The OSI Model
The Open Systems Interconnection (OSI) model is a conceptual model for how network traffic is structured. The seven layers of the OSI model include:
- Physical Layer: Moves data over a physical medium via electrons, light, etc.
- Data Link Layer: Transfers data between nodes, managing the physical medium and error correction. Ethernet is a Layer 2 protocol.
- Network Layer: Manages network addressing and routing to move data between networks. IP is a Layer 3 protocol.
- Transport Layer: Uses protocols such as TCP and UDP to transmit data between systems and may offer error correction.
- Session Layer: Manages connections and sessions between two computers.
- Presentation Layer: Performs data encryption, compression, and formatting to ensure data is translated properly between network and application.
- Application Layer: Enables end-user software applications to send and receive data over the network.
Importance of Layer 7
Layer 7 is the highest layer of the OSI model and deals with applications that interact with the user directly.
Lower application levels of the OSI model are concerned with ensuring that data gets where it needs to go and is formatted appropriately. Layer 7 is where applications that interact with the user operate. For instance, when browsing the web, a user will be using the HTTPS web protocol to communicate with the remote web server.
HTTPS is a Layer 7 protocol whose traffic is encapsulated within lower-layer protocols, such as:
These protocols are responsible for ensuring that data gets from a particular application on the client computer to a particular application on the server, while HTTPS carries the actual data that makes the web browsing session work.
Load Balancing at Layer 7
An organization may choose to implement load balancing at Layer 7 of the OSI model. This means that legitimate traffic for a single application is distributed across multiple different servers, ensuring that they’re not overloaded.
Therefore, load balancing improves overall application performance. From a user’s perspective, all of the servers behind a Layer 7 load balancer are indistinguishable since they’d have the same public-facing IP address and port numbers. But, the load balancer can route the traffic to servers based on utilization.
Additionally, the load balancer may use cookies or other information included in requests to ensure that traffic from the same session goes to the same server, enabling caching and optimizing the service.
Load balancing can also happen at Layer 4, the Transport Layer of the OSI model. In this case, different upstream servers would use different TCP/UDP ports, enabling a load balancer to quickly send traffic from the same session to the same server without inspecting its actual contents. However, this approach offers less granular control over the sessions sent to each backend server.
Protecting Against DDoS attacks
Layer 7 is also relevant in the context of distributed denial-of-service (DDoS) attacks. In DDoS application layer attacks, an attacker-controlled botnet attempts to render a target service unavailable to users and customers. DDoS attacks can occur at multiple different layers of the OSI model. One approach is to attempt to overwhelm a system with the sheer volume of requests.
These attacks operate at Layers 3 (Network) and 4 (Transport) of the OSI model. For instance, a SYN flood attack exhausts the number of TCP sessions that a server keeps open at one time.
SYN Flood
A SYN Flood is a type of DDoS attack that overwhelms a server with connection requests, making the server unavailable to legitimate customers.
- Normally, a client sends a SYN (Synchronize) message to a server, to request a connection to a server.
- The server acknowledges this request by sending a SYN-ACK message back to the client.
- Then, the client normally responds with an ACK (acknowledgment), and the connection is established.
However, in the case of SYN Flood attacks, the DDoS attacker sends a barrage of SYN requests to the server but purposefully does not reply with a final ACK to any of the SYN-ACK messages sent by the server. As a result, the server is stuck waiting for a large volume of ACK responses that never arrive from the client.
This process overwhelms the servers’ limited compute resources as they are tied up trying to manage a huge volume of half-open connections. This is why SYN Flood attacks are also known as ‘half-open attacks’.
Layer 7 DDoS Attack
Layer 7 DDoS attacks are designed to exploit vulnerabilities and bottlenecks in particular applications or services. For example, HTTP flood attacks try to send a web server more HTTP requests than it can handle. This may be substantially less than the number of simultaneous TCP sessions it can handle, making this a more efficient attack.
Different types of DDoS attacks have to be handled at different OSI layers. While many application firewalls can handle Layer 3/4 attacks, protecting against Layer 7 attacks requires a Layer 7 firewall that inspects and understands application-layer data.
Check Point Solutions and the OSI Model
Companies can suffer cyberattacks that operate at multiple different layers of the OSI model. For example, DDOS attacks can be performed at Layers 3, 4, or 7. Each of these types of attacks operates differently, and a network security solution providing protection only at Layers 3 and 4 will be blind to attacks occurring at Layer 7.
Check Point next-generation firewalls (NGFWs) provide protection at multiple layers of the OSI model, including the ability to inspect and understand network packet payloads to offer application-layer protection. Learn more about the Layer 7 protection that Check Point Quantum Force NGFWs provides by signing up for a free demo.
Feedback