"All people seem to need data processing."
Although true, that sentence isn't necessarily a statement of fact. Rather, it's a simple mnemonic device created to help people remember the seven layers of the Open Systems Interconnection (OSI) model—application, presentation, session, transport, network, data link, and physical.
But what is the OSI model, and why is understanding it important to understanding how complex computer networks operate? Short answer: the OSI model allows us to talk to each other about what's happening where in a network.
In sticking with the structure of the OSI model, we'll start with the basics and then provide more in-depth explanations of each layer, ending with a closer look at one of the most important yet undervalued layers of all.
The OSI Model Explained
First conceived of in the 1970s and formalized in 1984, the OSI model isn't a set of hard and fast rules, but it does provide a big-picture view of how networks operate, from physical hardware to end-user applications. It's also valuable when things go wrong, allowing network operations professionals to pinpoint specific layers to troubleshoot. If someone says, "Well, that's a Layer 7 problem," what they're really saying is that there could be an issue with an application like a web browser.
The OSI model has two major components: the basic reference model and protocols. The basic reference model is just another way to describe the 7-layer model. In this model, a layer in your network works with the layers immediately above and below it, meaning tools in Layer 4 work directly with tools in Layers 3 and 5. Protocols allow each layer on a host to communicate with the corresponding layer on a different host. Protocols are one reason why you can send an email from a Layer 7 application like Outlook from your desk in Seattle to someone who uses Gmail in Singapore.
Now that we've gone over a quick sketch of what the OSI model is, let's start peeling this seven-layer onion.
OSI Model Layers
Although the OSI model has a top-down construction, we're going to start at the bottom — Layer 1 — and work our way up.
|If you've ever had to troubleshoot anything electronic, Layer 1 is where you'd answer the question, "Is it plugged in?" Layer 1 also includes layouts of pins, voltages, radio frequency links, and other physical requirements. It's a media layer used to transmit and receive symbols, or raw bits of data, which it converts into electrical, radio, or optical signals.
|This digital stratum is all about media, acting as an avenue for node-to-node data transfers of frames—simple containers for single network packets—between two physically connected devices. It's where you'll find most of the switches used to start or end communication between connected devices. Layer 2 is comprised of two sublayers: MAC, or Media Access Control, and LLC, or Logical Link Control. MAC determines how devices in a network gain access to a medium and permission to transmit data. LLC identifies and encapsulates network layer protocols and controls error checking and frame synchronization.
|Another media layer, Layer 3 is home to IP addresses and routers that look for the most efficient communication pathways for packets containing control information and user data, also known as a payload. If a packet is too large to be transmitted, it can be split into several fragments which are shipped out and then reassembled on the receiving end. Layer 3 also contains network firewalls and 3-layer switches.
|Layer 4 is a host layer that generally functions as a digital post office coordinating data transfers between systems and hosts, including how much data to send, the rate of data transmission, data destinations, and more. Although they're not included in the OSI model, Transmission Control Protocols (TCP) and User Datagram Protocols (USD) are usually categorized as Layer 4 protocols. Layer 4 is also where you'll find gateways and additional firewalls.
|Layer 5 is a host layer that acts like a moderator in that it controls the dialogue between computers, devices, or servers. It sets up pathways, limits for response wait time, and terminates sessions.
|This host layer is where data is translated and formatted so applications, networks, and devices can understand what they're receiving. Characters are encoded and data compressed, encrypted, and decrypted on Layer 6.
|This top-of-stack host layer is familiar to end users because it's home to Application Programming Interfaces (API) that allow resource sharing, remote file access, and more. It's where you'll find web browsers and apps like email clients and social media sites.
Because Layer 7 is complicated and omnipresent, let's take a closer look.
Layer 7 of the OSI Model
In a lot of ways, this is where the enterprise lives. Layer 7 is the point at which customers will directly engage with your business. The application layer identifies communication components, determines resource availability, and ensures that communication runs smoothly. This layer is what allows access to network resources, so you'll likely recognize its most common protocols:
- Hypertext Transfer Protocol (HTTP)
- File Transfer Protocol (FTP)
- Simple Mail Transfer Protocol (SMTP)
Interestingly, most network traffic monitoring solutions don't actually dive into Layer 7, instead sticking to Layers 3 and 4 for their analysis. The problem with this approach is that you then lose out on a ton of unique behavioral data that can help with everything from load balancing to cyber threat mitigation.
Because Layer 7 interacts with both the end user (whether that's a programmer or a customer) and the application, analyzing the traffic on this layer provides a level of granularity that other layers lack. Think of it like eavesdropping: with L2-L4 visibility, you can tell two people are talking to each other from either side of a building. With L7 visibility, you know who each person is, which rooms they're standing in, and what they're actually saying to one another.
More organizations and vendors are beginning to realize the value of Layer 7 visibility for performance analytics, however, and even more so for enterprise security. For example, analyzing L7 traffic in real time gives security teams the ability to detect suspicious behavior like malicious DDoS traffic and mitigate the threat without impacting legitimate visitors.
Full-fledged network traffic analysis takes this process a step further by adding behavioral analytics for threat detection and response, which you can learn about in this blog.