OSI LAYER Vulnerabilities and thier Controls

Layer One - the Physical Layer

The physical Layer is responsible for the physical communication between end stations.  it is concerned with the actual encoding  and transmission of data in electro- electromechanical terms of voltage and wavelength mechanical

Physical Layer Vulnerabilities

Loss of Power

Loss of Environmental Control

Physical Theft of Data and Hardware

Physical Damage or Destruction of Data and Hardware

Unauthorized changes to the functional environment (data connections, removable media, adding/removing resources)

Disconnection of Physical Data Links

Undetectable Interception of Data

Keystroke & Other Input Logging

Physical Layer Controls

Locked perimeters and enclosures

Electronic lock mechanisms for logging & detailed authorization

Video & Audio Surveillance

PIN & password secured locks

Biometric authentication systems

Data Storage Cryptography

Electromagnetic Shielding

Layer Two - Data Link Layer

The Data Link Layer is concerned with the logical elements of transmissions between two directly connected stations. It deals with issues of local topology where many stations may share a common local media. This is the layer where data packets are prepared for transmission by the physical layer.

Link Layer Vulnerability Examples

MAC Address Spoofing (station claims the identity of another)

VLAN circumvention (station may force direct communication with other stations, bypassing logical controls such as subnets and firewalls.)

Spanning Tree errors may be accidentally or purposefully introduced, causing the layer two environments to transmit packets in infinite loops.

In wireless media situations, layer two protocols may allow free connection to the network by unauthorized entities, or weak authentication and encryption may allow a false sense of security.

Switches may be forced to flood traffic to all VLAN ports rather than selectively forwarding to the appropriate ports, allowing interception of data by any device connected to a VLAN.

Link Layer Controls

MAC Address Filtering- Identifying stations by address and cross-referencing physical port or logical access

Do not use VLANs to enforce secure designs. Layers of trust should be physically isolated from one another, with policy engines such as firewalls between.

Wireless applications must be carefully evaluated for unauthorized access exposure. Built-in encryption, authentication, and MAC filtering may be applied to secure networks.

Layer Three - Network Layer

The Network layer is concerned with the global topology of the internet work - it is used to determine what path a packet would need to take to reach a final destination over multiple possible data links and paths over numerous intermediate hosts. This layer typically uses constructs such as IP addresses to identify nodes, and routing tables to identify overall paths through the network and the more immediate next-hop that a packet may be forwarded to.

Network Layer Vulnerabilities

Route spoofing - propagation of false network topology

IP Address Spoofing- false source addressing on malicious packets

Identity & Resource ID Vulnerability - Reliance on addressing to identify resources and peers can be brittle and vulnerable

Network Layer Controls

Route policy controls - Use strict anti-spoofing and route filters at network edges

Firewalls with strong filter & anti-spoof policy

ARP/Broadcast monitoring software

Implementations that minimize the ability to abuse protocol features such as

broadcast

Layer Four - Transport Layer

The Transport Layer is concerned with the transmission of data streams into the lower layers of the model, taking data streams from above and packaging them for transport, and with the reassembly and passing of incoming data packets back into a coherent stream for the upper layers of the model.

Transport Layer Vulnerabilities

Mishandling of undefined, poorly defined, or “illegal” conditions

Differences in transport protocol implementation allow “fingerprinting’ and other enumeration of host information

Overloading of transport-layer mechanisms such as port numbers limit the ability to effectively filter and qualify traffic.

Transmission mechanisms can be subject to spoofing and attack based on crafted packets and the educated guessing of flow and transmission values, allowing the disruption or seizure of control of communications.

Transport Layer Controls

Strict firewall rules limiting access to specific transmission protocols and sub- sub protocol information such as TCP/UDP port number or ICMP type

Stateful inspection at firewall layer, preventing out-of-state packets, “illegal” flags, and other phony packet profiles from entering the perimeter

Stronger transmission and layer session identification mechanisms to prevent the attack and takeover of communications

Layer Five- Session Layer

The Session Layer is concerned with the organization of data communications into logical flows. It takes the higher layer requests to send data and organizes the initiation and cessation of communication with the far end host. The session layer then presents its data flows to the transport layer below where actual transmission begins.

Session Layer Vulnerabilities

Weak or non-existent authentication mechanisms

Passing of session credentials such as user ID and password in the clear, allowing intercept and unauthorized use

Session identification may be subject to spoofing and hijack

Leakage of information based on failed authentication attempts

Unlimited failed sessions allow brute-force attacks on access credentials

Session Layer Controls

Encrypted password exchange and storage

Accounts have specific expirations for credentials and authorization

Protect session identification information via random/cryptographic means

Limit failed session attempts via timing mechanism, not lockout

Layer Six- Presentation Layer

The Presentation Layer deals with the organization of data passed from the application layer into the network. This layer allows for the standardization of data and the communication of data between dissimilar hosts, such as platforms with different binary number representation schemes or character sets (ASCII vs. UNICODE, for example.)

Presentation Layer Vulnerabilities

Poor handling of unexpected input can lead to application crashes or surrender of control to execute arbitrary instructions.

Unintentional or ill-advised use of externally supplied input in control contexts may allow remote manipulation or information leakage.

Cryptographic flaws may be exploited to circumvent privacy protections

Presentation Layer Controls

Careful specification and checking of received input incoming into applications or library functions

Separation of user input and program control functions- input should be sanitized and sanity checked before being passed into functions that use the input to control operation

Careful and continuous review of cryptography solutions to ensure current security versus know and emerging threats

Layer Seven- Application Layer

The Application Layer deals with the high-level functions of programs that may utilize the network. User interface and primary function live at this layer. All functions not pertaining directly to network operation occur at this layer

Application Layer Vulnerabilities

Open design issues allow free use of application resources by unintended parties

Backdoors and application design flaws bypass standard security controls

Inadequate security controls force “all-or-nothing” approach, resulting in either excessive or insufficient access.

Overly complex application security controls tend to be bypassed or poorly understood and implemented.

Program logic flaws may be accidentally or purposely used to crash programs or cause undesired behavior

Application Layer Controls

Application level access controls to define and enforce access to application resources.

Controls must be detailed and flexible, but also straightforward to prevent complexity issues from masking policy and implementation weakness

Standards, testing, and review of application code and functionality-A baseline is used to measure application implementation and recommend improvements

IDS systems to monitor application inquiries and activity

Some host-based firewall systems can regulate traffic by application, preventing unauthorized or covert use of the network.