Why Models Exist
Every time you load a webpage, your data travels across routers, switches, and cables — sometimes across entire oceans — before it reaches a server and comes back. Something has to coordinate all of that.
Networking models break the problem of "send data from here to there" into smaller, manageable pieces. Think of it like a shipping company. The driver doesn't need to know how the package was wrapped. The warehouse doesn't need to know the delivery route. Each part does its job and hands off to the next.
Two models describe this layering: TCP/IP and OSI. Both describe the same process — they just divide it up differently.
The TCP/IP Model (The One the Internet Actually Uses)
TCP/IP is the model that runs the internet. Four layers, practical, built around what actually happens when data moves across a network.
| Layer | Name | What It Does |
|---|---|---|
| 4 | Application | Where your apps live — HTTP, DNS, email protocols |
| 3 | Transport | Breaks data into chunks, ensures delivery — TCP and UDP |
| 2 | Internet | Handles addressing and routing — IP addresses live here |
| 1 | Network Access | The physical stuff — cables, Wi-Fi signals, Ethernet |
Application is where you interact with the network. When you type a URL, HTTP is an application-layer protocol. So is DNS, which translates that URL into an IP address.
Transport is where data gets packaged for delivery. TCP (Transmission Control Protocol) ensures every packet arrives and arrives in order — reliable but slower. UDP (User Datagram Protocol) fires and forgets — faster, no guarantees. Video calls use UDP. File downloads use TCP.
Internet is the addressing system. Every device has an IP address, and this layer figures out how to route your data through all the routers standing between you and your destination.
Network Access is the physical reality — the actual signal moving through a cable, Wi-Fi radio wave, or fibre optic strand. MAC addresses (hardware addresses burned into network cards) live here.
The OSI Model (The One You Study for Certs)
OSI stands for Open Systems Interconnection. It was designed as a universal standard in the 1980s. The internet ended up using TCP/IP instead, but OSI became the teaching model — and every major certification (Security+, CEH, CCNA) tests you on all seven layers.
| Layer | Name | What It Does |
|---|---|---|
| 7 | Application | User-facing protocols: HTTP, FTP, DNS, SMTP |
| 6 | Presentation | Data formatting, encryption, compression |
| 5 | Session | Opens, manages, and closes connections between devices |
| 4 | Transport | Segmentation, TCP/UDP, error checking |
| 3 | Network | IP addressing and routing |
| 2 | Data Link | MAC addresses, switches, frame error detection |
| 1 | Physical | Cables, signals, network hardware |
The extra layers — Presentation and Session — are where OSI gets more granular than TCP/IP. TLS encryption happens at Presentation. HTTPS session management happens at Session. In practice, TCP/IP rolls both of these into the Application layer. You just don't hear them named as separate layers outside of a study guide.
A mnemonic that actually sticks, top to bottom: All People Seem To Need Data Processing (Application, Presentation, Session, Transport, Network, Data Link, Physical).
How They Map to Each Other
| OSI Layer | TCP/IP Layer |
|---|---|
| Application (7) | Application |
| Presentation (6) | Application |
| Session (5) | Application |
| Transport (4) | Transport |
| Network (3) | Internet |
| Data Link (2) | Network Access |
| Physical (1) | Network Access |
TCP/IP collapses OSI's top three layers into one and the bottom two into one. Same process, fewer boxes.
Why This Matters for Security
Every layer is an attack surface. Knowing the model means knowing where an attack is hitting — and what kind of tool can stop it.
Layers 1–2 — Rogue access points, MAC spoofing, ARP poisoning. An attacker physically or logically inserting themselves between you and the network.
Layer 3 — IP spoofing, route hijacking. Manipulating the addressing system so traffic gets redirected somewhere it shouldn't go.
Layer 4 — SYN floods. Overwhelming a server with TCP handshake requests that the attacker opens but never completes, until the server runs out of resources.
Layer 7 — SQL injection, XSS, phishing. Attacking the application itself. This is the most common category of attacks on the web today.
When a firewall is described as "Layer 7," it means it reads the actual content of traffic — not just addresses and ports. That's why a Layer 7 firewall can block SQL injection and a basic Layer 3/4 firewall can't.
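An added example (not part of the original article) that makes this difference concrete: it builds a constructed Ethernet/IPv4/TCP frame, peels the headers off layer by layer, and applies an address-and-port rule next to a rule that also reads the payload. The addresses, the `shop.example` host, all function names, and the deliberately simple SQL injection signature are assumptions for illustration.

```python
import re
import socket
import struct
from urllib.parse import unquote_to_bytes

def build_frame(payload: bytes, dport: int = 80) -> bytes:
    """Constructed sample: Ethernet + IPv4 + TCP headers around an L7 payload."""
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.5"))
    return eth + ip + tcp + payload  # checksums left at 0: parsing demo only

def parse_layers(frame: bytes) -> dict:
    """Peel headers in the order a receiver does: L2, then L3, then L4, then L7."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not IPv4")
    ihl = (frame[14] & 0x0F) * 4              # IPv4 header length in bytes
    if frame[14 + 9] != 6:                    # IPv4 protocol field, 6 = TCP
        raise ValueError("not TCP")
    src_ip, dst_ip = frame[26:30], frame[30:34]
    t = 14 + ihl                              # start of the TCP header
    sport, dport = struct.unpack("!HH", frame[t:t + 4])
    data_off = (frame[t + 12] >> 4) * 4       # TCP header length in bytes
    return {
        "l2": {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":")},
        "l3": {"src_ip": socket.inet_ntoa(src_ip), "dst_ip": socket.inet_ntoa(dst_ip)},
        "l4": {"sport": sport, "dport": dport},
        "l7": frame[t + data_off:],
    }

def l34_allows(pkt: dict) -> bool:
    """Layer 3/4 rule: decides on destination address and port only."""
    return pkt["l3"]["dst_ip"] == "198.51.100.5" and pkt["l4"]["dport"] == 80

# Deliberately simple signature for illustration, not a production WAF rule.
SQLI = re.compile(rb"'\s*(or|union)\b", re.I)

def l7_allows(pkt: dict) -> bool:
    """Layer 7 rule: same address/port check, plus a look at the decoded payload."""
    return l34_allows(pkt) and not SQLI.search(unquote_to_bytes(pkt["l7"]))

# Constructed requests: identical at Layers 2-4, different only in the payload.
benign = parse_layers(build_frame(b"GET /item?id=42 HTTP/1.1\r\nHost: shop.example\r\n\r\n"))
hostile = parse_layers(build_frame(b"GET /item?id=42'%20OR%201=1 HTTP/1.1\r\nHost: shop.example\r\n\r\n"))
```

Both requests pass `l34_allows` because their addresses and ports are identical; only `l7_allows` tells them apart.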
Quick Reference
| Term | Summary |
|---|---|
| TCP/IP | 4 layers — what the internet actually uses |
| OSI | 7 layers — the certification teaching model |
| Layer 7 | Application — where web attacks happen |
| Layer 4 | Transport — TCP (reliable) vs UDP (fast) |
| Layer 3 | Network — IP addresses and routing |
| Layers 1–2 | Physical + Data Link — cables, Wi-Fi, MAC addresses |