The Open Systems Interconnect (OSI) model is a standard reference model for the communication between two end users. Seven different layers make up the OSI model: physical, data link, network, transport, session, presentation, and application. This paper will cover the type of security that is associated with each level of the OSI model.
The physical layer is where the actual communication occurs between devices. The security of the physical layer pertains to the actual hardware. The vulnerabilities of the physical layer include: Power outage
Environmental control loss
Hardware theft, damage or destruction
Unauthorized hardware changes (i.e.; removable media, data connections) Detachment of the physical data links
Unnoticeable Data Interception
Certain measures can be implemented to ensure the physical layer is secure. This would be done by storing all hardware in a locked environment. The use of electronic locks would control and log all access to the room containing the hardware. The electronic locks could be a PIN and password or fingerprint scanner (biometrics). The use of video and audio surveillance would provide physical proof of unauthorized access that could compromise the hardware.
Data Link Layer
The second layer of the OSI model is the data link layer. This is the layer that transports the data between network nodes in a wide area network (WAN) or on the same local area network (LAN) between nodes. The data link layer makes available the procedural and functional means to move data between network devices and could provide the measures to find and possibly correct errors that may occur in the physical layer. The security vulnerabilities associated with the data link layer are: One device may claim to be a different device by spoofing the MAC address Spanning Tree errors could be introduced either accidental or on purpose causing packets to transmit in infinite loops. Switches could flood all traffic to the VLAN ports and not forward to the proper port. This could result in data being intercepted by any device that is connected to the VLAN. Stations could be force direct communication with other stations which ends up bypassing subnets and firewalls. Weak authentication and encryption on a wireless network could allow for unauthorized connections to the network, data and devices.
Data link layer controls can be implemented to ensure the security of the transmissions. By using MAC address filtering the stations are identified by not only the MAC address but are cross-referenced with the logical access or physical port. Firewalls should be between layers, ensuring physical isolation from one another. Wireless application must be monitored consistently and carefully for unauthorized access. In order to secure the wireless network, the use of the built-in encryption, authentication, and MAC filtering must be implemented with strong passwords.
The third layer of the OSI model is the network layer. This layer is responsible for end to end packet delivery. The network layer issues request to the data link layer and responds to requests from the transport layer and issues requests to the data link layer. The procedural and functional process of sending different length data sequences from a source to a destination by one or more networks while ensuring the quality of service and error control functions are all processed by the network layer. Since the network layer handles the transmission of data some securities issues are present. Three securities are: Route spoofing
IP Address Spoofing
Identity and Resource ID Vulnerability
By ensuring strong route policy controls and the use of strict anti-spoofing and route filters the network is protected route spoofing. A firewall should be set up not only between the network and the outside world but also between the different VLANs. The firewall will filter out route and IP address spoofing. The network should also have ARP/Broadcast monitoring software and configured to minimize the ability to abuse protocol features.
The transport layer is the fourth layer of the OSI model and is involved with transporting data streams. The transport layer receives the data streams from the upper layers of the model, packages the streams for transport and transmits them to the lower layer. When data is received from the lower layers, the packets are reassembled and passed back into a stream for the upper layers. Transport protocols are designed to ensure data was completely received at the destination using the TCP protocol. If the reduction of overhead is required and best efforts of delivery is needed then the UPD protocol is used. Since the transport layer deals with the transportation of the data streams some security weaknesses to keep in mind are (Reed, 2003): Mishandling of undefined, poorly defined, or "illegal" conditions Differences in transport protocol implementation allow "fingerprinting' and other enumeration of host information Overloading of transport-layer mechanisms such as port numbers limit the ability to effectively filter and qualify traffic. Transmission mechanisms can be subject to spoofing and attack based on crafted packets and the educated guessing of flow and transmission values, allowing the disruption or seizure of control of communications.
In order to close off these weaknesses, certain rules and processes needs to be implemented. Within the firewall, rules should be set limiting access to a certain number of transmission protocol and sub-protocol information. This information includes TCP/UDP port number or ICMP type. At the firewall layer, stateful inspection is used to prevent out-of-state packets, "illegal" flags, and other fake packet profiles from entering the network. Also, strong transmission and layer session identification methods are needed to stop attacks.
The fifth layer of the OSI model is the session layer. This layer covers the organization of the data communication into logical processes. The session layer receives the send data requests from the higher layers and organizes the beginning and ending of communication with the receiving host. The session layer then hands over its data process to the transport layer where the transmission starts. Session protocols deal with a number of different issues including access accessibility, permitting local applications to discover and connect to remote services, and advertising services to remote clients with successive requests to connect. Some security issues with the session layer is: Weak or nonexistent authentication mechanisms
Clear text transfer of session credentials including user ID and password. Failed authentication attempts could lead to information being leaked. Brute-force attack on accounts
To prevent the above security issues encrypted password exchange and storage should be used. All accounts should be set up to expire after a certain amount of time and a time out mechanism for failed session attempts.
The presentation layer deals with the organization of data passed from the application layer to the network. This layer allows for the standardization of data and the communication of data between different hosts. The presentation layer can also control network-layer enhancements such as compression or encryption. Some vulnerabilities with regard to the presentation layer are (Reed, 2003): Poor handling of unexpected input can lead to application crashes or surrender of control to execute arbitrary instructions. Unintentional or ill-advised use of externally supplied input in control contexts may allow remote manipulation or information leakage. Cryptographic flaws may be exploited to circumvent privacy protections
Steps to ensure the security of the presentation layer can be achieved by carefully checking the receipt of incoming input in applications. Input should be checked before being transferred into any function that uses input to control processes. To prevent cryptographic flaws, the constant review of solutions must be performed to guarantee the security.
The seventh and final layer of the OSI model is the application layer. This layer works with the programs which uses the network and the resources. The application layer is what the user sees and interacts with when working on the network. Any and all functions that do not directly pertain to the network happen at this layer. Some of the security issues that can occur at the application layer are (Reed, 2003): Open design issues allow free use of application resources by unintended parties Backdoors and application design flaws bypass standard security controls Inadequate security controls force "all-or-nothing" approach, resulting in either excessive or insufficient access. Overly complex application security controls tend to be bypassed or poorly understood and implemented. Program logic flaws may be accidentally or purposely used to crash programs or cause undesired behavior. To control issues that could arise at the application layer, access controls should be defined and enforced for application resources. The controls should be well defined and straightforward to prevent any complexity issues. There should also be a standard for testing and review of application code. This is done with a baseline to measure the application implementation. Finally, by setting up a host-based firewall system that can regulate traffic based on the application. This is to stop any unauthorized use of the network.
In conclusion, the information covered in this paper shows the different types of security that is associated with each level of the standard OSI model. From the physical layer to the application layer, each layer has a different type of security which must be applied at each layer to prevent any security leaks, spoofing, and infinite loops. These are just a few of the different vulnerabilities that must be protected on a WLAN or LAN. References
Reed (November 21, 2003). Applying the OSI seven layer model to Information Security. Retrieved on January 11, 2008, from SANS Institute. Website: http://www.sans.org/reading_room/whitepapers/protocols/1309.php
Haden (2008). The OSI Model. Retrieved on January 11, 2008, from Data Network Resource. Website: http://www.rhyshaden.com/osi.htm