a building's floor plan. The building may not be built exactly as the plan specifies — rooms may be combined, purposes may shift — but the plan still gives you a shared vocabulary for saying "the problem is on the third floor" or "we need to add a feature to the lobby."
The OSI model matters for cybersecurity because attacks can target any layer. A well-rounded security professional needs to be able to look at an attack and know which layer it targets, because that determines what kind of defense applies. A problem at Layer 1 requires a physical response. A problem at Layer 7 requires application-level filtering. Diagnosing incorrectly costs time, resources, and in some cases, the ability to stop the attack at all.
Why Layers Exist: The Principle of Separation of Concerns
The engineers who designed the OSI model were trying to solve a real organizational problem: how do you build complex systems that different vendors can implement independently, that can be upgraded in pieces without breaking everything else, and that are simple enough for human beings to understand and debug?
The answer was separation of concerns. Each layer is assigned exactly one category of responsibility. A layer does its job and nothing else. It uses the services provided by the layer below it and provides services to the layer above it, but it does not need to know how those other layers work internally.
This principle has enormous practical consequences:
A firmware update to a network interface card, which operates at the physical layer, does not break your web browser, which operates at the application layer. The two layers are insulated from each other.
If a web page fails to load, you can work through the layers systematically:
- Is the cable plugged in? (Layer 1)
- Is the switch forwarding traffic? (Layer 2)
- Is the IP route correct? (Layer 3)
- Is the TCP connection completing? (Layer 4)
- Is the web server responding? (Layer 7)
This structured troubleshooting is only possible because the layers are separated.
For security, separation of concerns means that defenses can be applied at specific layers without requiring changes throughout the entire stack. A firewall works at Layers 3 and 4 without needing to understand the application-layer content it is filtering. An intrusion detection system can analyze Layer 7 content without needing to care about which physical medium the traffic arrived on.
The Mnemonic
The seven layers of the OSI model, from Layer 1 at the bottom to Layer 7 at the top, are:
- Physical
- Data Link
- Network
- Transport
- Session
- Presentation
- Application
A widely used mnemonic to remember them from bottom to top is: "Please Do Not Throw Sausage Pizza Away."
Some people find it easier to remember from top to bottom (Application down to Physical): "All People Seem To Need Data Processing."
Both mnemonics work — use whichever sticks for you. The important thing is being able to recite the layers in order, because the numbering is used constantly in professional contexts.
The Seven Layers in Detail
Layer 1 — Physical
Layer 1 is the Physical layer. It is the lowest layer of the OSI model and the most literal: it deals with the actual physical medium through which data travels.
At this layer, the concept of data as bits — ones and zeros — is translated into physical signals appropriate for the medium being used:
- For copper cables (like Ethernet cables), bits are encoded as electrical voltage levels
- For fiber optic cables, bits are encoded as pulses of light
- For wireless connections (Wi-Fi, Bluetooth, cellular), bits are encoded as radio waves at specific frequencies
The Physical layer knows nothing about addresses, protocols, or the meaning of the data being transmitted. It does not know whether a signal represents part of a web page, an email, or an encrypted file. Its only job is to convert the bit stream into a signal and put that signal onto the medium, or to receive a signal from the medium and convert it back into a bit stream.
Devices and components that operate primarily at Layer 1 include:
- Network cables (Ethernet, fiber optic, coaxial)
- Hubs — older devices that repeat a received signal out all ports without any intelligence about addressing
- Repeaters — devices that regenerate a signal to extend transmission distance
- Wireless access points at the radio frequency level
Security relevance of Layer 1 is fundamental: physical access is total access. No amount of software security can fully protect against an adversary with physical access to the medium. At Layer 1, the following threats are relevant:
Wiretapping involves physically connecting to a copper cable or using induction to read the electromagnetic fields the cable generates, capturing the raw bit stream without disrupting the connection. On fiber optic cables, tapping is more difficult but still possible with specialized equipment.
Hardware keyloggers are small devices physically inserted between a keyboard cable and a computer. They operate entirely at the physical signal level and capture keystrokes before any software layer is involved.
Rogue access points are unauthorized wireless access points set up by an attacker within range of legitimate users. At the radio frequency level, they can capture traffic from users who unknowingly connect to them. Because Wi-Fi operates at Layer 1, users connecting to a rogue access point may see no software warning that anything is wrong.
The principle that "physical access equals total access" is why data centers, server rooms, and network closets are protected with badge access, cameras, and in some cases man-traps (entry systems that only allow one person through at a time). Physical security is cybersecurity.
Layer 2 — Data Link
Layer 2 is the Data Link layer. It handles communication between devices that are on the same local network segment — meaning devices connected directly to the same switch, hub, or wireless access point. It does not deal with communication across different networks; that is Layer 3's job.
The key concept at Layer 2 is the MAC address. MAC stands for Media Access Control. A MAC address is a 48-bit hardware address that is assigned to a network interface card (NIC) — the hardware component in your computer, phone, or any networked device that connects it to the network. MAC addresses are typically written as six pairs of hexadecimal digits separated by colons, like this: 00:1A:2B:3C:4D:5E. The first three pairs (24 bits) are the OUI — Organizationally Unique Identifier — and identify the manufacturer of the NIC; the last three pairs (24 bits) are a unique identifier assigned by that manufacturer.
Unlike IP addresses, which are assigned logically and can change, MAC addresses are burned into the hardware at the factory. However, they can be spoofed in software — a fact that is highly relevant to security.
What Layer 2 does:
Framing: Layer 2 packages raw data into structured units called frames. A frame includes a header containing the source MAC address and the destination MAC address, and a trailer containing a CRC — Cyclic Redundancy Check — value used for error detection. When a frame arrives at its destination, the CRC is recalculated and compared to the value in the trailer. If they do not match, the frame was corrupted in transit and is discarded.
Medium access control: When multiple devices share the same medium (as they do on a Wi-Fi network or an older Ethernet hub), they need rules for deciding who can transmit when. The Ethernet standard uses CSMA/CD — Carrier Sense Multiple Access with Collision Detection. This means: before transmitting, listen to see if anyone else is transmitting (Carrier Sense); if the channel is free, transmit; if two devices transmit at the same time and their signals collide (Collision Detection), both back off and retry after a random delay. Modern switched networks largely eliminate collisions because switches create a separate collision domain for each port.
Layer 2 has two sublayers:
- The LLC sublayer — Logical Link Control — handles flow control and error checking, and provides an interface to Layer 3
- The MAC sublayer — Media Access Control — handles addressing and controls access to the shared medium
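As an added example (not code from the original page), the following Python splits a MAC address into its OUI and NIC-specific halves, reads the two flag bits of the first octet, and builds a minimal Ethernet frame with a CRC-32 trailer so the receiver-side discard of a corrupted frame can be seen. The sample addresses are the page's 00:1A:2B:3C:4D:5E plus constructed ones.

```python
import struct
import zlib

ETHERTYPE_IPV4 = 0x0800
MIN_FRAME = 6 + 6 + 2 + 4  # dst + src + EtherType + FCS (ignoring the 46-byte minimum payload)


def mac_bytes(text):
    """'00:1A:2B:3C:4D:5E' -> 6 raw bytes."""
    octets = bytes(int(part, 16) for part in text.split(":"))
    if len(octets) != 6:
        raise ValueError("a MAC address is 48 bits (six octets)")
    return octets


def mac_text(raw):
    return ":".join("%02X" % b for b in raw)


def parse_mac(text):
    """Split a MAC into its manufacturer (OUI) and NIC-specific halves and read the
    two flag bits of the first octet defined by IEEE 802 addressing."""
    raw = mac_bytes(text)
    first = raw[0]
    return {
        "oui": mac_text(raw[:3]),              # first 24 bits: manufacturer
        "nic_specific": mac_text(raw[3:]),     # last 24 bits: assigned by that manufacturer
        "multicast": bool(first & 0x01),       # I/G bit: 1 = group address
        # U/L bit: 1 = locally administered, i.e. not the burned-in factory value.
        # Software-assigned addresses commonly set it, which is worth flagging when
        # reviewing MAC-based access-control logs.
        "locally_administered": bool(first & 0x02),
    }


def build_frame(dst_mac, src_mac, ethertype, payload):
    """Frame = header (dst, src, EtherType) + payload + FCS trailer (CRC-32)."""
    body = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload
    fcs = struct.pack("<I", zlib.crc32(body))  # Ethernet sends the CRC least-significant byte first
    return body + fcs


def receive_frame(frame):
    """Receiver side: recompute the CRC over everything before the trailer and compare.
    A mismatch means the frame was corrupted in transit, so it is dropped (None)."""
    if len(frame) < MIN_FRAME:
        return None
    body, fcs = frame[:-4], frame[-4:]
    if struct.pack("<I", zlib.crc32(body)) != fcs:
        return None
    return {
        "dst": mac_text(body[0:6]),
        "src": mac_text(body[6:12]),
        "ethertype": struct.unpack("!H", body[12:14])[0],
        "payload": body[14:],
    }


def corrupt(frame, byte_index):
    """Simulate a single-bit error on the wire."""
    flipped = bytearray(frame)
    flipped[byte_index] ^= 0x01
    return bytes(flipped)


if __name__ == "__main__":
    print(parse_mac("00:1A:2B:3C:4D:5E"))  # OUI 00:1A:2B, burned-in (U/L bit clear)
    print(parse_mac("02:1A:2B:3C:4D:5E"))  # constructed: same digits, U/L bit set
    f = build_frame("00:1A:2B:3C:4D:5E", "02:00:00:AA:BB:CC", ETHERTYPE_IPV4, b"constructed payload")
    print(receive_frame(f)["payload"])
    print(receive_frame(corrupt(f, 20)))   # None: CRC mismatch, frame discarded
```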
Devices that operate at Layer 2 include:
Switches — the most common Layer 2 device. A switch maintains a table mapping MAC addresses to the physical ports on the switch. When a frame arrives, the switch looks up the destination MAC address, finds the port it is connected to, and forwards the frame only to that port. This is more efficient and more secure than a hub, which broadcasts every frame to every port.
Network interface cards (NICs) — the hardware in each device that implements Layer 2 addressing and framing.
Bridges — older devices that connect two network segments at Layer 2 and filter traffic between them based on MAC addresses.
Security relevance of Layer 2 is significant because it is the layer most directly involved in local network communication, and local networks are where many attacks originate:
MAC address spoofing: As noted, MAC addresses can be changed in software despite being burned into hardware. An attacker can configure their NIC to use any MAC address they choose. This allows them to impersonate another device on the network, bypass MAC-based access controls, or hide their true identity.
ARP spoofing: ARP — Address Resolution Protocol — operates between Layers 2 and 3 and is covered in its own file in this section. The short version: ARP poisoning allows an attacker to redirect traffic intended for one device to their own machine by sending forged ARP messages that associate their MAC address with another device's IP address. This is a foundational man-in-the-middle attack technique.
VLAN hopping: VLANs — Virtual Local Area Networks — are a Layer 2 mechanism for segmenting a physical network into separate logical networks. VLAN hopping attacks exploit weaknesses in how switches handle VLAN tagging to send traffic from one VLAN to another, bypassing the intended segmentation.
Switch flooding: Switches learn MAC addresses by watching which frames arrive on which ports. An attacker can flood a switch with frames containing randomly generated, never-before-seen MAC addresses, filling the switch's MAC address table. Once the table is full, the switch cannot learn new addresses and falls back to broadcasting all frames to all ports — turning a switch into a hub and allowing the attacker to see all traffic on the network.
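The switch behaviour described above (learning, forwarding to one port, flooding unknown destinations, and the full-table fallback) as an added Python model that is not from the original page. The optional per-port MAC limit is an assumed "port security" feature: a port that exceeds it is error-disabled instead of being allowed to fill the table. The scenario, hosts and MAC addresses are constructed.

```python
class LearningSwitch:
    """Model of a Layer 2 switch: learns source MACs per port, forwards known
    destinations to a single port, floods unknown ones. An optional per-port MAC
    limit models a port-security feature that err-disables a port exceeding it."""

    BROADCAST = "ff:ff:ff:ff:ff:ff"

    def __init__(self, ports, table_capacity, max_macs_per_port=None):
        self.ports = list(ports)
        self.table_capacity = table_capacity     # finite MAC table (constructed small size)
        self.max_macs_per_port = max_macs_per_port
        self.mac_table = {}                      # mac -> port
        self.err_disabled = set()
        self.violations = []                     # (port, mac) pairs that tripped port security

    def _learn(self, mac, port):
        if mac in self.mac_table:
            self.mac_table[mac] = port           # host moved: refresh the entry
            return
        if self.max_macs_per_port is not None:
            on_port = sum(1 for p in self.mac_table.values() if p == port)
            if on_port >= self.max_macs_per_port:
                self.violations.append((port, mac))
                self.err_disabled.add(port)      # shut the port rather than learn
                return
        if len(self.mac_table) < self.table_capacity:
            self.mac_table[mac] = port
        # Table full: the address is silently not learned. This is the state that
        # keeps every frame to an unlearned host being flooded out of all ports.

    def switch_frame(self, in_port, src_mac, dst_mac):
        """Return the list of egress ports for a frame arriving on in_port."""
        if in_port in self.err_disabled:
            return []
        self._learn(src_mac, in_port)
        if dst_mac != self.BROADCAST and dst_mac in self.mac_table:
            out = self.mac_table[dst_mac]
            return [] if out == in_port else [out]
        return [p for p in self.ports if p != in_port]   # unknown or broadcast: flood


def run_scenario(max_macs_per_port=None):
    """Constructed scenario: two legitimate hosts, a burst of never-seen source
    MACs on port 3, then a host that attaches to port 4 afterwards. Returns
    whether port 3 gets to see traffic that was meant for port 4."""
    sw = LearningSwitch(ports=[1, 2, 3, 4], table_capacity=8, max_macs_per_port=max_macs_per_port)
    host_a, host_b, host_c = "00:1a:2b:00:00:01", "00:1a:2b:00:00:02", "00:1a:2b:00:00:03"
    sw.switch_frame(1, host_a, sw.BROADCAST)     # A announces itself
    sw.switch_frame(2, host_b, host_a)           # B talks to A: both now learned
    for i in range(20):                          # 20 distinct source MACs arrive on port 3
        sw.switch_frame(3, "02:00:00:00:00:%02x" % i, sw.BROADCAST)
    sw.switch_frame(4, host_c, host_a)           # C attaches and talks to A
    egress = sw.switch_frame(1, host_a, host_c)  # A replies to C
    return {
        "table_size": len(sw.mac_table),
        "c_learned": host_c in sw.mac_table,
        "a_to_c_egress": egress,
        "reply_visible_on_port_3": 3 in egress,
        "violations": len(sw.violations),
        "err_disabled": sorted(sw.err_disabled),
    }


if __name__ == "__main__":
    print("no port security:", run_scenario())
    print("port security (max 2 MACs/port):", run_scenario(max_macs_per_port=2))
```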
Layer 3 — Network
Layer 3 is the Network layer. It handles communication between devices that are on different networks — the routing of data across the internet.
The key concept at Layer 3 is the IP address. IP stands for Internet Protocol, and IP addresses are the logical addresses that identify devices on a network. Unlike MAC addresses, which identify hardware and are scoped to a local network segment, IP addresses identify devices in the context of the broader internet and can be changed, reassigned, and configured.
There are currently two versions of IP in use:
IPv4 — IP version 4 — is the older and still dominant version. IPv4 addresses are 32-bit numbers written as four groups of decimal digits separated by dots (called dotted-decimal notation), like 192.168.1.1. Because 32 bits allows for approximately 4.3 billion unique addresses, and the internet has far more than 4.3 billion connected devices, IPv4 address space has been exhausted. Techniques like NAT — Network Address Translation — extend IPv4 by allowing many devices to share a single public IP address.
IPv6 — IP version 6 — was developed to address the exhaustion of IPv4 addresses. IPv6 addresses are 128 bits long, written as eight groups of four hexadecimal digits separated by colons, like 2001:0db8:85a3:0000:0000:8a2e:0370:7334. 128 bits allows for approximately 340 undecillion unique addresses — enough to assign a unique address to every atom on the surface of the Earth many times over.
What Layer 3 does:
Logical addressing: Every packet traveling through the internet carries a Layer 3 header that includes the source IP address and the destination IP address. These addresses tell every device in the path where the packet came from and where it is going.
Routing: Routers are Layer 3 devices. Their job is to receive incoming packets, look at the destination IP address, consult their routing table — a list of known network paths — and forward the packet toward the destination via the best available path. A packet traveling from your computer to a server in another country may pass through dozens of routers, each one making its own forwarding decision.
Fragmentation: If a packet is too large to pass through a particular network segment, Layer 3 can fragment it — break it into smaller pieces — for transmission, with the pieces being reassembled at the destination.
The data unit at Layer 3 is called a packet.
Devices at Layer 3:
Routers — the primary Layer 3 device. Routers connect different networks and make forwarding decisions based on IP addresses and routing tables.
Layer 3 switches — switches that can also perform routing, blending Layer 2 and Layer 3 functions.
Security relevance of Layer 3:
IP spoofing: An attacker can craft packets with a forged source IP address. This makes the packet appear to come from a different device than it actually does. IP spoofing is used in amplification attacks (where responses go to the spoofed target address instead of the real attacker), in anonymous scanning, and in certain denial-of-service techniques.
ICMP-based attacks: ICMP — Internet Control Message Protocol — operates at Layer 3 and is used for diagnostic messages. The classic ICMP attack is the ping flood, where an attacker sends enormous numbers of ICMP echo request packets to overwhelm a target. The Smurf attack was a historical ICMP amplification attack that exploited broadcast addresses.
Route poisoning and BGP hijacking: The routing protocols that determine how packets travel across the internet — particularly BGP, the Border Gateway Protocol — can be manipulated. Route poisoning introduces false routing information to misdirect traffic. BGP hijacking, in which an attacker announces that they can reach IP address ranges that actually belong to other organizations, has been used to intercept or redirect internet traffic at a massive scale.
Network scanning: Tools like Nmap send packets to IP address ranges to discover which devices are online and what services they are running. This is Layer 3 reconnaissance.
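The routing-table lookup from the Routing paragraph above, as an added Python example that is not part of the original page. It goes one step beyond the text by showing the longest-prefix-match rule, which is also why a more-specific announcement (the mechanism the BGP hijacking item relies on) wins over the legitimate route, and it includes a defender-side check for such entries. The prefixes and next-hop names are constructed.

```python
import ipaddress


class RoutingTable:
    """Model of a Layer 3 forwarding table: destination prefix -> next hop,
    selected by longest-prefix match the way a router does."""

    def __init__(self):
        self.routes = []  # (network, next_hop, learned_from)

    def add(self, prefix, next_hop, learned_from="static"):
        self.routes.append((ipaddress.ip_network(prefix, strict=False), next_hop, learned_from))

    def lookup(self, destination):
        """Return (prefix, next_hop, learned_from) of the most specific matching route, or None."""
        addr = ipaddress.ip_address(destination)
        best = None
        for net, hop, src in self.routes:
            if net.version != addr.version or addr not in net:
                continue
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, hop, src)
        return best

    def more_specifics_of(self, owned_prefix):
        """Defender check: routes lying strictly inside a prefix we own. A more
        specific route beats our own announcement in every lookup, so any such
        entry learned from outside deserves scrutiny."""
        owned = ipaddress.ip_network(owned_prefix)
        return [
            (net, hop, src) for net, hop, src in self.routes
            if net.version == owned.version and net != owned and net.subnet_of(owned)
        ]


def build_example_table():
    """Constructed table: default route via the ISP, our own /24 via the border
    router, and one unexpected /25 inside it learned from a peer."""
    rt = RoutingTable()
    rt.add("0.0.0.0/0", "isp-uplink", "static")
    rt.add("192.0.2.0/24", "border-rtr", "static")
    rt.add("192.0.2.0/25", "peer-x", "bgp")
    return rt


if __name__ == "__main__":
    rt = build_example_table()
    print(rt.lookup("192.0.2.10"))    # the /25 wins over our own /24
    print(rt.lookup("192.0.2.200"))   # outside the /25: our /24 is used
    print(rt.more_specifics_of("192.0.2.0/24"))
```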
Layer 4 — Transport
Layer 4 is the Transport layer. It provides end-to-end communication between applications running on different devices. This is the layer where the distinction between TCP and UDP lives, and it is where the concept of ports is introduced.
The Transport layer is responsible for taking data from the application above it and delivering it to the correct application on the receiving end — not just to the correct device (that is Layer 3's job), but to the correct process running on that device.
Ports: A port is a number from 0 to 65,535 that identifies a specific application or service on a device. When a machine runs a web server, that server listens on port 80 (for HTTP — Hypertext Transfer Protocol) or port 443 (for HTTPS — HTTP Secure). When your browser connects to a web server, it sends packets to the server's IP address on port 80 or 443. The server knows to give those packets to the web server process, not to any of the dozens of other processes running on the machine.
The two main protocols at Layer 4 are TCP and UDP:
TCP — Transmission Control Protocol — provides reliable, ordered, error-checked delivery of data. It does this through several mechanisms:
The TCP three-way handshake is the process by which a TCP connection is established:
- The client sends a SYN (synchronize) packet to the server, indicating it wants to open a connection
- The server responds with a SYN-ACK (synchronize-acknowledge) packet, confirming it received the SYN and is ready
- The client sends an ACK (acknowledge) packet, confirming receipt of the SYN-ACK
After the handshake, both sides have established a connection and can exchange data. Every segment of data sent over TCP is acknowledged by the receiver, and unacknowledged segments are retransmitted. If segments arrive out of order, TCP reassembles them correctly before passing the data to the application.
TCP is used by applications where data integrity matters: web browsing, email, file transfers, remote access (SSH), and database queries all use TCP.
UDP — User Datagram Protocol — provides fast, lightweight delivery without any of TCP's guarantees. A UDP sender fires packets at the destination with no handshake, no acknowledgment, and no retransmission. If a packet is lost, it is gone. If packets arrive out of order, the application receives them out of order.
UDP's lack of overhead makes it preferable for applications where speed matters more than perfect delivery: real-time voice and video (where a slightly dropped frame is better than a delayed one), online gaming, DNS lookups (which are small and fast enough that a failed query can simply be retried), and streaming media.
The data unit at Layer 4 is a segment (for TCP) or a datagram (for UDP).
Security relevance of Layer 4:
SYN flood attacks: This is one of the most fundamental denial-of-service techniques. An attacker sends large numbers of TCP SYN packets to a server but never completes the handshake. The server allocates resources for each half-open connection and waits for the final ACK that never comes. When the server's half-open connection table fills up, it cannot accept new legitimate connections. SYN flood attacks exploited a core design feature of TCP — the resource allocation that happens before a connection is confirmed — and led to the development of mitigations like SYN cookies.
Port scanning: Before attacking a service, attackers typically scan a target to find which ports are open (meaning a service is listening there). Different types of port scans use different TCP or UDP packet combinations. Understanding TCP's state machine is essential to understanding why different scan types produce different results.
Session hijacking: Once a TCP connection is established, both sides track a sequence number that tells them where they are in the conversation. An attacker who can observe or predict these sequence numbers can inject forged packets into the connection or disconnect one party and take over their role in the conversation. Modern TCP implementations use randomized initial sequence numbers to make this harder, but session hijacking remains a relevant technique, especially in combination with ARP spoofing.
UDP amplification attacks: Many UDP-based services (DNS, NTP — Network Time Protocol, SSDP — Simple Service Discovery Protocol) respond to small queries with large responses. An attacker who spoofs a victim's IP address as the source of queries to these services causes the responses — which may be many times larger than the queries — to be directed at the victim, amplifying the attacker's bandwidth.
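The SYN cookie mitigation mentioned in the SYN flood item, as an added Python example that is not from the original page. It is a simplified scheme (not the exact layout any particular operating system uses): the server encodes a time slot, an MSS index and a keyed hash into the 32-bit initial sequence number of its SYN-ACK, stores nothing, and on the final ACK rebuilds the connection only if the hash and age check out. The secret, addresses and ports are constructed.

```python
import hashlib
import hmac
import ipaddress
import struct

# Cookie layout (32-bit ISN): 5 bits time slot | 3-bit MSS index | 24-bit keyed hash
MSS_TABLE = (536, 1220, 1440, 1460)   # the few MSS values the cookie can encode
COOKIE_MAX_AGE = 3                    # time slots; older cookies are refused


def _keyed_hash(secret, client_ip, server_ip, client_port, server_port, client_isn, t):
    """24-bit truncated HMAC over the 4-tuple, the client's ISN and the time slot."""
    msg = (ipaddress.ip_address(client_ip).packed + ipaddress.ip_address(server_ip).packed
           + struct.pack("!HHIB", client_port, server_port, client_isn, t))
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(secret, client_ip, server_ip, client_port, server_port, client_isn, mss, t):
    """Server's ISN for the SYN-ACK. No half-open state is kept for this SYN."""
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    t &= 0x1F
    return (t << 27) | (mss_idx << 24) | _keyed_hash(
        secret, client_ip, server_ip, client_port, server_port, client_isn, t)


def check_syn_cookie(secret, client_ip, server_ip, client_port, server_port, client_isn, ack_number, now):
    """On the final ACK: recover the cookie (ack - 1), reject stale or forged ones,
    and return the negotiated MSS so the connection can be built from the ACK alone."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    t = cookie >> 27
    if (now - t) & 0x1F > COOKIE_MAX_AGE:
        return None                                   # too old (or time slot forged)
    expected = _keyed_hash(secret, client_ip, server_ip, client_port, server_port, client_isn, t)
    if not hmac.compare_digest(expected.to_bytes(3, "big"), (cookie & 0xFFFFFF).to_bytes(3, "big")):
        return None                                   # hash mismatch: not a cookie we issued
    return MSS_TABLE[(cookie >> 24) & 0x7]


if __name__ == "__main__":
    secret = b"constructed-server-secret"
    isn = make_syn_cookie(secret, "198.51.100.7", "203.0.113.10", 40000, 443, 0x12345678, 1460, t=10)
    print(hex(isn))
    print(check_syn_cookie(secret, "198.51.100.7", "203.0.113.10", 40000, 443, 0x12345678, isn + 1, now=11))
    print(check_syn_cookie(secret, "198.51.100.7", "203.0.113.10", 40000, 443, 0x12345678, isn + 1, now=14))
```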
Layer 5 — Session
Layer 5 is the Session layer. It manages sessions — ongoing, organized conversations — between applications on different devices. Where Layer 4 handles the raw delivery of data, Layer 5 handles the organization of that delivery into meaningful exchanges.
A session is a structured interaction between two applications. When you connect to a database server and perform a series of queries, that series of interactions is a session. When you authenticate to a website and browse multiple pages, the server maintains a session so it knows who you are on each page request.
What Layer 5 does:
Session establishment, maintenance, and termination: Layer 5 defines how sessions are started, how they are kept alive while active, and how they are cleanly ended. This is different from the TCP connection (Layer 4) — a Layer 5 session may span multiple TCP connections if one drops and must be re-established.
Checkpointing: For long data transfers, Layer 5 can mark points in the transfer so that if the connection is interrupted, the transfer can resume from the last checkpoint rather than restarting from the beginning. This is particularly useful for large file transfers over unreliable connections.
Authentication negotiation: Some session-layer protocols handle authentication — confirming the identity of the parties before the session begins.
Examples of Session layer protocols and functions:
NetBIOS — Network Basic Input/Output System — is a session-layer protocol used primarily in Windows networking. It allows applications on different computers on a local network to communicate, and is used for name resolution and session management on Windows networks.
RPC — Remote Procedure Call — allows a program to execute a function (procedure) on a remote computer as if it were a local function call. The session layer manages the session in which the remote call takes place.
SQL sessions: When an application connects to a database using SQL — Structured Query Language — the connection establishes a session at Layer 5 that persists across multiple queries.
SIP — Session Initiation Protocol — used in VoIP (Voice over Internet Protocol) and video conferencing, manages the session of a call: establishing it, maintaining it while both parties are connected, and ending it when the call is done.
Security relevance of Layer 5:
Session hijacking at the application level: If an attacker can take over a session — by stealing a session token, exploiting predictable session IDs, or through session fixation (where the attacker forces a victim to use a session ID chosen by the attacker) — they can impersonate the victim without needing their password.
Session fixation: An attacker sets up a session with a known session ID, then tricks a victim into authenticating within that same session. Once the victim authenticates, the attacker already knows the session ID and can use it to access the victim's account.
Insufficient session termination: Applications that do not properly terminate sessions leave session tokens valid after logout, creating a window in which a stolen token can be replayed.
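A server-side session store with the two properties the session fixation and session termination items call for, as an added Python example that is not from the original page: a fresh identifier is issued at authentication (so an ID chosen before login never becomes an authenticated one) and logout destroys the entry (so a stolen token cannot be replayed afterwards). The idle timeout, user names and the walk-through are constructed.

```python
import secrets


class SessionStore:
    """Server-side session table keyed by an unguessable random identifier."""

    def __init__(self, idle_timeout=900):
        self.idle_timeout = idle_timeout          # seconds (assumed value)
        self._sessions = {}                       # session_id -> {"user": ..., "last_seen": ...}

    def _issue(self, user, now):
        sid = secrets.token_urlsafe(32)           # 256 random bits: not predictable like a counter
        self._sessions[sid] = {"user": user, "last_seen": now}
        return sid

    def start_anonymous(self, now):
        return self._issue(None, now)

    def login(self, presented_sid, user, now):
        """Authenticate: discard whatever ID the client presented and issue a new one.
        This is the defence against session fixation."""
        self._sessions.pop(presented_sid, None)
        return self._issue(user, now)

    def resolve(self, sid, now):
        """Map a presented ID to a user; None for unknown, expired or logged-out IDs."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None                           # never issued, or already destroyed
        if now - entry["last_seen"] > self.idle_timeout:
            self._sessions.pop(sid)               # idle expiry
            return None
        entry["last_seen"] = now
        return entry["user"]

    def logout(self, sid):
        """Proper termination: the token is useless server-side from here on."""
        self._sessions.pop(sid, None)


def fixation_attempt(store):
    """Constructed walk-through: a pre-login ID is obtained by one party and the
    victim authenticates while carrying it. Returns what the old and the new ID
    resolve to after login."""
    pre_login_sid = store.start_anonymous(now=0)
    victim_sid = store.login(pre_login_sid, "alice", now=1)
    return store.resolve(pre_login_sid, now=2), store.resolve(victim_sid, now=2)


if __name__ == "__main__":
    print(fixation_attempt(SessionStore()))        # (None, 'alice')
```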
Layer 6 — Presentation
Layer 6 is the Presentation layer. It is responsible for translating data between the format used by the application and the format used by the network. It handles the representation of data — how it is encoded, compressed, and encrypted.
Think of Layer 6 as a translator and data formatter. If Layer 7 is where the conversation happens, Layer 6 is responsible for making sure both parties understand the same language (encoding), that the conversation is conducted in private (encryption), and that the conversation is as efficient as possible (compression).
What Layer 6 does:
Data encoding and translation: Different systems may use different character encodings. ASCII — American Standard Code for Information Interchange — encodes English characters in 7 bits. UTF-8 — UCS Transformation Format, 8-bit — is a more modern encoding that can represent characters from every writing system in the world. When two systems with different native encodings communicate, Layer 6 handles the translation so the application layer sees coherent data.
Encryption and decryption: When data is encrypted for transmission, the encryption is often conceptually assigned to Layer 6. The most widely used example is TLS — Transport Layer Security, the protocol that provides the "S" in HTTPS. TLS encrypts the data before it is transmitted and decrypts it on receipt, so the application layer can work with plaintext while the network only sees ciphertext. (Note: in practice, TLS spans multiple layers — it has session-like characteristics at Layer 5 and uses Layer 4 transport — but it is often described as a Layer 6 function in the OSI context.)
Compression and decompression: To reduce the amount of data transmitted, Layer 6 can compress data before sending and decompress it on receipt. Common compression formats like JPEG (for images), MPEG (for video), and gzip (for general data) are Layer 6 functions.
Examples: SSL — Secure Sockets Layer — is the predecessor to TLS, now deprecated but still frequently mentioned. Character encoding standards like ASCII and UTF-8. Image formats like JPEG. Video formats like MPEG. Data serialization formats like JSON (JavaScript Object Notation) and XML (Extensible Markup Language).
Security relevance of Layer 6:
TLS stripping attacks: An attacker positioned between a client and server can downgrade an HTTPS connection to HTTP by intercepting the initial request and preventing the TLS negotiation. The client then communicates in plaintext, exposing credentials and data. Defenses include HSTS — HTTP Strict Transport Security — which instructs browsers to always use HTTPS for a given domain.
Weak cipher exploitation: TLS supports multiple cryptographic algorithms (ciphers). Older or misconfigured servers may support weak ciphers that can be broken. An attacker can sometimes force a connection to use a weaker cipher through a downgrade attack, then break the encryption.
Data format exploits: Malformed or deliberately crafted data in image, video, or document formats can exploit vulnerabilities in the parsing code that handles that data. These are sometimes called format string vulnerabilities or parser attacks.
Layer 7 — Application
Layer 7 is the Application layer. It is the topmost layer and the one closest to the user — it is where user-facing applications interact with the network. This is the layer you interact with every time you open a browser, send an email, or look up a domain name.
Importantly, Layer 7 does not refer to the application software itself (your browser, email client, etc.). It refers to the network protocols that application software uses to communicate over the network. HTTP — Hypertext Transfer Protocol — is a Layer 7 protocol. DNS — Domain Name System — is a Layer 7 protocol. Your browser is not a Layer 7 entity in the OSI sense; HTTP, which your browser uses, is.
What Layer 7 does:
Layer 7 provides the protocols that directly support end-user applications. These protocols define the specific rules for a given type of network communication: how a web page is requested, how an email is sent, how a domain name is looked up, how a file is transferred.
Key Application layer protocols:
HTTP — Hypertext Transfer Protocol — is the foundation of the World Wide Web. A browser uses HTTP to request resources (web pages, images, scripts) from a web server, and the server uses HTTP to respond. HTTP is stateless — each request/response pair is independent.
HTTPS — HTTP Secure — is HTTP with TLS encryption applied. It is the standard for any web communication that handles sensitive data.
FTP — File Transfer Protocol — allows files to be transferred between systems. FTP uses two connections: one for commands (port 21) and one for data (port 20 for active mode, a negotiated port for passive mode). Unencrypted FTP transmits credentials in plaintext. SFTP — SSH File Transfer Protocol — and FTPS — FTP Secure — are encrypted alternatives.
SMTP — Simple Mail Transfer Protocol — is the protocol for sending email between mail servers and from email clients to mail servers.
DNS — Domain Name System — translates human-readable domain names (like www.example.com) into IP addresses (like 93.184.216.34). DNS is covered in depth in its own file in this section.
SSH — Secure Shell — provides encrypted remote access to systems. It is the standard tool for remote administration of Linux and Unix systems.
SNMP — Simple Network Management Protocol — is used for monitoring and managing network devices.
LDAP — Lightweight Directory Access Protocol — is used for querying directory services such as Active Directory, which manages user accounts and permissions in Windows environments.
Security relevance of Layer 7 is enormous — application-layer attacks are the most common category of cyberattack by volume:
SQL injection: When a web application passes user input into a database query without proper sanitization, an attacker can modify the query's structure by including SQL — Structured Query Language — syntax in their input. This can expose data, modify records, or in some cases execute commands on the database server.
Cross-site scripting (XSS): An attacker injects malicious JavaScript code into a web page served by a legitimate site. When other users load the page, the malicious script runs in their browser, potentially stealing session cookies, redirecting them to phishing sites, or executing actions on their behalf.
DNS poisoning: An attacker inserts fraudulent records into a DNS cache, causing users who query that cache to receive false IP addresses for domain names. A user trying to reach their bank's website might be directed to an attacker-controlled server instead.
Phishing: Phishing is fundamentally a Layer 7 attack — it exploits the protocols used by email (SMTP) and web browsing (HTTP/HTTPS) to deliver deceptive content to users. The technical delivery mechanism is entirely at Layer 7.
Command injection: Similar to SQL injection, command injection occurs when user input is passed to a system command without proper sanitization, allowing an attacker to execute arbitrary commands on the server.
These application-layer attacks account for the majority of data breaches. The OWASP — Open Web Application Security Project — Top 10 list, which catalogs the most critical web application security risks, is almost entirely a list of Layer 7 attack categories.
How Data Actually Flows: Encapsulation and Decapsulation
Understanding the OSI layers individually is not enough — you also need to understand how they work together when data moves across a network.
When an application sends data, the data travels down through the layers from Layer 7 to Layer 1. At each layer, a header (and sometimes a trailer) is added to the data before it is passed to the layer below. This process is called encapsulation.
Here is what happens when you send an HTTP request from your browser to a web server:
Layer 7 (Application): Your browser formats the HTTP request — a structured text message saying "GET /index.html HTTP/1.1" followed by headers. This is the payload.
Layer 6 (Presentation): If HTTPS is being used, TLS encrypts the HTTP request. The payload is now encrypted.
Layer 5 (Session): The session layer manages the session context. For HTTPS, TLS also handles session negotiation here.
Layer 4 (Transport): TCP adds a header to the payload. The TCP header includes the source port (a randomly chosen number above 1023 assigned to your browser's connection), the destination port (443 for HTTPS), the sequence number (tracking where this data falls in the overall stream), and various control flags. The result is called a TCP segment.
Layer 3 (Network): IP adds a header to the TCP segment. The IP header includes your computer's source IP address and the server's destination IP address. The result is called an IP packet.
Layer 2 (Data Link): Ethernet adds a frame header containing the source MAC address (your computer's NIC) and the destination MAC address (typically your router, since the server is on a different network). A CRC trailer is added for error detection. The result is called an Ethernet frame.
Layer 1 (Physical): The frame is converted to electrical signals (for copper cable), light pulses (for fiber), or radio waves (for Wi-Fi) and transmitted over the medium.
On the receiving end, the process reverses — this is decapsulation:
Layer 1: The server's NIC receives the physical signals and reconstructs the bit stream.
Layer 2: The NIC reads the Ethernet frame, checks the CRC for errors, confirms the destination MAC address matches its own, strips the Ethernet header and trailer, and passes the IP packet up.
Layer 3: The IP stack reads the IP packet, confirms the destination IP address matches the server's, strips the IP header, and passes the TCP segment up.
Layer 4: TCP reads the segment, verifies the checksum, records the sequence number, sends an ACK back to the client, strips the TCP header, and passes the data up.
Layer 5: The session layer processes session management information.
Layer 6: TLS decrypts the payload and passes the plaintext HTTP request up.
Layer 7: The web server application receives the HTTP request and processes it.
Each layer is responsible only for its own header. Layer 3 does not look inside the TCP segment; Layer 4 does not examine the IP header. Each layer trusts the others to do their jobs correctly.
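The encapsulation and decapsulation walk-through above, as an added Python example that is not part of the original page: `encapsulate` wraps a constructed HTTP request in TCP, IPv4 and Ethernet headers on the sending side, and `decapsulate` reverses it on the receiving side, with each layer checking only its own header before stripping it. It assumes plain HTTP on port 80 (so Layers 5 and 6 add no bytes) and that both hosts are on the same LAN, so the frame's destination MAC is the server's NIC rather than the router's; all addresses and the request itself are made up.

```python
import socket, struct, zlib

# Constructed sample input (not from the page): the Layer 7 payload, sent as plain HTTP
# so that Layers 5-6 add nothing to the byte stream.
PAYLOAD = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"

def checksum(data):
    """RFC 1071 one's-complement sum used by the IPv4 and TCP headers."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def encapsulate(payload, src_ip, dst_ip, src_mac, dst_mac, src_port, dst_port, seq):
    """Sending side: add the TCP, then IPv4, then Ethernet header/trailer around the payload."""
    # Layer 4: 20-byte TCP header (PSH+ACK); checksum covers pseudo-header + segment -> segment
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, 20 + len(payload))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    segment = tcp + payload
    # Layer 3: 20-byte IPv4 header (protocol 6 = TCP) with its own header checksum -> packet
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    packet = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:] + segment
    # Layer 2: dst MAC, src MAC, EtherType 0x0800 (IPv4), then a CRC-32 trailer -> frame
    header = mac(dst_mac) + mac(src_mac) + b"\x08\x00"
    return header + packet + struct.pack("!I", zlib.crc32(header + packet))

def decapsulate(frame, my_mac, my_ip, my_port):
    """Receiving side: each layer checks only its own header, strips it, and passes the rest up."""
    body, fcs = frame[:-4], struct.unpack("!I", frame[-4:])[0]
    if zlib.crc32(body) != fcs:                    # Layer 2: CRC check ...
        raise ValueError("L2: CRC mismatch, frame corrupted in transit")
    if body[:6] != mac(my_mac):                    # ... and is this frame for my NIC?
        raise ValueError("L2: frame not addressed to this MAC")
    packet = body[14:]                             # strip Ethernet header, pass IP packet up
    ihl = (packet[0] & 0x0F) * 4
    if checksum(packet[:ihl]) != 0:                # Layer 3: a valid header re-sums to zero
        raise ValueError("L3: IP header checksum failed")
    if socket.inet_ntoa(packet[16:20]) != my_ip:
        raise ValueError("L3: packet not addressed to this IP")
    segment = packet[ihl:struct.unpack("!H", packet[2:4])[0]]   # strip IP header, pass segment up
    src_port, dst_port, seq = struct.unpack("!HHI", segment[:8])
    if dst_port != my_port:                        # Layer 4: is anything listening on this port?
        raise ValueError("L4: no service on that port")
    if checksum(packet[12:20] + struct.pack("!BBH", 0, 6, len(segment)) + segment) != 0:
        raise ValueError("L4: TCP checksum failed")
    return {"src_port": src_port, "seq": seq, "payload": segment[(segment[12] >> 4) * 4:]}
```

Flipping a single bit anywhere in the frame is rejected at Layer 2 by the CRC before the IP or TCP code ever sees it, which is the "each layer trusts the others" division of labour described above.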
OSI in Practice: Troubleshooting and Security
Network engineers use OSI as a structured troubleshooting framework. When something is not working, you start at Layer 1 and work up (or start at Layer 7 and work down) to locate the problem:
- Layer 1: Is the cable plugged in? Are the link lights on? Is the wireless signal strong enough?
- Layer 2: Is the switch port active? Is the device's MAC address appearing in the switch's MAC table?
- Layer 3: Is the device getting an IP address? Is the default gateway configured correctly? Can you ping the gateway?
- Layer 4: Is the TCP port open? Is the service listening?
- Layer 5–6: Is the session being established? Is TLS negotiating correctly?
- Layer 7: Is the application responding correctly? Is the HTTP response code what you expect?
Security professionals use the same framework to understand attack surface. Every layer is a potential attack surface, and the appropriate defense depends on which layer is being attacked:
- Physical layer defenses: Locked server rooms, tamper-evident seals, cable trays, physical intrusion detection
- Data Link layer defenses: Port security on switches, 802.1X network access control, Dynamic ARP Inspection
- Network layer defenses: Firewalls, ingress/egress filtering, IPsec (IP Security) encryption, route authentication
- Transport layer defenses: Stateful firewalls, TCP SYN cookies, rate limiting
- Session layer defenses: Strong session token generation, session timeout policies, re-authentication for sensitive actions
- Presentation layer defenses: Enforcing TLS, disabling weak ciphers, HSTS
- Application layer defenses: Input validation, prepared statements (for SQL injection), content security policies (for XSS), web application firewalls
The CISA advisory on Volt Typhoon — a nation-state threat actor assessed to be affiliated with the People's Republic of China — documents attacks that simultaneously targeted multiple OSI layers. The attackers used compromised network edge devices (Layer 3/Layer 4) to establish persistent access, used legitimate application-layer protocols to blend malicious traffic with normal traffic and avoid detection (Layer 7), and used valid credentials to operate within session and application layers as though they were legitimate users. This multi-layer approach is characteristic of sophisticated adversaries who understand the full stack — and it illustrates why defenders must too.
The Bottom Line
The OSI model divides network communication into seven layers, each with a specific responsibility: Physical (transmitting raw signals), Data Link (local network communication using MAC addresses), Network (routing between networks using IP addresses), Transport (end-to-end delivery using TCP or UDP, with ports identifying applications), Session (managing ongoing conversations), Presentation (translating, encrypting, and compressing data), and Application (the protocols that user-facing applications use). The model is a reference framework — not a rigid implementation — but it is the universal language for describing where in a communication system something happens. For security professionals, every layer represents an attack surface, and understanding which layer an attack targets determines which defenses apply.
Check Your Understanding
- A security analyst reports that an attacker is sending large numbers of TCP SYN packets to a web server but never completing the three-way handshake, causing the server to run out of resources for new connections. Which OSI layer is this attack targeting, and what characteristic of that layer makes the attack possible?
- When your browser sends an HTTPS request to a web server, data passes through all seven OSI layers on both the sending and receiving ends. What is the term for the process of adding headers at each layer on the sending side, and what is the term for the reverse process on the receiving side?
Something to Think About
- The OSI model separates network communication into seven layers specifically so that each layer can be changed or updated without affecting the others. In practice, though, attacks often target interactions between layers — for example, ARP spoofing involves manipulating Layer 2 to redirect Layer 3 traffic. What does this tell you about the limitations of thinking about security purely one layer at a time?
- Application-layer attacks like SQL injection and cross-site scripting account for the vast majority of data breaches, yet they exploit problems in how applications are written — not in the underlying network protocols. Given that developers often do not have a deep networking background, and network engineers often do not have a deep application development background, how do you think organizations should structure their security teams to cover the entire OSI stack effectively?
References
- Official Standard. ISO/IEC 7498-1:1994 — "Information technology — Open Systems Interconnection — Basic Reference Model". International Organization for Standardization. — The ISO standard that formally defines the OSI model and its seven layers.
- Official Specification. RFC 1122 — "Requirements for Internet Hosts — Communication Layers". Internet Engineering Task Force, October 1989. — Defines how the TCP/IP layers map to the OSI reference model and how internet hosts must behave at each layer.
- Official Guidance. NIST — "Guide to Enterprise Network Security". National Institute of Standards and Technology. — NIST guidance on applying layered security principles across the OSI stack in enterprise environments.
- Real-World Incident. CISA — "Advisory AA23-144A: Volt Typhoon Targets U.S. Critical Infrastructure". Cybersecurity and Infrastructure Security Agency, May 2023. — Documents attacks operating across multiple OSI layers simultaneously, illustrating why defenders need to understand the full protocol stack.