Why networking needs standards
In the early days of networking, each vendor built proprietary systems that couldn't talk to anyone else's. IBM's equipment spoke one language, DEC's another. If you bought hardware from two different companies, there was a real chance they simply wouldn't communicate. The International Organization for Standardization stepped in with a fix: in 1984 they published the Open Systems Interconnection model, a framework that breaks network communication into seven layers so that any two devices, anywhere in the world, from any manufacturer, can exchange data using the same rulebook.
Today's internet runs on TCP/IP rather than OSI directly, but the model still shapes how engineers, analysts and developers think about networks. When something breaks, the OSI stack tells you where to look. When an attack happens, it tells you which tool can stop it.
The seven layers at a glance
Each layer has one job. It takes data from the layer above, adds whatever information it needs to do its job, and hands it down. On the receiving side the whole process runs in reverse.
| Layer | Name | Data unit | What it does |
|---|---|---|---|
| 7 | Application | Data | User-facing services HTTP, DNS, SMTP, SSH |
| 6 | Presentation | Data | Encryption, compression, data format translation |
| 5 | Session | Data | Opens, manages and closes conversations between apps |
| 4 | Transport | Segment / Datagram | End-to-end delivery TCP for reliability, UDP for speed |
| 3 | Network | Packet | Routing between networks using IP addresses |
| 2 | Data Link | Frame | Local delivery within a network using MAC addresses |
| 1 | Physical | Bit | Raw signals, copper, fibre, radio waves |
A quick mnemonic for top to bottom: All People Seem To Need Data Processing.
Why this matters for security
Every attack lands somewhere on this stack. Knowing which layer is targeted immediately tells you which tool to reach for and where in the logs to look.
| Security event | Primary layer |
|---|---|
| SQL Injection | Layer 7: Application |
| Session Hijacking | Layer 5: Session |
| SYN Flood | Layer 4: Transport |
| IP Spoofing | Layer 3: Network |
| ARP Spoofing | Layer 2: Data Link |
| Cable Tampering | Layer 1: Physical |
Layer 7: Application
This is the layer you actually interact with. Browsers, email clients, SSH terminals, they all live here. The Application Layer isn't the app itself; it's the set of protocols that give apps a way to talk over a network.
When you type a URL and press Enter, your browser creates an HTTP request at this layer and passes it down. It doesn't care about routing or cables, those are someone else's problem lower in the stack.
| Protocol | Port | Purpose |
|---|---|---|
| HTTP | 80 | Web pages |
| HTTPS | 443 | Encrypted web communication |
| DNS | 53 | Domain name resolution |
| SMTP | 25 / 587 | Sending email |
| SSH | 22 | Secure remote administration |
| FTP | 20 / 21 | File transfer |
| IMAP | 143 | Email synchronisation |
| RDP | 3389 | Remote desktop |
Common attacks at Layer 7
SQL Injection, an attacker inserts SQL commands into a web form. If the app passes that input directly to the database without sanitising it, the attacker can read, modify or delete data they were never meant to touch.
Cross-Site Scripting (XSS), malicious JavaScript is injected into a page and then executed in other users' browsers, often to steal session cookies or redirect victims to phishing sites.
CSRF, a logged-in user is tricked into submitting an action they didn't intend (like a bank transfer) because their browser automatically includes their session cookie with every request.
Defences: input validation, parameterised queries, Content Security Policy, WAFs, MFA, and keeping software patched.
Layer 6: Presentation
If the Application Layer is what you say, the Presentation Layer is the language you say it in. It handles three things: translating data into a format both sides understand (character encoding, file formats), compressing it to reduce size, and encrypting it so nobody in the middle can read it.
In practice, TLS does most of the heavy lifting here. Before any application data flows, a TLS handshake negotiates the encryption algorithms, verifies the server's identity via its digital certificate, and derives session keys. From that point on, everything is encrypted.
Common attacks at Layer 6
SSL Stripping, an attacker positioned between the user and the server downgrades the HTTPS connection to plain HTTP, making all traffic readable. HTTP Strict Transport Security (HSTS) is the main defence.
Weak cipher exploitation, older algorithms like MD5 or RC4 can be cracked. Organisations should disable legacy TLS versions and only allow modern cipher suites.
Certificate spoofing, a fraudulent certificate is presented to the client. Browsers catch most of these, but users who click through certificate warnings undo that protection entirely.
Layer 5: Session
Sessions answer a simple question: once a connection is established, how does each side know the conversation is still ongoing? The Session Layer opens a dialogue, keeps it organised while data flows back and forth, and closes it cleanly when done.
The OSI Session Layer as originally defined doesn't appear as a distinct protocol in modern TCP/IP networks, its responsibilities get absorbed into the Application Layer through things like HTTP cookies, session tokens, and TLS session resumption. But the concept is important because sessions are high-value targets.
Common attacks at Layer 5
Session Hijacking, an attacker steals a valid session token, often via XSS or packet sniffing, and uses it to impersonate the legitimate user without needing their password.
Session Fixation, the attacker forces a victim to use a session ID they already know. If the application doesn't issue a fresh session ID after login, the attacker can authenticate as the victim.
Defences: regenerate session IDs on login, use short timeouts, mark cookies as Secure and HttpOnly, and always send session tokens over HTTPS.
Layer 4: Transport
The Transport Layer decides two things for every conversation: how reliable does delivery need to be, and which application on each device is actually talking? It answers the first question by choosing between TCP and UDP, and the second using port numbers.
| TCP | UDP | |
|---|---|---|
| Connection | Connection-oriented (three-way handshake) | Connectionless |
| Reliability | Guaranteed delivery, ordered, retransmitted if lost | No guarantees |
| Speed | Higher overhead | Very fast, low overhead |
| Use cases | Web, email, file transfer | DNS, VoIP, video streaming, gaming |
TCP establishes a connection through a three-way handshake: the client sends SYN, the server replies SYN-ACK, the client confirms with ACK. Only after this exchange does application data start flowing.
Common attacks at Layer 4
SYN Flood, an attacker sends thousands of SYN packets but never completes the handshake, leaving the server holding half-open connections until its resources run out. SYN cookies and rate limiting are the standard defences.
Port Scanning, systematically probing ports to discover which services are running. Not an attack by itself, but a common first step in reconnaissance.
UDP Flood, overwhelming a target with connectionless UDP traffic to exhaust bandwidth or processing capacity.
Layer 3: Network
The Network Layer is responsible for getting a packet from your device to one on the other side of the planet. It does this through logical addressing (IP addresses) and routing, routers examine the destination IP, consult their routing tables, and forward the packet one hop closer to its destination. This repeats across every router along the path.
Each hop, the router strips the old Layer 2 frame, examines the Layer 3 packet, builds a new frame for the next link, and sends it on. The IP packet itself stays largely intact end-to-end, except for the TTL field which decrements by one at each hop to prevent packets looping forever.
Common attacks at Layer 3
IP Spoofing, forging the source IP address to disguise the true origin of traffic, used to evade access controls or amplify denial-of-service attacks.
BGP Hijacking, injecting false routing information so traffic destined for a legitimate network gets misdirected, potentially through the attacker's infrastructure.
ICMP Floods, overwhelming a target with ping requests. Less common today but still seen in volumetric DDoS campaigns.
Layer 2: Data Link
Before a packet can go anywhere, even to the router a few feet away, it needs to be wrapped in a frame and delivered across the local network segment. The Data Link Layer handles this using MAC addresses rather than IP addresses, because at this level we're only worried about the immediate next hop, not the final destination.
Switches operate here. When a frame arrives, the switch reads the destination MAC address, looks it up in its MAC address table, and forwards the frame only to the correct port. This is far more efficient than older hubs, which blindly repeated every signal out every port.
Common attacks at Layer 2
ARP Spoofing, an attacker sends forged ARP replies associating their MAC address with the gateway's IP. Victims update their ARP cache and unknowingly route traffic through the attacker, a classic man-in-the-middle setup.
MAC Flooding, flooding a switch with fake source MAC addresses to exhaust its address table. Some switches fail open when full, broadcasting all traffic to every port and letting the attacker sniff conversations they shouldn't see.
VLAN Hopping, exploiting misconfigured trunk ports to send traffic across VLAN boundaries without going through a router.
Layer 1: Physical
Every layer above this one is software. Layer 1 is where digital communication meets physical reality, copper cables carrying electrical pulses, fibre optic strands carrying light, or radio waves for wireless. The Physical Layer defines the connectors, voltage levels, frequencies and signal encoding that allow bits to actually move between devices.
Common attacks at Layer 1
Wiretapping, physically tapping a cable to intercept the raw signal. Fibre is harder to tap than copper without introducing detectable signal loss.
Rogue Access Points, an attacker connects an unauthorised wireless access point to the network, bypassing access controls, or sets up a fake access point to intercept nearby traffic.
Signal Jamming, flooding a wireless frequency with noise to disrupt legitimate communication.
Defences: locked wiring closets, tamper-evident cabling, 802.1X port authentication, wireless intrusion detection, and disabling unused switch ports.
Putting it together
A firewall filtering by IP address works at Layer 3. An intrusion detection system watching TCP behaviour works at Layer 4. A web application firewall inspecting HTTP requests works at Layer 7. None of these tools sees the full picture on its own, which is why security requires controls at every layer, not just one.
The next part of this write-up follows a real web request from your keyboard to a web server and back, showing each of these layers in action.