02. Global Networking & The OSI Deep Dive
The Backbone of the Internet
You cannot secure—or exploit—what you do not understand. Every click, request, and data transfer moves through a complex network of interconnected systems. Understanding how this works is the foundation of cybersecurity.
This module focuses on how data travels across networks, where vulnerabilities exist at each layer, and how attackers exploit those weaknesses in practice. By the end, you will be able to look at any network attack and immediately identify which layer is being targeted, what the attacker is after, and how defenders should respond.
This is not theory. Every concept here maps directly to real tools, real attacks, and real defenses used in professional environments every day.
📦 The OSI Model — A Security Perspective
The OSI (Open Systems Interconnection) model breaks network communication into 7 distinct layers. Security professionals use it as a diagnostic framework—pinpointing exactly where an attack is happening and which controls apply. Think of it as a map of where battles are fought.
Layer 7 (Application): Where users and software interact with the network. Protocols: HTTP, HTTPS, DNS, FTP, SMTP, IMAP.
🎯 Attacks: SQL Injection, Cross-Site Scripting (XSS), Authentication Bypass, API Abuse, Directory Traversal
🛡️ Defense: Input validation, Web Application Firewall (WAF), secure coding practices, API rate limiting
Layer 6 (Presentation): Handles data formatting, encoding, compression, and encryption/decryption. This is where TLS lives.
🎯 Attacks: TLS downgrade attacks (forcing older, weaker encryption), weak cipher exploitation, SSL stripping
🛡️ Defense: Enforce modern TLS (1.3), disable weak ciphers (RC4, DES), HTTP Strict Transport Security (HSTS)
Layer 5 (Session): Manages the establishment, maintenance, and termination of sessions between applications.
🎯 Attacks: Session hijacking (stealing authenticated session tokens), replay attacks, session fixation
🛡️ Defense: Secure, HttpOnly, SameSite cookie flags; short session timeouts; regenerate session IDs after login
Layer 4 (Transport): Controls how data is delivered between hosts. Core protocols: TCP (reliable, connection-based) and UDP (fast, connectionless).
🎯 Attacks: SYN flood (TCP exhaustion), UDP amplification DDoS, port scanning, session hijacking via sequence prediction
🛡️ Defense: Stateful firewalls, SYN cookies, rate limiting, connection tracking
Layer 3 (Network): Handles logical addressing (IP addresses) and routing of packets across networks.
🎯 Attacks: IP spoofing (faking source addresses), BGP hijacking (corrupting routing tables), ICMP-based attacks
🛡️ Defense: Ingress/egress filtering, IP reputation lists, route authentication (RPKI), network segmentation
Layer 2 (Data Link): Handles communication between devices on the same local network segment. Uses MAC addresses and works through switches.
🎯 Attacks: ARP Spoofing (Man-in-the-Middle), MAC flooding (overloading switch CAM tables), VLAN hopping
🛡️ Defense: Dynamic ARP Inspection (DAI), port security, 802.1X authentication, VLAN segmentation
Layer 1 (Physical): The actual physical medium—cables, fiber, radio waves, hardware interfaces.
🎯 Attacks: Cable tapping, signal jamming (WiFi deauth), hardware implants (rogue devices), shoulder surfing
🛡️ Defense: Physical access controls (locked server rooms, cable conduits), camera surveillance, tamper-evident seals
Key Insight: Attackers rarely think in OSI layers, but defenders must. When an alert fires, the first question is: which layer is being attacked? That immediately narrows the toolset and response playbook.
🌐 IP vs MAC Addresses — Two Identities, Two Attack Surfaces
Every networked device has two distinct identities, operating at different OSI layers. Understanding both is essential because both can be abused.
- MAC Address (Layer 2): A 48-bit hardware address burned into the network interface card (NIC) at manufacture. Looks like: 00:1A:2B:3C:4D:5E. Only used within a local network segment. Routers strip and replace MAC addresses as packets cross network boundaries.
- IP Address (Layer 3): A logical address assigned by network configuration. Used for routing across the global internet. IPv4 looks like 192.168.1.100; IPv6 looks like 2001:0db8:85a3::8a2e:0370:7334.
Security Reality: Both can be spoofed. MAC addresses can be changed in software in seconds on any operating system. IP addresses can be spoofed at Layer 3, though return traffic won't reach the attacker (which is why spoofing is used for one-way attacks like DDoS amplification, not for interactive sessions).
ARP (Address Resolution Protocol) maps IP addresses to MAC addresses within a local network. It has zero authentication—any device can broadcast a fake ARP reply claiming any IP. Here is how the attack unfolds:
1. Victim's machine wants to send data to the router (192.168.1.1). It broadcasts: 'Who has 192.168.1.1? Tell me your MAC.'
2. The attacker sends a fake ARP reply: '192.168.1.1 is at [ATTACKER MAC]'—before the real router responds.
3. The victim updates their ARP cache: they now believe the attacker IS the router.
4. All traffic from the victim flows to the attacker first. The attacker forwards it to the real router, so the victim notices nothing.
5. The attacker reads, modifies, or records everything in the middle—credentials, session cookies, API keys, file transfers.
🔒 Defense: Dynamic ARP Inspection on managed switches validates ARP packets against a trusted DHCP binding table. Encrypted protocols (HTTPS, SSH) mean intercepted data is unreadable even if the MitM succeeds.
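The detection side of the attack above, as an added example that is not part of the original module: a small ARP monitor that parses raw Ethernet/ARP frames and compares every reply against a trusted IP-to-MAC table, which is the same check Dynamic ARP Inspection performs against the DHCP snooping binding table. The gateway binding, host MACs and the two frames are constructed sample data, not captured traffic; `build_arp_reply` exists only to feed the monitor.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


@dataclass
class ArpPacket:
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str
    is_reply: bool


def _mac(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(frame: bytes) -> Optional[ArpPacket]:
    """Parse an Ethernet II frame; return the ARP body, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP body
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ArpPacket(_mac(frame[22:28]), _ip(frame[28:32]),
                     _mac(frame[32:38]), _ip(frame[38:42]), oper == ARP_REPLY)


class ArpMonitor:
    """Checks each ARP reply against a trusted IP->MAC table (the role DAI gives to the DHCP
    snooping binding table) and records a conflict when a reply claims a known IP with a
    different MAC. IPs not in the table are learned on first sight."""

    def __init__(self, trusted: Optional[Dict[str, str]] = None):
        self.bindings: Dict[str, str] = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> Optional[str]:
        pkt = parse_arp(frame)
        if pkt is None or not pkt.is_reply:
            return None
        known = self.bindings.get(pkt.sender_ip)
        if known is None:
            self.bindings[pkt.sender_ip] = pkt.sender_mac
            return None
        if known != pkt.sender_mac:
            alert = "ARP conflict: %s is bound to %s but a reply claims %s" % (pkt.sender_ip, known, pkt.sender_mac)
            self.alerts.append(alert)
            return alert
        return None


# --- constructed sample data for the demo; no real hosts are involved -----------------------
def _mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def _ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Assemble a raw ARP reply frame, used only to produce sample input for the monitor."""
    eth = _mac_bytes(target_mac) + _mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += _mac_bytes(sender_mac) + _ip_bytes(sender_ip) + _mac_bytes(target_mac) + _ip_bytes(target_ip)
    return eth + arp


ROUTER_IP, ROUTER_MAC = "192.168.1.1", "00:11:22:33:44:55"      # constructed gateway binding
VICTIM_MAC, ROGUE_MAC = "08:00:27:12:34:56", "aa:bb:cc:dd:ee:ff"  # constructed hosts


def run_demo() -> List[str]:
    monitor = ArpMonitor({ROUTER_IP: ROUTER_MAC})
    frames = [
        build_arp_reply(ROUTER_MAC, ROUTER_IP, VICTIM_MAC, "192.168.1.100"),  # genuine gateway reply
        build_arp_reply(ROGUE_MAC, ROUTER_IP, VICTIM_MAC, "192.168.1.100"),   # second reply for the same IP
    ]
    for frame in frames:
        monitor.observe(frame)
    return monitor.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The first reply matches the trusted table and is silent; the second claims the gateway's IP from another MAC and produces the conflict alert. On a real segment the trusted table would come from DHCP snooping or a static inventory, and a flapping binding for the default gateway is the highest-priority signal to act on.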
🔑 TCP vs UDP — The Transport Layer Duel
The two dominant Layer 4 protocols have fundamentally different designs, and attackers exploit each differently.
TCP (Transmission Control Protocol): Connection-based. Before any data transfers, a three-way handshake must complete: SYN → SYN-ACK → ACK. Guarantees delivery, ordering, and error checking. Used for: HTTP/HTTPS, SSH, SMTP, FTP — anything where data integrity matters.
🎯 SYN Flood Attack: Attacker sends thousands of SYN packets with spoofed source IPs. Server sends SYN-ACK to each ghost address and waits for an ACK that never comes. Server's connection table fills up. New legitimate connections are rejected. Service goes down.
🛡️ Defense: SYN cookies — the server doesn't allocate connection state until the handshake is fully completed. Rate limiting new connections per source IP.
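How a SYN cookie lets the server skip allocating state, shown as an added example rather than code from the module or from any real TCP stack: the ISN the server puts in its SYN-ACK is an HMAC over the connection 4-tuple, the client's own ISN and a slow counter, so when the third-handshake ACK arrives the server recomputes the value from the ACK's fields alone. The bit layout, the MSS table and the `counter` callback are simplifications chosen for this example (Linux uses a comparable but not identical encoding); the addresses and secret are constructed.

```python
import hashlib
import hmac
import socket
import struct
from typing import Callable, Optional, Tuple

# Two bits of the cookie carry the client's MSS so it survives without per-connection state.
MSS_TABLE = (536, 1300, 1440, 1460)   # constructed table for this example
COOKIE_MAX_AGE = 1                    # accept the current counter value or the previous one


class SynCookieServer:
    """Stateless SYN handling: nothing is stored between SYN-ACK and ACK. A valid ACK proves the
    peer received the SYN-ACK, i.e. it really owns the source address it claimed."""

    def __init__(self, secret: bytes, counter: Callable[[], int]):
        self.secret = secret
        self.counter = counter  # a real stack ticks this roughly once a minute

    def _mac24(self, saddr: str, sport: int, daddr: str, dport: int, client_isn: int, t: int) -> bytes:
        msg = struct.pack("!4sH4sHII", socket.inet_aton(saddr), sport, socket.inet_aton(daddr), dport,
                          client_isn & 0xFFFFFFFF, t & 0xFFFFFFFF)
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:3]

    def make_cookie(self, saddr: str, sport: int, daddr: str, dport: int, client_isn: int, mss: int) -> int:
        """Server ISN for the SYN-ACK: 5 bits counter | 2 bits MSS index | 24 bits HMAC (bit 26 unused)."""
        t = self.counter()
        mss_idx = 0
        for i, m in enumerate(MSS_TABLE):
            if m <= mss:
                mss_idx = i
        mac = int.from_bytes(self._mac24(saddr, sport, daddr, dport, client_isn, t), "big")
        return ((t & 0x1F) << 27) | (mss_idx << 24) | mac

    def check_cookie(self, saddr: str, sport: int, daddr: str, dport: int,
                     ack_num: int, seq_num: int) -> Optional[int]:
        """Validate the handshake's final ACK using only its header fields. Returns the MSS to use
        on success, None if the cookie is forged, belongs to another 4-tuple, or is too old."""
        cookie = (ack_num - 1) & 0xFFFFFFFF      # client echoes server ISN + 1
        client_isn = (seq_num - 1) & 0xFFFFFFFF  # client's ISN + 1
        now = self.counter()
        age = (now - (cookie >> 27)) & 0x1F
        if age > COOKIE_MAX_AGE:
            return None
        expected = self._mac24(saddr, sport, daddr, dport, client_isn, now - age)
        if not hmac.compare_digest(expected, (cookie & 0xFFFFFF).to_bytes(3, "big")):
            return None
        return MSS_TABLE[(cookie >> 24) & 0x3]


def run_demo() -> Tuple[Optional[int], Optional[int], Optional[int]]:
    tick = [1000]  # fake counter so the run is deterministic
    srv = SynCookieServer(b"rotate-this-secret", lambda: tick[0])
    client, server, client_isn = ("203.0.113.7", 51515), ("198.51.100.10", 443), 0x1234ABCD  # constructed
    isn = srv.make_cookie(client[0], client[1], server[0], server[1], client_isn, 1460)
    # Honest client: seq = client_isn + 1, ack = server ISN + 1.
    honest = srv.check_cookie(client[0], client[1], server[0], server[1], isn + 1, client_isn + 1)
    # Same ACK replayed from a different source address: HMAC no longer matches.
    forged = srv.check_cookie("203.0.113.8", client[1], server[0], server[1], isn + 1, client_isn + 1)
    tick[0] += 5  # several counter periods later the same ACK is rejected as stale
    stale = srv.check_cookie(client[0], client[1], server[0], server[1], isn + 1, client_isn + 1)
    return honest, forged, stale


if __name__ == "__main__":
    print(run_demo())  # (1460, None, None)
```

The half-open connections a SYN flood relies on never exist here: spoofed SYNs cost the server one HMAC and one outbound SYN-ACK each, and the connection table is only touched once `check_cookie` succeeds. The price is that options not encoded in the cookie (window scaling, SACK) are lost for cookie-validated connections, which is why real stacks enable cookies only once the SYN queue is under pressure.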
UDP (User Datagram Protocol): Connectionless. No handshake. No delivery guarantee. Just fire packets and forget. Used for: DNS, VoIP, video streaming, gaming — anything where speed matters more than perfect reliability.
🎯 UDP Amplification DDoS: Attacker sends small UDP requests to open servers (DNS, NTP, Memcached) with the victim's IP spoofed as the source. Servers send massive responses to the victim — amplifying the traffic 10x to 10,000x. The attacker needs minimal bandwidth to generate catastrophic traffic at the victim.
🛡️ Defense: Rate limiting UDP responses, disabling open recursion on DNS servers, ingress filtering to drop spoofed source IPs.
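The ingress filtering named as a defense here and under Layer 3 (the BCP 38 idea: drop packets whose source address cannot legitimately arrive on that interface), as an added example that is not part of the module. It also illustrates why spoofing breaks amplification at the source: a customer host forging the victim's address never gets its request past the edge. Interface names, prefixes and the packet list are constructed, and the unroutable-prefix list is abbreviated.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

# Abbreviated list of sources that must never appear on an internet-facing link
# (RFC 1918, loopback, link-local, multicast, "this network"). Production lists are longer.
NEVER_ROUTED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


@dataclass
class Interface:
    name: str
    upstream: bool                                   # True: faces the internet; False: faces a customer/LAN
    assigned: Sequence[ipaddress.IPv4Network] = ()   # prefixes legitimately sourced behind a customer interface


class IngressFilter:
    def __init__(self, interfaces: Sequence[Interface], own_prefixes: Sequence[str]):
        self.ifaces: Dict[str, Interface] = {i.name: i for i in interfaces}
        self.own = [ipaddress.ip_network(p) for p in own_prefixes]

    def check(self, iface_name: str, src_ip: str) -> Tuple[str, str]:
        """Decide PERMIT/DROP for a packet's source address given the interface it arrived on."""
        ip = ipaddress.ip_address(src_ip)
        iface = self.ifaces[iface_name]
        if any(ip in n for n in NEVER_ROUTED):
            return ("DROP", "unroutable source")
        if iface.upstream:
            # Our own addresses cannot legitimately come in from the internet side.
            if any(ip in n for n in self.own):
                return ("DROP", "our own prefix arriving from upstream: spoofed")
            return ("PERMIT", "")
        # Customer side: the source must belong to the prefix we routed to that customer.
        if not any(ip in n for n in iface.assigned):
            return ("DROP", "source outside the prefix assigned to %s" % iface.name)
        return ("PERMIT", "")

    def apply(self, packets: Sequence[Tuple[str, str]]) -> List[Tuple[str, str, str, str]]:
        return [(iface, src) + self.check(iface, src) for iface, src in packets]


def run_demo() -> List[Tuple[str, str, str, str]]:
    edge = IngressFilter(
        interfaces=[
            Interface("ge-0/0/0", upstream=True),
            Interface("ge-0/0/1", upstream=False, assigned=[ipaddress.ip_network("203.0.113.0/24")]),
        ],
        own_prefixes=["203.0.113.0/24", "198.51.100.0/24"],
    )
    packets = [  # constructed (interface, source IP) pairs
        ("ge-0/0/1", "203.0.113.45"),   # customer host with its real address
        ("ge-0/0/1", "198.51.100.10"),  # customer host forging another network's address (an amplification request)
        ("ge-0/0/0", "203.0.113.9"),    # internet packet claiming to be from our own customer range
        ("ge-0/0/0", "192.0.2.25"),     # ordinary internet source (documentation range used as a stand-in)
        ("ge-0/0/0", "10.1.2.3"),       # private address on the internet link
    ]
    return edge.apply(packets)


if __name__ == "__main__":
    for iface, src, verdict, reason in run_demo():
        print("%-9s %-15s %-6s %s" % (iface, src, verdict, reason))
```

The second packet is the one that matters for this section: dropped at the customer's edge, it never reaches an open resolver, so no amplified response is aimed at the forged victim. Filtering on the upstream side catches the mirror image, where someone outside tries to impersonate one of our own hosts.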
📡 Network Topologies and How They Affect Security
The physical and logical structure of a network directly determines its security posture and its attack surface.
- Star Topology: All devices connect to a central switch or hub. Easy to monitor, manage, and control. The central device becomes the single point of failure and a high-value target—compromise the core switch and you can intercept all traffic.
- Mesh Topology: Every device connects to multiple others, providing multiple paths for traffic. Highly resilient—no single point of failure. Much more complex and expensive to secure and monitor.
- Segmented Network (Modern Best Practice): Networks are divided into zones (DMZ, internal, management, IoT, guest) with strict firewall rules between them. A breach in one zone does not automatically expose others.
Critical Concept — Traffic Direction:
- North-South Traffic: Data entering or leaving the network (internet-facing). This is what traditional firewalls and perimeter security control.
- East-West Traffic: Data moving laterally inside the network between servers and services. This is where most modern attacks cause their real damage—after the initial perimeter breach, attackers move east-west to escalate privileges and reach sensitive data. Most organizations monitor north-south traffic heavily but barely inspect east-west.
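A flow classifier that makes the north-south versus east-west distinction concrete, added here as an example that is not part of the module. It labels each flow by direction and, for east-west flows, checks it against a segmentation allow-list so that lateral traffic the policy never permitted (a workstation reaching a database, workstation-to-workstation SMB) is flagged instead of ignored. The zones, the allow-list and the flow records are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed internal zones; a real deployment loads these from IPAM or the firewall policy.
ZONES = {
    "users": ipaddress.ip_network("10.10.0.0/16"),
    "web":   ipaddress.ip_network("10.20.0.0/24"),
    "db":    ipaddress.ip_network("10.30.0.0/24"),
}
# The only east-west paths the segmentation policy permits: (source zone, destination zone, dst port).
ALLOWED_EAST_WEST = {("users", "web", 443), ("web", "db", 5432)}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    byte_count: int


def zone_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None  # not one of our internal zones


def classify(flow: Flow) -> Tuple[str, str]:
    """Return (direction, verdict). North-south flows are left to the perimeter policy; east-west
    flows are checked against the segmentation allow-list and anything else is flagged."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return ("north-south", "perimeter policy")
    if (src_zone, dst_zone, flow.dport) in ALLOWED_EAST_WEST:
        return ("east-west", "allowed")
    return ("east-west", "FLAG %s->%s:%d not in segmentation policy" % (src_zone, dst_zone, flow.dport))


SAMPLE_FLOWS = [  # constructed flow records
    Flow("10.10.4.21", "10.20.0.5", 443, 8_200),          # user browsing the internal web tier
    Flow("10.20.0.5", "10.30.0.12", 5432, 120_000),       # web tier querying the database
    Flow("10.20.0.5", "203.0.113.40", 443, 3_100),        # web tier calling an external API
    Flow("10.10.4.21", "10.30.0.12", 5432, 45_000_000),   # workstation talking straight to the database
    Flow("10.10.4.21", "10.10.9.77", 445, 900),           # workstation-to-workstation SMB
]


def run_demo(flows: Optional[List[Flow]] = None) -> List[Tuple[str, str]]:
    return [classify(f) for f in (flows if flows is not None else SAMPLE_FLOWS)]


if __name__ == "__main__":
    for flow, (direction, verdict) in zip(SAMPLE_FLOWS, run_demo()):
        print("%-12s -> %-14s :%-5d %-11s %s" % (flow.src, flow.dst, flow.dport, direction, verdict))
```

Only one of the five flows is north-south, and a perimeter firewall would have seen exactly that one. The two flagged flows are the kind of east-west movement the paragraph describes, and the 45 MB pull from a workstation to the database is what a post-breach data-staging step looks like in flow data.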
🏗️ Zero Trust — The Architecture That Replaced Perimeter Security
Traditional security operated on a castle-and-moat model: build thick walls around the network, and everything inside the walls is trusted. This model completely collapsed with cloud computing, remote work, BYOD, and supply chain attacks (like SolarWinds). Attackers don't need to breach the walls—they just get a job at the castle.
Zero Trust Principles:
- Never trust, always verify: Every request for access must be authenticated and authorized—regardless of where it originates. Being on the internal network grants no inherent trust.
- Least Privilege Access: Every user and system receives only the minimum access required for their specific function. An HR system should never have access to source code repositories.
- Assume Breach: Design systems assuming attackers are already inside. Segment, monitor, and alert as if the perimeter doesn't exist—because increasingly, it doesn't.
- Continuous Verification: Don't just authenticate at login. Continuously re-verify identity and device health throughout a session. Behavioral anomalies (unusual login time, unexpected data download) trigger step-up authentication or session termination.
- Microsegmentation: Divide the network into granular zones at the workload level. Even within the 'trusted' internal network, a database server cannot talk to a web server unless explicitly permitted.
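The principles above expressed as an access decision, added here as an example that is not part of the module or of any vendor's Zero Trust product: every request is evaluated on device posture, strong authentication, entitlement and context, and the field recording whether the request came from the corporate network is carried for logging but never consulted. The entitlement table, posture fields, thresholds and the four sample requests are constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# Constructed entitlement table: which groups may reach which resource (least privilege).
RESOURCE_ENTITLEMENTS: Dict[str, FrozenSet[str]] = {
    "source-code": frozenset({"engineering"}),
    "hr-records": frozenset({"hr"}),
    "payroll-db": frozenset({"hr", "finance"}),
}
WORK_HOURS = range(7, 20)                  # local hours considered normal for this workforce
BULK_THRESHOLD_BYTES = 500 * 1024 * 1024   # above this, a single request counts as a bulk download


@dataclass
class Device:
    managed: bool      # enrolled in device management
    compliant: bool    # passes current posture checks (patched, disk encrypted, EDR running)


@dataclass
class AccessRequest:
    user: str
    groups: FrozenSet[str]
    device: Device
    mfa_passed: bool
    on_corporate_network: bool   # logged for context only; carries no weight in the decision
    resource: str
    local_hour: int
    bytes_requested: int


def evaluate(req: AccessRequest) -> Tuple[str, str]:
    """Returns (decision, reason) with decision one of allow, deny, step_up. The same checks run
    for every request regardless of where it originates; on_corporate_network is never read."""
    if not (req.device.managed and req.device.compliant):
        return ("deny", "device not managed or out of compliance")
    if not req.mfa_passed:
        return ("deny", "strong authentication required")
    entitled = RESOURCE_ENTITLEMENTS.get(req.resource, frozenset())
    if not (entitled & req.groups):
        return ("deny", "least privilege: %s is not entitled to %s" % (req.user, req.resource))
    # Continuous verification: an authenticated, entitled user in an unusual context re-proves identity.
    if req.local_hour not in WORK_HOURS or req.bytes_requested > BULK_THRESHOLD_BYTES:
        return ("step_up", "unusual context (time or volume): re-verify before continuing")
    return ("allow", "identity, device and entitlement verified")


def run_demo() -> Dict[str, str]:
    healthy = Device(managed=True, compliant=True)
    cases = {  # constructed requests
        "engineer_from_cafe": AccessRequest("alice", frozenset({"engineering"}), healthy,
                                            True, False, "source-code", 10, 2_000_000),
        "hr_on_lan_wants_code": AccessRequest("bob", frozenset({"hr"}), healthy,
                                              True, True, "source-code", 10, 2_000_000),
        "unpatched_laptop_on_lan": AccessRequest("carol", frozenset({"engineering"}), Device(True, False),
                                                 True, True, "source-code", 10, 2_000_000),
        "engineer_3am_bulk": AccessRequest("alice", frozenset({"engineering"}), healthy,
                                           True, False, "source-code", 3, 900 * 1024 * 1024),
    }
    return {name: evaluate(r)[0] for name, r in cases.items()}


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print("%-26s %s" % (name, decision))
```

Being on the LAN buys the HR user and the unpatched laptop nothing, while the engineer in the coffee shop is allowed because identity, device and entitlement all check out; the same engineer pulling hundreds of megabytes at 3 a.m. is not refused outright but is pushed into step-up authentication, which is the "continuous verification" principle in code.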
Real-World Application: Google's internal Zero Trust implementation, called BeyondCorp, was built after the Aurora attacks in 2009 exposed the vulnerability of perimeter-based security. Today, Google employees work from coffee shops with the same security model as working from headquarters—because the network location is irrelevant. Identity, device health, and context determine access.
✅ Module 02 Knowledge Check
- At which OSI layer does ARP Spoofing occur, and why does it work without authentication?
- Explain the TCP three-way handshake. How does a SYN flood exploit it, and what does SYN Cookie protection do to stop it?
- What is the difference between North-South and East-West traffic? Why is East-West more dangerous in a post-breach scenario?
- A developer says 'we have a firewall, so we're safe.' What would you say to them about Zero Trust and modern attack techniques?
- Why can IP spoofing be used for DDoS amplification attacks but not for interactive sessions like SSH brute force?