The OSI Model
The OSI model is the single most useful map in all of networking. It breaks the messy business of “how computers talk” into 7 tidy layers. Once you can picture the layers, you can picture exactly where every attack happens and every defence lives.
Introduction — what is the OSI model?
OSI stands for Open Systems Interconnection. It is a conceptual model (a way of thinking, not a physical thing) that describes the journey your data takes in 7 layers, from the app you're using all the way down to the electrical signals on the wire, and back up again on the other side.
The 7 layers, top to bottom
A famous memory trick (mnemonic) reads the layers from top (7) to bottom (1): “All People Seem To Need Data Processing.”
| # | Layer | Job (in plain words) | Real example | Data is called |
|---|---|---|---|---|
| 7 | Application | The stuff you actually see and use | Web browser, email, WhatsApp (HTTP, DNS) | Data |
| 6 | Presentation | Translating & encrypting so both sides understand | SSL/TLS, JPEG, character encoding | Data |
| 5 | Session | Starting, managing and ending conversations | Keeping you logged in | Data |
| 4 | Transport | Reliable delivery & port numbers | TCP, UDP | Segment |
| 3 | Network | Addressing & choosing the route between networks | IP addresses, routers | Packet |
| 2 | Data Link | Delivery within one local network | MAC addresses, switches | Frame |
| 1 | Physical | The actual signals: cables, radio, light | Ethernet cable, Wi-Fi radio | Bits |
Layer 1 — Physical (the road itself)
The raw, physical connection: copper cables, fibre-optic light, Wi-Fi radio waves. It deals only in bits — 1s and 0s as electricity, light, or radio.
Analogy: the tarmac road the trucks drive on. Security angle: cutting a cable, or someone plugging a rogue device into a wall socket, is a Layer 1 attack.
Layer 2 — Data Link (delivery within the building)
Moves data between two directly-connected devices using MAC addresses. Switches live here. Data is packaged into frames.
Analogy: the mail sorter inside one office building. Security angle: MAC spoofing and ARP poisoning (tricking devices about who's who) are Layer 2 attacks — the classic “man-in-the-middle” starts here.
Layer 3 — Network (choosing the route between cities)
Handles IP addresses and decides the best path across many networks. Routers live here. Data is a packet.
Analogy: the city post office deciding which route a letter takes to another town. Security angle: IP spoofing and many denial-of-service floods target Layer 3.
Layer 4 — Transport (registered vs. ordinary post)
Ensures data arrives correctly and in order, and introduces ports (numbered doors on a computer). Two key protocols:
- TCP (Transmission Control Protocol): reliable. It checks everything arrived and re-sends anything lost — like registered mail with a signature.
- UDP (User Datagram Protocol): fast but no guarantee — like dropping a postcard in the box and hoping it arrives. Great for video calls where speed beats perfection.
Security angle: port scanning (which we'll do with Nmap) works at Layer 4. SYN-flood attacks abuse how TCP starts conversations.
Layer 5 — Session (managing the phone call)
Opens, maintains, and closes conversations between two applications. It's why you stay logged in while browsing. Analogy: a receptionist who connects your call, keeps it open, and hangs up at the end.
Layer 6 — Presentation (the translator)
Formats, compresses, and — crucially for security — encrypts data so both sides understand it. TLS/SSL, the technology behind HTTPS, is usually placed here. Analogy: a translator who also seals the letter in a tamper-proof envelope.
Layer 7 — Application (what you actually touch)
The top layer — the software you interact with and the protocols it speaks: HTTP/HTTPS (web), DNS (name lookups), SMTP (email). Security angle: most modern attacks — phishing, SQL injection, cross-site scripting — happen up here at Layer 7.
Where every attack lives (the security map)
| Layer | Example threat | Example defence |
|---|---|---|
| 7 Application | Phishing, SQL injection, XSS, malware | Input validation, WAF, user training |
| 6 Presentation | Weak/broken encryption, SSL stripping | Strong TLS, certificate checks |
| 5 Session | Session hijacking, stolen cookies | Secure tokens, session timeouts |
| 4 Transport | Port scanning, SYN floods | Firewalls, rate limiting |
| 3 Network | IP spoofing, ICMP floods | Router ACLs, anti-spoofing filters |
| 2 Data Link | ARP poisoning, MAC spoofing | Dynamic ARP inspection, port security |
| 1 Physical | Cable tapping, rogue devices | Locked rooms, disabled unused ports |
Command demo: see the layers in action
You don't just have to trust the theory — you can watch different layers work.
Type one of: ip neigh, ss -tuln, or curl -I https://example.com and notice which OSI layer each one lives on.
- Run curl -v https://example.com 2>&1 | head -n 20.
The -v (verbose) flag prints the connection story.
- Find and label these lines with their OSI layer:
- “Trying 93.184.x.x” → Layer 3 (IP address).
- “Connected to ... port 443” → Layer 4 (port).
- “TLS handshake / SSL certificate” → Layer 6 (encryption).
- “GET / HTTP/2” → Layer 7 (application).
- Write one sentence for each layer explaining what it did. You now understand a real HTTPS request the way a security analyst does.
Key takeaways
- The OSI model splits networking into 7 layers: Physical, Data Link, Network, Transport, Session, Presentation, Application.
- Remember it with “All People Seem To Need Data Processing.”
- Each layer wraps the data in its own header (encapsulation) going down, and unwraps it going up.
- Every attack and defence maps to a layer — knowing which one tells you where to act.