The importance of Defense in-depth and the Open System Interconnection (OSI) Layers

This blog provides a general overview on the importance of defense in-depth and how it is tied to the OSI Layers.

Defense in-depth is one of the components that fall under Information Assurance. There's a number of essential tasks that take place under this component. Many of the failures we see today across the implementation of the Risk Management Framework evolves around this component. In fact, more often than not, some of the OSI layers aren't secured correctly due to lack of guidance and/or incomplete guidance and they are not fully addressed on the security documentation. The roles under this component are imperative, for they are meant to help limit cyber attacks across the organization by leveraging existing technologies in order to minimize cost and limit the attack surface.

That is why,the Security Assessors under this component must be trained to perform the following tasks on a continuous basis:

  • Assess new or existing technologies to determine the risk they will introduce or currently have introduced into the organization and determine if the risk is deemed acceptable by management;
  • To maintain the organization's list of acceptable and unacceptable software, hardware, and firmware based on management's approval or disapproval;
  • To validate, or develop secure baselines to be used across the Enterprise for the technology and version identified impacting the various Open System Interconnection (OSI) Layers if approved;
  • To update all baselines whenever a new version of a particular software is introduced into the organization;
  • Assess systems to identify vulnerabilities and/or failures in the process prior to the systems undergoing the Accreditation process in order to ensure it stays within the organization's acceptable risk level and appetite (addressing only the OSI layers that fall within the system's boundary); and
  • Develop the Security Documentation (i.e., SAP, SAR, PO&AM) Reports and the Executive Summary of Issues delineating whether or not the system should be Accredited.

While not all task noted above requires the review of every single layer, the importance of each OSI layer plays a major role in the process and cannot be ignored. Each OSI layer has a very unique set of security requirements and is typically handled by a specific technology, sometimes one that is part of an existing technology (i.e., specific server role) that may have been assess at a general level, but not in-depth and which has a set of important configuration settings that must be secured in order for a particular OSI layer to be secured. So let's start with the basics...

What are the OSI Layers?

There's a total of seven (7) layers, which are a conceptual framework describing the functions of a networking and/or telecommunication system which is then used to guide vendors and developers responsible for creating new technologies ensure that they are interoperable, which means that they will be able to exchange information with each other as data is transmitted across each layer. It's meant to help personnel with network and telecommunication responsibilities narrow down any issues encountered to a particular layer, those helping ping-point where the issue/error may be occurring. When it comes to understanding defense in-depth, it's essential to grasp the various layers. The review of each starts from the last one, Layer 7 to Layer 1, but when troubleshooting is essential to start from Layer 1 and up.


Layer Description
Seven (7): Application In this layer, organizational users gain access to the organization's resources. It is where the end-user (i.e, Privileged or Non-Privilege) interacts with the application interface required for them to complete their day-to-day tasks.

It is the only layer that directly interacts with data provided by the user. The layer is responsible for the protocols and data manipulation on which software relies to present meaningful data to the user. Many of the issues we see today derives from failures in this layer, because they are not always properly secured, those making it easier for attackers to exploit. Denial of Service (DoS) attacks are common in this layer.

  • Protocol Data Unit (PDU): DATA
  • Common DoS Surface Attack(s): GET request, HTTP GET, HTTP POST, website forms (login, uploading, feedback submission)
  • DoS Impact: Availability of Resources are limited and/or rendered unavailable.
  • Components: Firewall, OS Layer and Associated Roles (i.e, Web/App Servers, Domain Servers, Email Servers.)

Six (6): Presentation In this Layer, the operating system is responsible for translating, encrypting or decrypting, and compressing the data being submitted by the end-user (i.e., Privilege or Non-Privilege). Due to the different encoding methods, this layer is responsible for translating incoming data into a syntax that can be understood by the receiving device. If this layer isn't configured correctly, it could lead to data leakage.

  • Protocol Data Unit (PDU): DATA
  • Common DoS Surface Attack(s): Malformed SSL Requests, SSL Hijacking, Man in-the-middle attacks
  • DoS Impact: Availability of SSL connections can be rendered unavailable, Messages in transit can be modified by adding or omitting data sent from one user to another.
  • Protocols: SSL, WPA, KERBEROS, MIME
  • Components: Firewall, OS Layer and Associated Roles (i.e, Web/App Servers, Domain Servers, Email Servers.)

Five (5): Session This layer is responsible for ensuring that communication between two or more systems comply with the termination settings set every time a connection is no longer required and/or has been idled for a specified time. It is also responsible for creating the session between the systems once authenticated. Failures in this layer can lead to an attacker gaining access to the system and acting as the individual's who's session was hijacked.

  • Protocol Data Unit (PDU): DATA
  • Common DoS Surface Attack(s): TELNET DDoS- vulnerabilities
  • DoS Impact: Personnel with Privilege Level responsibilities are prevented from performing switch management functions.
  • Protocols: Named Pipes, NetBIOS, SAP, RTP, SOCKS, TLS/SSL
  • Components: Firewalls, Gateways, OS Layer and Associated Roles (i.e, Web/App Servers, Domain Servers, Email Servers.)

Four (4): Transport This layer restricts the amount of data that can be transmitted from one system to another and incorporates a process for message delivery and error recovery. Failures in this layer can lead to an unauthorized amount of data being extracted within a short period of time. Something that can be identified when the systems are monitored, but which could go undetected if the organization doesn't have monitoring systems in place to keep track of large data extractions.

  • Protocol Data Unit (PDU): SEGMENT
  • Common DoS Surface Attack(s): SYN Flood, Smurf Attack
  • DoS Impact: Bandwidth or Connection Limits of host or networking equipment are flooded, those impacting Availability of Resources.
  • Protocols: TCP, UDP, SCTP
  • Components: Firewalls, Gateways

Three (3): Network This layer is responsible for ensuring that all data packets received by the component are valid and are routed to the correct system, those ensuring the intended target is reached. In addition, this layer is responsible for blocking packages that are submitted by a known malicious system. Failure to secure this layer can lead to malicious packages reaching mission critical and sensitive level systems to exploit existing vulnerabilities and gain entry into the organization's network.

  • Protocol Data Unit (PDU): PACKET
  • Common DoS Surface Attack(s): ICMP Flooding
  • DoS Impact: Bandwidth Limits of host or networking equipment are flooded, those impacting Availability of Resources and imposing extra load on the firewall.
  • Protocols: IPv4, IPv6, IPX, Apple Talk, OSPF, ICMP, ARPMP
  • Components: Firewalls, Router IP/IPX/ICMP, Web Proxies

Two (2): Datalink This layer allows communication between systems by organizing bits into frames and ensuring that they are properly routed across the layers. It ensures that components can communicate properly among each other and that its transmitted correctly over the physical medium (i.e., optic fiber, RJ45 cable). Failure to secure this layer can lead to data leakage and entry into the organization's network.

  • Protocol Data Unit (PDU): FRAME
  • Common DoS Surface Attack(s): MAC Flooding
  • DoS Impact: Disrupts the Sender to Recipient Data Flow--- across all ports, those impacting Availability and Performance.
  • Protocols: 802.11 (WLAN), Wi-Fi, WIMAX, ATM, Ethernet, Frame Relay, PPTP, ISDN-ore
  • Components: Switch, Bridge, Modems, Network Cards, 2-layer Switches, WAP PPP/SLIP, Wireless Devices

One (1): Physical This layer evolves around all of the physical components used for the data to be transmitted from one system to another. Hence, the network cables attached to your system and/or the internal wireless card that allow you to connect to your wireless network.

  • Protocol Data Unit (PDU): BITS
  • Hardware: Hubs, Repeaters, Cables, Optical Fiber, SONET/SDN, Coaxial Cable, Twisted Pair Cable and Connectors
  • Components: Hubs, Repeaters

What's the importance of understanding the OSI Layers as it relates to Defense in-depth?

Understanding the OSI Layers is essential for Defense in-Depth. As a security assessor and/or implementer, grasping where each component or technology being assess falls within the OSI layer will help grasp the areas that are properly secured to limit cyber attacks and the areas that are vulnerable in the stack and require additional attention. Emphasizing the importance of documenting the OSI layers when delineating the Security Assessment and review of Security Documentation created by the system's Information System Security Officer (ISSO) will help identify failures not typically identified by the ISSO or obvious to the Accreditation Management Team.

In fact, a well written report should clearly separate the layers (i.e., Network Layer, Application, Layer, DB Layer, Perimeter Device) clearly delineating the vulnerabilities identified and the responsible parties based on the components that fall within the boundary of the system being assess. This will provide a more clear view on the areas that should be prioritized when mitigation of findings takes place.

Interested on learning more? Contact US via our site form at 

NOTE: Due to security concerns, we limit our web content to bare bones. Please note that you will receive a response within forty-eight (48) hours or less.

By Karen Baez | on Tuesday, October 9 2018 00:16

Add a comment

HTML code is displayed as text and web addresses are automatically converted.

They posted on the same topic

Trackback URL :

This post's comments feed