OSI Model (7 Layers) Overview
An interactive reference guide to the Open Systems Interconnection Model
- Layer 7, Application: Through specific service protocols like HTTP for web browsing.
- Layer 6, Presentation: It is encoded, compressed, and converted to a standard format (ASCII/JPEG) for mutual understanding.
- Layer 5, Session: By setting up checkpoints for session recovery in case of failure.
- Layer 4, Transport: It uses **Port Numbers** to identify the application and TCP/UDP to transport Segments.
- Layer 3, Network: It uses the **IP Address** for network identification and the **Router** to find the optimal path.
- Layer 2, Data Link: It uses the **MAC Address** to identify devices within the same LAN.
- Layer 1, Physical: Bits are converted into electrical/light/radio signals according to physical standards.
Layer 3 Security & Hardening
The System Administrator’s Interactive Guide to Network Layer Protection
Layer 3 Security Essentials
This section covers fundamental techniques for isolating network traffic and enforcing access control policies at Layer 3 to build a secure and resilient infrastructure.
Inter-VLAN Routing
Purpose: To isolate traffic, contain security breaches, and reduce broadcast domains.
Method: A Layer 3 device (router or L3 switch) routes traffic between VLANs; the classic form, a single router reached over one trunk link with a subinterface per VLAN, is known as “Router-on-a-Stick.”
Admin Task:
Configure L3 interfaces on the router to connect separate VLANs (e.g., separating Server, User, and Guest networks).
Access Control Lists (ACLs)
Function: A set of rules applied to router interfaces to control which packets are allowed or denied.
Target: Filters traffic based on Source/Destination IP (L3) and Port numbers (L4).
Goal:
Enforce the “Principle of Least Privilege” by only allowing necessary traffic to and from critical servers.
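As an added example, not code from this guide, the following Python model shows the ACL semantics a router applies: the first matching rule decides, an implicit deny ends every ACL, and an earlier, broader rule can shadow a later one. The address plan (Server, User and Guest subnets) and the rules are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Optional

# Constructed address plan for this example (an assumption, not from the page).
SERVER_NET = ip_network("10.0.10.0/24")
USER_NET = ip_network("10.0.20.0/24")
GUEST_NET = ip_network("10.0.30.0/24")

@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: IPv4Network      # L3 source match
    dst: IPv4Network      # L3 destination match
    proto: str            # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]  # L4 destination port; None matches any port

def _covers(rule, src, dst, proto, dport):
    """True when `rule` matches every packet in the given src/dst/proto/port space."""
    return (src.subnet_of(rule.src) and dst.subnet_of(rule.dst)
            and rule.proto in ("any", proto)
            and (rule.dport is None or rule.dport == dport))

def evaluate(acl, src, dst, proto, dport=None):
    """First-match evaluation as a router does it: the first matching rule decides,
    and a packet that no rule permits hits the implicit deny at the end."""
    s, d = ip_network(src), ip_network(dst)  # host addresses become /32 networks
    for rule in acl:
        if _covers(rule, s, d, proto, dport):
            return rule.action
    return "deny"  # implicit deny: least privilege is the default

def shadowed_rules(acl):
    """Indexes of rules that an earlier, broader rule makes unreachable (a common ACL mistake)."""
    return [j for j, later in enumerate(acl)
            if any(_covers(earlier, later.src, later.dst, later.proto, later.dport)
                   for earlier in acl[:j])]

# Least-privilege ACL on the server VLAN interface: users reach HTTPS and DNS, one admin
# host reaches SSH, guests are denied explicitly (for a log entry), everything else is implicitly denied.
SERVER_ACL = [
    Rule("permit", USER_NET, SERVER_NET, "tcp", 443),
    Rule("permit", USER_NET, SERVER_NET, "udp", 53),
    Rule("permit", ip_network("10.0.20.5/32"), SERVER_NET, "tcp", 22),
    Rule("deny", GUEST_NET, SERVER_NET, "any", None),
]
```

Running `shadowed_rules` over a candidate ACL before deploying it catches the case where a broad "permit" placed too early silently defeats a narrower "deny" below it.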
Diagnostics & Protocol Security
Learn how Layer 3 protocols are used for troubleshooting and how they can be secured against common network attacks.
Ping & Traceroute
Diagnostics: ICMP is the core protocol for essential tools like `ping` (testing reachability) and `traceroute` (mapping network paths).
Security Risk: It can be exploited in DoS (Denial of Service) attacks, such as an ICMP Flood, to overwhelm a server.
Mitigation:
Configure the edge firewall to Rate-Limit or Block certain ICMP message types from external networks to protect internal resources, while still allowing the types that Path MTU Discovery depends on (ICMP “Fragmentation Needed” and ICMPv6 “Packet Too Big”), since blocking all ICMP wholesale creates hard-to-diagnose connectivity failures.
ARP Poisoning
Nature: A Layer 2 attack that has severe Layer 3 consequences by misdirecting traffic, enabling “Man-in-the-Middle” attacks.
Risk: An attacker on the local network spoofs the MAC address of the Default Gateway (router), tricking hosts into sending traffic to the attacker instead.
Mitigation:
Implement Dynamic ARP Inspection (DAI) on Layer 2/3 switches to validate ARP packets against a trusted IP-to-MAC binding table (typically built by DHCP Snooping, or static entries for fixed hosts) and drop spoofed replies before they reach other hosts.
Performance & Efficiency
Explore key Layer 3 concepts that directly impact network speed, reliability, and the user experience for critical applications.
MTU & PMTUD
MTU (Maximum Transmission Unit): The largest packet size (in bytes) a network interface can send without fragmentation.
Issue: An incorrect MTU setting causes Packet Fragmentation or Packet Drops, severely impacting performance, especially over VPNs and cloud links.
PMTUD (Path MTU Discovery): An automated function to find the smallest MTU along a network path, ensuring packets are sized optimally; it relies on ICMP “Fragmentation Needed” messages reaching the sender, so it silently fails if those are filtered.
Admin Task:
Verify and adjust MTU settings, especially on interfaces for tunnels or external connections.
Quality of Service (QoS)
Mechanism: A set of techniques to manage network resources by prioritizing critical traffic flows over less important ones during times of congestion.
Components:
- Marking: Tagging packets with priority levels (e.g., DSCP).
- Queuing: Placing high-priority packets at the front of the line on the router.
Benefit:
Guarantees low latency and sufficient bandwidth for real-time applications like VoIP and Video Conferencing, even when the network is busy.