Osi Security

Abstract

The Open Systems Interconnect (OSI) model is a standard reference model for the communication between two end users. Seven different layers make up the OSI model: physical, data link, network, transport, session, presentation, and application. This paper will cover the type of security that is associated with each level of the OSI model.

Physical Layer

The physical layer is where the actual communication occurs between devices. The security of the physical layer pertains to the actual hardware. The vulnerabilities of the physical layer include:

* Power outage

* Environmental control loss

* Hardware theft, damage or destruction

* Unauthorized hardware changes (i.e.; removable media, data connections)

* Detachment of the physical data links

* Unnoticeable Data Interception

* Keystroke Logging

Certain measures can be implemented to ensure the physical layer is secure. This would be done by storing all hardware in a locked environment. The use of electronic locks would control and log all access to the room containing the hardware. The electronic locks could be a PIN and password or fingerprint scanner (biometrics). The use of video and audio surveillance would provide physical proof of unauthorized access that could compromise the hardware.

Data Link Layer

The second layer of the OSI model is the data link layer. This is the layer that transports the data between network nodes in a wide area network (WAN) or on the same local area network (LAN) between nodes. The data link layer makes available the procedural and functional means to move data between network devices and could provide the measures to find and possibly correct errors that may occur in the physical layer. The security vulnerabilities associated with the data link layer are:

* One device may claim to be a different device by spoofing the MAC address

* Spanning Tree errors could be introduced either accidental or on purpose causing packets to transmit in infinite loops.

* Switches could flood all traffic to the VLAN ports and not forward to the proper port. This could result in data being intercepted by any device that is connected to the VLAN.

* Stations could be force direct communication with other stations which ends up bypassing subnets and firewalls.

* Weak authentication and encryption on a wireless network could allow for unauthorized connections to the network, data and devices.

Data link layer controls can be implemented to ensure the security of the transmissions. By using MAC address filtering the stations are identified by not only the MAC address but are cross-referenced with the logical access or physical port. Firewalls should be between layers, ensuring physical isolation from one another. Wireless application must be monitored consistently and carefully for unauthorized access. In order to secure the wireless network, the use of the built-in encryption, authentication, and MAC filtering must be implemented with strong passwords.

Network Layer

The third layer of the OSI model is the network layer. This layer is responsible for end to end packet delivery. The network layer issues request to the data link layer and responds to requests from the transport layer and issues requests to the data link layer. The procedural and functional process of sending different length data sequences from a source to a destination by one or more networks while ensuring the quality of service and error control functions are all processed by the network layer. Since the network layer handles the transmission of data some securities issues are present. Three securities are:

* Route spoofing

* IP Address Spoofing

* Identity and Resource ID Vulnerability

By ensuring strong route policy controls and the use of strict anti-spoofing and route filters the network is protected route spoofing. A firewall should be set up not only between the network and the outside world but also between the different VLANs. The firewall will filter out route and IP address spoofing. The network should also have ARP/Broadcast monitoring software and configured to minimize the ability to abuse protocol features.

Transport Layer

The transport layer is the fourth layer of the OSI model and is involved with transporting data streams. The transport layer receives the data streams from the upper layers of the model, packages the streams for transport and transmits them to the lower layer. When data is received from the lower layers, the packets are reassembled and passed back into a stream for the upper layers. Transport protocols are designed to ensure data was completely received at the destination using the TCP protocol. If the reduction of overhead is required and best efforts of delivery is needed then the UPD protocol is used. Since the transport layer deals with the transportation of the data streams some security weaknesses to keep in mind are (Reed, 2003):

* Mishandling of undefined, poorly defined, or "illegal" conditions

* Differences in transport protocol implementation allow "fingerprinting' and other enumeration of host information

* Overloading of transport-layer mechanisms such as port numbers limit the ability to effectively filter and qualify traffic.

* Transmission mechanisms can be subject to spoofing and attack based on crafted packets and the educated guessing of flow and transmission values, allowing the disruption or seizure of control of communications.

In order to close off these weaknesses, certain rules and processes needs to be implemented. Within the firewall, rules should be set limiting access to a certain number of transmission protocol and sub-protocol information. This information includes TCP/UDP port number or ICMP type. At the firewall layer, stateful inspection is used to prevent out-of-state packets, "illegal" flags, and other fake packet profiles from entering the network. Also, strong transmission and layer session identification methods are needed to stop attacks.

Session