ISO OSI Model (Infosec perspective)

Post on 05-Jul-2015


The ISO OSI model from an information security perspective, in brief: for each layer, its functions, data unit, typical vulnerabilities and the controls that address them.


LAYER 1: PHYSICAL

FUNCTIONS

• Connection to and termination of the physical transmission medium.

• Modulation: conversion of digital data to signals.

POINTS TO REMEMBER

• Parallel SCSI buses operate in this layer.

• PS: The logical SCSI protocol is a transport layer protocol and runs over this bus.

DATA UNIT: BIT

VULNERABILITIES

• Van Eck phreaking: remote eavesdropping on the signals emitted by a CRT or VDT display

• Loss of power and/or environmental control

• Physical theft, damage or destruction of data and hardware

• Unauthorized changes to the functional environment (data connections, removable media, adding/removing resources)

• Disconnection of physical data links

• Undetectable interception of data

• Keystroke and other input logging

CONTROLS

• Locked perimeters and enclosures

• Electronic lock mechanisms that provide logging and fine-grained authorization

• Video and audio surveillance

• PIN- and password-secured locks

• Biometric authentication systems

• Cryptographic protection of stored data

• Electromagnetic shielding

LAYER 2: DATA LINK

FUNCTIONS

• Physical addressing; devices: bridges, layer 2 switches

• Network topology

• Line discipline (how end systems will use the network link)

• Error notification

• Ordered delivery of frames

POINTS TO REMEMBER

• Flow control using the selective repeat sliding window protocol.

• Arranges bits into logical sequences called frames.

DATA UNIT: FRAME

MAC LAYER

• Connections between applications running on a LAN

• Flow control to the upper layer by means of ready/not-ready codes

• Sequence control bits

LLC LAYER

• Provides orderly access to the LAN medium.

• Defines a hardware, or data-link, address called the "MAC address"

VULNERABILITIES

• War-driving: traveling around public areas and randomly accessing 802.11 wireless access points with lax or default security settings

• MAC address / ARP spoofing

• VLAN circumvention

• Spanning tree errors

• Switches: VLAN trunking protocol vulnerabilities

– negotiating access to multiple VLANs

– VLAN traffic flooding

POINTS TO REMEMBER

• War-driving is a layer 1 and layer 2 vulnerability.

CONTROLS

• MAC address filtering: identifying stations by address and cross-referencing the physical port or logical access

• Do not use VLANs to enforce secure designs. Security zones should be physically isolated from one another, with policy engines such as firewalls between them.

• Wireless applications must be carefully evaluated for unauthorized access exposure.

LAYER 3: NETWORK

FUNCTIONS

• Quality of service requested by the transport layer

• Routing

• Path determination

• Devices and protocols:

– IP, IPX, routers, routing protocols (RIP, IGRP, OSPF, BGP etc.), ARP, RARP, ICMP

POINTS TO REMEMBER

• Might perform fragmentation and reassembly, and report delivery errors.

DATA UNIT: PACKET

VULNERABILITIES

• Route spoofing: propagation of false network topology

• IP address spoofing: false source addressing on malicious packets

• Identity and resource ID vulnerability: reliance on addressing to identify resources and peers can be brittle and vulnerable

CONTROLS

• Route policy controls: use strict anti-spoofing and route filters at network edges

• Firewalls with strong filter and anti-spoof policy

• ARP/broadcast monitoring software

• Implementations that minimize the ability to abuse protocol features such as broadcast
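As an added example that is not part of the original slides, the anti-spoofing edge filter described in the first two controls expressed as a small ingress check: a packet is accepted only if its source address belongs to the prefix assigned to the port it arrived on, and the upstream port rejects bogon and internal source addresses. The interface names, prefixes and sample packets are constructed for illustration.

```python
# Added example (not from the original slides): a minimal BCP38-style
# ingress anti-spoofing filter. Topology and addresses are constructed.
import ipaddress

# Prefixes that legitimately originate traffic on each interface
# (constructed: two internal LAN ports and one upstream link).
INTERFACE_PREFIXES = {
    "lan0": [ipaddress.ip_network("10.0.1.0/24")],
    "lan1": [ipaddress.ip_network("10.0.2.0/24")],
    "wan0": [ipaddress.ip_network("0.0.0.0/0")],  # anything not rejected below
}

# Source ranges that must never arrive from the upstream side.
BOGON_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("0.0.0.0/8"),
]

INTERNAL_PREFIXES = INTERFACE_PREFIXES["lan0"] + INTERFACE_PREFIXES["lan1"]


def ingress_verdict(iface: str, src: str) -> str:
    """Return 'accept' or 'drop: <reason>' for a packet's source address."""
    addr = ipaddress.ip_address(src)
    if iface == "wan0":
        # Upstream: drop bogons and anything claiming to be our own address space.
        if any(addr in net for net in BOGON_SOURCES):
            return "drop: bogon source from upstream"
        if any(addr in net for net in INTERNAL_PREFIXES):
            return "drop: internal source spoofed from upstream"
        return "accept"
    # Internal ports: the source must belong to the prefix assigned to that port.
    if any(addr in net for net in INTERFACE_PREFIXES.get(iface, [])):
        return "accept"
    return f"drop: source not valid for {iface}"


if __name__ == "__main__":
    samples = [("lan0", "10.0.1.25"), ("lan0", "10.0.2.7"),
               ("wan0", "203.0.113.9"), ("wan0", "10.0.1.25"),
               ("wan0", "192.168.5.5"), ("eth9", "10.0.1.25")]
    for iface, src in samples:
        print(f"{iface:5} {src:15} -> {ingress_verdict(iface, src)}")
```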

LAYER 4: TRANSPORT

FUNCTIONS

• Multiplexing of upper layer applications; the establishment, maintenance, and orderly termination of virtual circuits

• Sequencing: acknowledgements and flow control (windowing)

• Transport fault detection and recovery

• Tunneling protocols operate at the transport layer

POINTS TO REMEMBER

• Performs segmentation and reassembly, and reports delivery errors.

DATA UNIT: SEGMENT

VULNERABILITIES

• Mishandling of undefined, poorly defined, or "illegal" conditions

• Differences in transport protocol implementation allow "fingerprinting" and other enumeration of host information

• Overloading of transport-layer mechanisms such as port numbers limits the ability to effectively filter and qualify traffic.

• Transmission mechanisms can be subject to spoofing

CONTROLS

• Strict firewall rules limiting access to specific transmission protocols and sub-protocol information such as TCP/UDP port number or ICMP type

• Stateful inspection at the firewall layer, preventing out-of-state packets, "illegal" flag combinations and other phony packet profiles from entering the perimeter

• Stronger transmission- and session-layer identification mechanisms to prevent the attack and takeover of communications
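The stateful inspection control above, as an added illustration that is not code from the original deck: a simplified checker that rejects "illegal" TCP flag combinations and drops segments belonging to flows it never saw opened with a SYN. The flag bit values follow the TCP header layout; the connection table, endpoint strings and sample segments are constructed for illustration.

```python
# Added example, not code from the original slides: a simplified stateful
# inspector that rejects illegal flag combinations and out-of-state segments.
from typing import Optional

# TCP control-flag bit values as laid out in the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def tcp_flag_problem(flags: int) -> Optional[str]:
    """Return a reason string if the flag combination is illegal, else None."""
    flags &= 0x3F                      # ignore ECN bits (ECE/CWR) for this check
    if flags == 0:
        return "no flags set (NULL segment)"
    if (flags & SYN) and (flags & FIN):
        return "SYN and FIN set together"
    if (flags & SYN) and (flags & RST):
        return "SYN and RST set together"
    if (flags & (FIN | PSH | URG)) == (FIN | PSH | URG) and not (flags & ACK):
        return "FIN+PSH+URG without ACK (XMAS segment)"
    if not (flags & ACK) and flags != SYN:
        return "non-SYN segment without ACK"
    return None


class StatefulInspector:
    """Tracks which client->server flows were opened by a SYN the firewall saw."""

    def __init__(self) -> None:
        self.flows: set = set()        # constructed in-memory connection table

    def inspect(self, src: str, dst: str, flags: int) -> str:
        """Return 'accept' or 'drop: <reason>' for one segment (endpoints as 'ip:port')."""
        reason = tcp_flag_problem(flags)
        if reason:
            return f"drop: {reason}"
        if flags == SYN:               # new connection attempt: create state
            self.flows.add((src, dst))
            return "accept"
        if (src, dst) in self.flows or (dst, src) in self.flows:
            if flags & RST:            # a reset tears the flow down
                self.flows.discard((src, dst))
                self.flows.discard((dst, src))
            return "accept"
        return "drop: out-of-state segment for a flow never opened with SYN"


if __name__ == "__main__":
    fw = StatefulInspector()
    for src, dst, flags in [("10.0.1.5:40000", "203.0.113.9:443", SYN),
                            ("203.0.113.9:443", "10.0.1.5:40000", SYN | ACK),
                            ("198.51.100.7:1234", "10.0.1.5:22", ACK),
                            ("198.51.100.7:1234", "10.0.1.5:22", SYN | FIN)]:
        print(src, "->", dst, fw.inspect(src, dst, flags))
```

A real firewall also ages entries out and tracks FIN handshakes; this toy only shows the two decisions the slide names.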

LAYER 5: SESSION

FUNCTIONS

• Dialog control, i.e. establishes, manages and terminates dialogues or "sessions"

• Establishes checkpointing, adjournment, termination, and restart procedures

• Dialogs can be:

– simplex (one-way)

– half-duplex (alternate)

– full-duplex (bi-directional)

POINTS TO REMEMBER

• Implemented explicitly in application environments that use remote procedure calls.

DATA UNIT: SPDU

VULNERABILITIES

• Weak or non-existent authentication mechanisms

• Passing of session credentials such as user ID and password in the clear, allowing intercept and unauthorized use

• Session identification may be subject to spoofing and hijack

• Leakage of information based on failed authentication attempts

• Unlimited failed sessions allow brute-force attacks on access credentials

CONTROLS

• Encrypted password exchange and storage

• Accounts have specific expirations for credentials and authorization

• Protect session identification information via cryptographically random means

• Limit failed session attempts via a timing mechanism, not lockout
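An added example (not from the original slides) of the last two session-layer controls: session identifiers drawn from a cryptographically secure random source and compared in constant time, plus an exponential per-account delay on failed attempts instead of a hard lockout, so a brute-force attempt slows to a crawl while the legitimate user is never locked out. The FailureThrottle class and its delay parameters are constructed for illustration.

```python
# Added example, not from the original slides: cryptographically random session
# identifiers plus a timing-based throttle on failed attempts (no lockout).
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

SESSION_ID_BYTES = 32   # 256 bits of entropy from the OS CSPRNG


def new_session_id() -> str:
    """Session identifier that cannot be predicted or enumerated."""
    return secrets.token_urlsafe(SESSION_ID_BYTES)


def session_matches(presented: str, stored: str) -> bool:
    """Constant-time comparison so the check itself leaks no timing information."""
    return hmac.compare_digest(presented.encode(), stored.encode())


class FailureThrottle:
    """Delays retries per account with exponential backoff instead of locking it.

    Parameters are constructed for illustration: 1 s doubling per failure, capped at 60 s.
    """

    def __init__(self, base_delay: float = 1.0, max_delay: float = 60.0) -> None:
        self.base, self.cap = base_delay, max_delay
        self._state: Dict[str, Tuple[int, float]] = {}  # account -> (failures, not_before)

    def retry_after(self, account: str, now: Optional[float] = None) -> float:
        """Seconds the caller must still wait before another attempt is accepted."""
        now = time.monotonic() if now is None else now
        _, not_before = self._state.get(account, (0, 0.0))
        return max(0.0, not_before - now)

    def record_failure(self, account: str, now: Optional[float] = None) -> float:
        """Register a failed attempt and return the delay now imposed on that account."""
        now = time.monotonic() if now is None else now
        failures, _ = self._state.get(account, (0, 0.0))
        failures += 1
        delay = min(self.cap, self.base * 2 ** (failures - 1))
        self._state[account] = (failures, now + delay)
        return delay

    def record_success(self, account: str) -> None:
        """A successful login clears the backoff state."""
        self._state.pop(account, None)


if __name__ == "__main__":
    throttle = FailureThrottle()
    for _ in range(4):
        print("next attempt delayed by", throttle.record_failure("alice"), "s")
    print("session id:", new_session_id())
```

A login handler would call retry_after() before checking credentials and reject the attempt while it is positive, then record_failure() or record_success() after the check.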

LAYER 6: PRESENTATION

FUNCTIONS

• Mapping between different syntaxes and semantics

• Formats and encrypts data to be sent across a network.

• Serialization of objects and data structures

• Data compression and encryption

POINTS TO REMEMBER

• Also called the SYNTAX LAYER.

DATA UNIT: PPDU

VULNERABILITIES

• Poor handling of unexpected input can lead to execution of arbitrary instructions.

• Unintentional or ill-advised use of externally supplied input in control contexts may allow remote manipulation or information leakage.

• Cryptographic flaws may be exploited to circumvent privacy protections

POINTS TO REMEMBER

• Format string vulnerabilities and buffer overflows are the classic examples at this layer.

CONTROLS

• Careful specification and checking of input received by applications or library functions

• Separation of user input from program control functions

– sanitized input

• Careful and continuous review of cryptography solutions

LAYER 7: APPLICATION

FUNCTIONS

• Provides a set of interfaces for applications to obtain access to networked services

• End-user interface

• Performing input to and output from mass storage devices.

• Transferring information to hosts

POINTS TO REMEMBER

• FTP, SMTP, Telnet, HTTP and DNS work here.

DATA UNIT: APDU

VULNERABILITIES

• Open design issues allow free use of application resources by unintended parties

• Backdoors and application design flaws bypass standard security controls

• Inadequate security controls force an "all-or-nothing" approach, resulting in either excessive or insufficient access.

• Overly complex application security controls tend to be bypassed or poorly understood and implemented.

• Program logic flaws may be accidentally or purposely used to crash programs or cause undesired behaviour

CONTROLS

• Application-level access controls to define and enforce access to application resources. Controls must be detailed, flexible and straightforward.

• Standards, testing, and review of application code and functionality as a baseline.

• IDS systems to monitor application activity

• Host-based firewall systems can regulate traffic by application, preventing unauthorized or covert use of the network
