Seven layers that define how data travels from an application on your screen down through the wire and back up on the other side. The universal language of networking.
The Open Systems Interconnection (OSI) model is a conceptual framework that standardizes network communication into 7 layers. Each layer has a specific function and communicates with the layers directly above and below it. It's not a physical thing you can touch — it's a mental model that helps you understand how data travels from one computer to another across a network.
Real-world analogy: Think of sending a letter internationally. You write it (Application), put it in an envelope (Presentation), track the shipping session (Session), the postal service guarantees delivery (Transport), they route it through cities (Network), the local postman delivers it to the right mailbox (Data Link), and the letter physically travels on a truck (Physical). Each step adds structure without the others needing to know the details.
Why it matters for cybersecurity: Attacks target specific layers. ARP spoofing is a Layer 2 attack. SQL injection is Layer 7. SYN floods target Layer 4. Knowing which layer an attack targets tells you which defenses to deploy. A firewall at Layer 3 won't stop an XSS attack at Layer 7.
Mnemonic (bottom-up): "Please Do Not Throw Sausage Pizza Away" | (top-down): "All People Seem To Need Data Processing"
Layer 7 (Application): The layer closest to you, the user. When you open a browser and visit a website, HTTP operates here. When you send an email, SMTP runs here. When you type a domain name, DNS resolves it at this layer. Protocols: HTTP/HTTPS, FTP, SMTP, DNS, SSH, SNMP. Security: WAFs protect here.
Layer 6 (Presentation): The "translator" layer. It converts data between formats the application understands and formats the network uses. Encryption (TLS) happens here — transforming plaintext into ciphertext. Also handles compression (reducing data size) and character encoding (ASCII, Unicode). Protocols: SSL/TLS, JPEG, PNG, ASCII, MPEG.
Layer 5 (Session): Establishes, manages, and terminates "sessions" — ongoing conversations between two applications. When you log into a website and stay logged in, a session is being managed. This layer handles authentication at the session level and can resume interrupted transfers. Protocols: NetBIOS, RPC, PPTP, SOCKS. Attack: Session hijacking (stealing a session token).
Layer 4 (Transport): Responsible for end-to-end delivery between source and destination. TCP provides reliable, ordered delivery with error correction — used for HTTP, SSH, FTP. UDP provides fast, "fire-and-forget" delivery — used for DNS, streaming, gaming. Port numbers (0-65535) identify specific services. Attack: SYN flood DoS.
Layer 3 (Network): Handles logical addressing (IP addresses) and routing — determining the best path for packets to travel from source to destination across multiple networks. Routers operate here. Each router examines the destination IP and forwards the packet to the next hop. Protocols: IPv4, IPv6, ICMP, IPSec, OSPF, BGP.
Layer 2 (Data Link): Handles physical addressing (MAC addresses) and framing — wrapping packets into frames for transmission on the local segment. Switches operate here, forwarding frames to the correct port based on destination MAC. Error detection (CRC/FCS) ensures data wasn't corrupted in transit. Attack: ARP spoofing, MAC flooding.
Layer 1 (Physical): The actual physical transmission of raw bits (0s and 1s) over a medium. This includes Ethernet cables (Cat5e, Cat6), fiber optic cables, Wi-Fi radio signals, Bluetooth, and even light pulses. A hub operates at Layer 1 (it just rebroadcasts electrical signals). Physical security matters here — an attacker with physical access to cables can tap them.
You type https://example.com in your browser. Here's what happens at each layer:

```
GET / HTTP/1.1
Host: example.com
```

The router strips the Layer 2 frame, reads the Layer 3 packet destination, creates a new frame for the next hop, and forwards it. This process repeats at every router until the packet reaches example.com's server, where it's de-encapsulated layer by layer back up to Layer 7.
As data moves down the stack from application to physical, each layer wraps it with its own header (and sometimes trailer). This process is called encapsulation. Think of it like putting a letter in an envelope, then putting that envelope in a box, then putting the box on a truck.
On the receiving end, the process reverses — each layer strips its header and passes the payload up. This is called de-encapsulation. Each layer's data unit has a specific name (PDU):
| Layer | PDU Name | Added Info | Key Protocols |
|---|---|---|---|
| 7-5 | Data | Application payload | HTTP, DNS, SMTP, SSH |
| 4 | Segment / Datagram | Src/Dest Port, Seq # | TCP, UDP |
| 3 | Packet | Src/Dest IP, TTL | IPv4, IPv6, ICMP |
| 2 | Frame | Src/Dest MAC, FCS | Ethernet, Wi-Fi, ARP |
| 1 | Bits | Electrical/light signals | Cat6, Fiber, 802.11 |
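The encapsulation, per-hop re-framing and de-encapsulation described above, as an added example that is not part of the original page: it wraps the page's HTTP request in a TCP segment, an IPv4 packet and an Ethernet frame, lets a router re-frame it, and unwraps it again. The function names, addresses and ports are assumptions; the TCP checksum is left at zero and TLS is omitted so the request stays readable.

```python
import struct, zlib

def ip_checksum(hdr: bytes) -> int:
    # RFC 1071 one's-complement sum; yields 0 when run over a valid header.
    s = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def frame(packet: bytes, src_mac: bytes, dst_mac: bytes) -> bytes:
    """Layer 2: Ethernet II header (EtherType 0x0800 = IPv4) plus CRC-32 FCS trailer."""
    body = dst_mac + src_mac + b"\x08\x00" + packet
    return body + struct.pack("<I", zlib.crc32(body))

def encapsulate(data, sport, dport, seq, src_ip, dst_ip, ttl, src_mac, dst_mac):
    # Layer 4 segment: 20-byte TCP header, flags PSH+ACK, checksum left 0 (simplification).
    segment = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + data
    # Layer 3 packet: 20-byte IPv4 header, protocol 6 = TCP, checksum filled in afterwards.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0, 0, ttl, 6, 0, src_ip, dst_ip)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return frame(hdr + segment, src_mac, dst_mac)

def decapsulate(fr: bytes) -> dict:
    body, (fcs,) = fr[:-4], struct.unpack("<I", fr[-4:])
    if zlib.crc32(body) != fcs:
        raise ValueError("FCS mismatch: frame corrupted in transit")
    packet = body[14:]                                          # strip the Ethernet header
    ihl = (packet[0] & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    segment = packet[ihl:struct.unpack("!H", packet[2:4])[0]]   # strip the IPv4 header
    sport, dport, seq = struct.unpack("!HHI", segment[:8])
    return {"dst_mac": body[:6], "src_mac": body[6:12], "packet": packet, "ttl": packet[8],
            "src_ip": packet[12:16], "dst_ip": packet[16:20], "sport": sport, "dport": dport,
            "seq": seq, "data": segment[(segment[12] >> 4) * 4:]}   # strip the TCP header

def route_hop(fr: bytes, router_mac: bytes, next_hop_mac: bytes) -> bytes:
    """Router step: drop the old frame, decrement TTL, re-frame the packet for the next hop."""
    pkt = bytearray(decapsulate(fr)["packet"])
    if pkt[8] <= 1:
        raise ValueError("TTL expired: packet is dropped, not forwarded")
    pkt[8] -= 1
    pkt[10:12] = b"\x00\x00"                  # zero the checksum field, then recompute it
    pkt[10:12] = struct.pack("!H", ip_checksum(bytes(pkt[:(pkt[0] & 0x0F) * 4])))
    return frame(bytes(pkt), router_mac, next_hop_mac)

REQUEST = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"   # constructed sample values below
HOST_MAC, GW_MAC, ROUTER_OUT_MAC, NEXT_MAC = (bytes.fromhex(f"02000000000{i}") for i in range(1, 5))
FRAME = encapsulate(REQUEST, 49152, 80, 1000, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]), 64, HOST_MAC, GW_MAC)
```

After `route_hop`, the MAC addresses and TTL differ while the IP addresses, ports and payload are unchanged, which is why Layer 2 controls only see the local segment.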
Every layer has its own vulnerabilities. Understanding which layer an attack targets determines which defense mechanism you need. A Layer 3 firewall won't stop a Layer 7 SQL injection — you need a WAF for that.
Layer 1 (Physical): Attacks: Physical cable tapping (splicing fiber/copper to intercept data), signal jamming (Wi-Fi deauth, Bluetooth interference), device theft, keyloggers. Defenses: Physical access control (locked server rooms, cameras), cable shielding, wireless encryption (WPA3), port security on switches.
Layer 2 (Data Link): Attacks: ARP spoofing (redirect traffic via fake ARP replies), MAC flooding (overflow switch CAM table), VLAN hopping (escape VLAN isolation), STP attacks (manipulate spanning tree to become root bridge). Defenses: 802.1X (port-based authentication), DAI, DHCP snooping, port security, BPDU guard.
Layer 3 (Network): Attacks: IP spoofing (forging source IP), ICMP redirect (reroute traffic), route poisoning (inject false routes into BGP/OSPF), IP fragmentation attacks. Defenses: IPSec (encrypted tunnels), ACLs on routers, ingress/egress filtering, routing protocol authentication.
Layer 4 (Transport): Attacks: SYN flood (exhaust server connection table), port scanning (discover open services with Nmap), UDP flood (overwhelm with connectionless traffic). Defenses: Stateful firewalls, SYN cookies, rate limiting, TLS encryption.
Layers 5-6 (Session and Presentation): Attacks: Session hijacking (stealing session tokens/cookies), session fixation (forcing a known session ID), SSL stripping (downgrading HTTPS to HTTP via MitM), encoding-based attacks (exploiting character set conversions). Defenses: Secure session management, HSTS headers, certificate pinning, strong TLS configuration.
Layer 7 (Application): Attacks: XSS (inject scripts into web pages), SQL injection (manipulate database queries), CSRF (trick users into unwanted actions), phishing, DNS spoofing. Defenses: WAFs, input validation, output encoding, CSP headers, secure coding practices.
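DAI (dynamic ARP inspection) and DHCP snooping are listed above as Layer 2 defenses against ARP spoofing. The following added example, which is not from the original page and is not any vendor's implementation, sketches the check they perform together: each ARP message is compared with a trusted IP-to-MAC binding table before it is forwarded. The function names, binding table and sample frames are constructed assumptions.

```python
import ipaddress
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sender MAC/IP, target MAC/IP

def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def inspect_arp(frame: bytes, bindings: dict) -> str:
    """Return 'permit' or a drop reason for one Ethernet frame (no FCS, as in a capture)."""
    if frame[12:14] != b"\x08\x06":
        return "permit"                      # not ARP: outside the scope of this check
    if len(frame) < 14 + struct.calcsize(ARP_FMT):
        return "drop: truncated ARP"
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper not in (1, 2):
        return "drop: malformed ARP"
    if frame[6:12] != sha:
        return "drop: Ethernet source differs from ARP sender MAC"
    ip, claimed = str(ipaddress.IPv4Address(spa)), fmt_mac(sha)
    bound = bindings.get(ip)
    if bound is None:
        return f"drop: no binding for {ip}"
    if bound != claimed:
        return f"drop: {ip} is bound to {bound}, not {claimed}"
    return "permit"

def arp_reply(eth_src: bytes, sha: bytes, spa: str, tha: bytes, tpa: str) -> bytes:
    """Build constructed ARP reply bytes used only as test input; nothing is sent."""
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 2, sha, ipaddress.IPv4Address(spa).packed,
                      tha, ipaddress.IPv4Address(tpa).packed)
    return tha + eth_src + b"\x08\x06" + arp

# Constructed values: documentation IPs, locally administered MACs.
GW, HOST, OTHER = (bytes.fromhex(h) for h in ("020000000001", "020000000050", "020000000066"))
# Binding table as DHCP snooping would have learned it (assumed contents).
BINDINGS = {"192.0.2.1": fmt_mac(GW), "192.0.2.50": fmt_mac(HOST)}
SAMPLES = [
    arp_reply(GW, GW, "192.0.2.1", HOST, "192.0.2.50"),         # genuine gateway reply
    arp_reply(OTHER, OTHER, "192.0.2.1", HOST, "192.0.2.50"),   # gateway IP claimed by another MAC
    arp_reply(OTHER, GW, "192.0.2.1", HOST, "192.0.2.50"),      # sender MAC forged in the ARP body
    arp_reply(OTHER, OTHER, "192.0.2.77", HOST, "192.0.2.50"),  # address with no binding
]
VERDICTS = [inspect_arp(f, BINDINGS) for f in SAMPLES]
```

Only the first sample is permitted; the other three are dropped for a binding mismatch, an Ethernet/ARP sender mismatch and a missing binding respectively.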
In the real world, most networks use the TCP/IP model (4 layers), not the OSI model (7 layers). However, OSI is still the standard for understanding and discussing networking concepts. Here's how they map: