1. Paper Summary
Network security services consist of a multitude of policies implemented in order to prevent and monitor unauthorized access, misuse, modification, or denial of computer systems and network-accessible resources.
Over the course of this paper, I will go through a variety of best practices for securing a LAN with some of the top services available on the market.
The case study will present a common and underrated network security risk: connecting a non-proprietary device (BYOD) to the LAN, together with the introduction of a new security system created to mitigate that risk (an RBAC system).
2. Fundamentals of security services
2.1. Introduction to security services
Security services are part of our day to day life, doing what they are designed to do: provide security in any access or exchange of data.
A network administrator provides the security services by validating access to the systems and data. The roots of security services lie with the ISPs of the 1990s, when they offered customers basic firewall appliances and, for a recurring cost, managed these customer-owned firewalls.
Nowadays this outsourcing of security services is still present in most small-to-medium businesses, for obvious reasons:
– To focus on the core business activity
– To escape the pressure they have related to daily security risks
– The continuously increasing threats (malware, data theft, etc.)
– It is cost effective (no resource constraints, no skills needed)
Big enterprises, though, tend to keep these services in house, as they have the resources to financially sustain such an infrastructure, to develop the skills of the specialists in charge of the systems and to cope with the scalability of the services, but mainly because they can offer these services to their own customers.
2.2. Introduction to information security
Information security, sometimes shortened to InfoSec, is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (e.g. electronic, physical). (United States Code, Title 44).
ISO 27001 is the well-known standard that specifies the requirements for an information security management system (ISMS). An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It covers people, processes and IT systems by applying a risk management process.
Information security should be widely available to all the IT customers, users and IT staff.
Information security objectives are best described, and most customer needs are met, when:
– Information is observed by or disclosed to only those who have a right to know (confidentiality)
– Information is complete, accurate and protected against unauthorized modification (integrity)
– Information is available and usable when required, and the systems that provide it can appropriately resist attacks and recover from or prevent failures (availability)
– Business transactions, as well as information exchanges between enterprises, or with partners, can be trusted (authenticity and non-repudiation)
2.3. Introduction to LAN
LAN or local area network is a computer network that is used to connect computers and other network devices in a small area, like an office, a building or a group of buildings.
The purpose of the LAN is to facilitate the information flow between the connected devices. For example, you can print documents using the network printer, you can scan and email a document, you can chat with other users, etc.
The most commonly used type of LAN is Ethernet. Ethernet refers to the media used to interconnect devices, for example copper wires, fiber optic cables or wireless.
A LAN can host from a few users (a home) to thousands of users (a large enterprise). Several LANs can be connected with each other, thus resulting in WANs, which can be spread over large geographical regions.
2.4. Data classification
The data that an enterprise holds about its customers and resources not only allows it to conduct business properly, but also constitutes a gold mine for data analysis.
There are three types of client data:
– Business data: data related to the operation of the client’s business, including confidential or sensitive business related data that relates to individuals (e.g. pricing information, trade secrets, financials, mergers, acquisitions or other strategic plans).
– Intellectual property: client-owned knowledge that is protected by intellectual property rights and that no one else has the right to use (e.g. software code, designs, unique business processes, product formulations).
– Personal data: information related to identifiable individuals (e.g. any data that relates to a living person who can be identified from the data set).
Client data is classified as:
Each class is listed with its business impact, a description and data examples.
Restricted – business impact: Extreme – Data that is only known among client personnel on a strict need-to-know basis, or information that can be considered inside knowledge:
• Formula, process or code for a critical product
• Financial projections and material non-public financial information
• Litigation information
• Merger and acquisition plans
Highly confidential – business impact: High – Sensitive technical or financial data and all personal data regulated by privacy laws, where disclosure or misuse can lead to identity theft or consumer harm:
• Social security number, driver’s license number, passport number
• Financial account numbers, credit or debit card numbers and financial account security codes, access codes, or passwords
• Personal medical information or health insurance information
• Network designs, IP addresses or sensitive sites when tied to personal data
Confidential – business impact: Moderate – Information intended for release only on a need-to-know basis, and data protected or restricted by contract, grant, or other agreement terms and conditions:
• Name associated with telephone number, address, email, resume, hobbies, references, personal history
• Staff and personnel records (including Employee ID)
• Licensed software/software license keys
• Organizational charts
• Internal correspondence
Unrestricted – business impact: Limited or none – Data intended or expressly authorized for public display or use:
• Public directory information
• Public websites
• Course listings and publications
2.5. Data transmission
Data transmission is the physical process of sending analog or digital data over a communication medium (analog or digital) to one or more computing, network, communication or electronic devices. It enables devices to transfer data and communicate in point-to-point, point-to-multipoint and multipoint-to-multipoint environments. The data are represented as an electromagnetic signal, such as an electrical voltage, radio wave, microwave, or infrared signal.
2.6. LAN Technologies
The technologies used to make a LAN functional are complex and interconnected, but all of them have as a base concept the OSI model.
The OSI model is a conceptual model that standardizes the communication functions of a telecommunication or computing system, regardless of its internal structure and technology. Its goal is the interoperability of diverse communication systems through standard protocols. The model partitions a communication system into seven structured layers, from the bottom up: 1. Physical, 2. Data link, 3. Network, 4. Transport, 5. Session, 6. Presentation and 7. Application (also detailed in Annex 1).
Another technology very useful at LAN level is the VLAN.
A LAN can be logically segregated into several VLANs. VLANs act as separate networks, so devices from VLAN 1 (Engineering) cannot communicate with devices from VLAN 3 (Accounting):
Example of a LAN with 3 VLANs – Source: cisco.com
3. Enterprise security services
This chapter defines an enterprise level infrastructure, with the aggregated security services, following common best practices.
3.1. Physical security
Physical security refers to a specific area with well-defined threats and risks, as well as controls to be implemented; it is mandatory in order to ensure the protection of the company’s information assets, IT services and resources, as well as the safety of the personnel.
Physical security is a key element underlying all other IT security measures.
Hence physical security must be implemented adequately in order to prevent any weak point that could lead to bigger damage; it is therefore important that proper controls are put in place. These controls are divided into two categories: administrative controls and physical/technical controls.
Server rooms are planned and designed within the blue print of a new building and this gives the possibility to implement the right physical controls.
Facility Security Management
The access to the server room should be recorded in order to prevent or detect unauthorized access or access attempts. Facility security management also includes the process of emergency procedures that need to be simulated on a regular basis.
Environmental and life safety controls
Electrical power sustains the operation of the servers and electrical equipment within the room. Usually two separate electrical power supplies are installed so that, in case of a blackout, the secondary one takes over and a general interruption of the services is avoided.
Preferably a UPS (uninterruptible power supply) should be installed.
The server room must also be equipped with proper fire detection and suppression systems, and the temperature and humidity should be maintained within pre-defined ranges; condensation may damage the hardware, so it is better to have ventilation systems that help circulate fresh air.
As for administrative personnel control, the IT department ensures that access, accounts and authorizations are modified or removed when an employee changes role or leaves the company.
Physical and technical controls
Facility Access Control devices
Each employee must use personal identification, like a badge and PIN, must secure laptops with special locks and must store backup media in a locked cabinet to prevent theft.
Asset Inventory Control
Servers and equipment within the server room should be checked regularly in terms of functionality and existence. The machines have to be checked to confirm that they work properly and that there is no damage to the devices. It also has to be verified that all devices are still in place and that no theft has occurred.
Labelling also helps: a label includes useful information like IP address, server name, application name, the team responsible for the server and a phone number.
Media Storage Requirements
Sensitive information on media should be stored in a secure place, protected from unintentional events like fire or water and from intentional events like theft or vandalism; it is preferable to keep the backups separate from the server.
3.2. The enterprise infrastructure
The enterprise infrastructure represents a multitude of policies, equipment and software. A typical infrastructure will deliver several features and benefits:
– No single point of failure – the hardware resources have redundant devices configured in the same way, so that in the event of a failure, the secondary device can take over
– Scalability – resources are available all the time, and increasing the capacity or reducing the unused capacity is cost effective
– Utility-style cost – the customers pay only for what they are using
– High performance – with servers hosted in house, access to resources is instant
– Location independence – using VPN technologies, resources can be accessed from anywhere in the world using an internet connection only
– Predictable budgeting – costs can be recovered through a precise budgeting, and part of the usage is recovered through depreciation and interest
The infrastructure is the bond between the primary business elements: people, processes and technology.
3.2.1. General considerations
An Information Technology (IT) Security Policy identifies the rules and procedures for all individuals accessing and using an organization’s IT assets and resources. Effective IT Security Policy is a model of the organization’s culture, in which rules and procedures are driven from its employees’ approach to their information and work.
Policy should define:
• An overall information security policy
• Use and misuse of IT assets policy
• An access control policy
• A password control policy
• An email policy
• An internet policy
• An anti-virus policy
• An information classification policy
• A document classification policy
• A remote access policy
• A policy with regard to supplier access to IT service, information and components
• A copyright infringement policy for electronic material
• A record retention policy
The objectives of an IT security policy are the preservation of confidentiality, integrity, and availability of the systems and information used by an organization’s members.
The main scope of the policy covers the following:
• Focal point for all IT security issues
• The production, maintenance, distribution and enforcement of an information security policy
• Understanding the agreed current and future security requirements of the business
• Implementation of a set of security controls
• Documentation of all security controls
• Management of suppliers and contracts regarding access to systems and services, in conjunction with supplier management
• Management of all security breaches, incidents and problems associated with all systems and services
• The proactive improvement of security
• Integration of security aspects within all other ITSM processes
• Align IT security with business security and ensure that the confidentiality, integrity and availability of the organization’s assets, information, data and IT services always matches the agreed needs of the business
The IT Security Policy is a living document that is continually updated to adapt with evolving business and IT requirements. Institutions such as the International Organization of Standardization (ISO) and the U.S. National Institute of Standards and Technology (NIST) have published standards and best practices for security policy formation.
An organization’s security policy will play a large role in its decisions and direction, but it should not alter its strategy or mission.
3.2.2. Infrastructure physical architecture
The physical architecture of the infrastructure often makes the difference when it comes to a safe and high-performing LAN.
Example of the architecture of a physical infrastructure
3.2.3. Equipment roles
A router is a device that forwards data packets along networks and is connected to at least two networks, commonly two LANs or WANs or a LAN and its ISP’s network. Routers are located at gateways, the places where two or more networks connect.
Multiprotocol Label Switching (MPLS) is a data-carrying technique for high-performance telecommunications networks that directs data from one network node to the next based on short path labels rather than long network addresses, avoiding complex lookups in a routing table.
A voice router is the same as a normal router, but it is dedicated to voice traffic.
Router PSTN connectivity is generically referred to as voice gateway functionality, offering a gateway for voice over IP (VoIP) calls to, and from, traditional analog or digital PSTN or private branch exchange (PBX) calls.
A switch is a device in a computer network that electrically and logically connects together other devices. Multiple data cables are plugged into a switch to enable communication between different network devices.
A switch used in this role has the same function as a normal switch, but it serves as a screening interface for the internet-facing devices.
A core switch is a high-capacity switch generally positioned within the backbone or physical core of a network. Core switches serve as the gateway to a wide area network (WAN) or the Internet – they provide the final aggregation point for the network and allow multiple aggregation modules to work together.
An edge switch is a switch located at the edge of the LAN. These switches connect end-users to local area networks and usually have a high capacity of individual connections (i.e. 24 ports, 48 ports).
Wireless access point
A wireless access point (WAP) is a networking hardware device that allows a Wi-Fi compliant device to connect to a wired network. The WAP usually connects to a router (via a wired network) as a standalone device, but it can also be an integral component of the router itself.
Packet shapers control the volumes of traffic flowing into the campus network while firewalls allow/disallow types of traffic.
A VPN is a Virtual Private Network. The “box” or VPN device creates an encrypted tunnel between itself and a same-keyed partner device across the Internet or other insecure channel.
A security compliance and auditing suite consists of an integrated set of solutions that help organizations simplify security operations and lower the cost of compliance by delivering critical security intelligence on demand and automating the full spectrum of auditing, compliance and protection for IT systems and web applications.
A firewall is a software program or piece of hardware that helps screen out hackers, viruses, and worms that try to reach your computer over the Internet.
Wireless Controllers help reduce overall operational expenses by simplifying network deployment, operations, and management of access points.
3.2.5. User profiles
In a Windows environment, a user profile is a record of user-specific data that defines the user’s working environment and that includes display and application settings as well as network connections. Depending on how the network administrator has set up the user’s profile we can decide what files, applications and directories the user profile can have access to.
A user group is a collection of user accounts that all have the same security rights; such groups are also referred to as security groups.
A user account can be a member of more than one group. The two most common user groups are the standard user group and the administrator group, but there are others. A user account is often referred to by the user group it’s in (for example, an account in the standard user group is called a standard account). If you have an administrator account, you can create custom user groups, move accounts from one group to another, and add or remove accounts from different groups. When you create a custom user group, you can choose which rights to assign.
4. Case study – the danger of connecting non-proprietary devices in the LAN (BYOD policy) and mitigating the risk
4.1. Risk description
In an enterprise LAN there can be cases in which exceptions are made to the rules or policies of the network. Any of these exceptions can also be a security threat, so each exception is in fact an associated risk.
A tendency nowadays in all kinds of businesses, regardless of the size, is the concept of BYOD – bring your own device, in which employees would bring personal devices (i.e. laptops, tablets and smartphones) to work and connect them to the enterprise network.
Amongst the advantages, besides the cost reduction, is the increased productivity that was observed for the users that were using at work the devices brought from home (thus being able to work with a familiar and comfortable device).
But as good as this can sound for an employer, the BYOD policy is a big security concern. For example, if an employee uses a personal laptop to access confidential or restricted company data and then loses the laptop, this translates into a very serious data breach. Another example: employees switch devices relatively often and wish to sell their old device, and in most cases the data is not securely wiped from the device, or it is not erased at all.
4.2. Introducing a new security service in order to mitigate the risk – RBAC
RBAC – or Role Based Access Control is a method of restricting network access based on specific roles and permissions for the user.
A pilot will provide an excellent opportunity to learn about how well the RBAC performs in an operational environment, both functionally and technically. In addition, the pilot provides insights on how to revise and refine the implementation approach and activities for subsequent implementation.
The following are highlights of the evaluation:
• One of the most important outcomes of this pilot deployment is the early identification of the risks and issues tied to an RBAC deployment in the enterprise environment, where localised and project-based particularities of the existing software and hardware, the presence of different businesses and increased site/network complexity present the project team with a real challenge in adapting the solution for an optimum fit on the enterprise infrastructure.
• Extensive planning and monitoring is critical. Detailed plans are to be created at all levels (country-wide and locally). These are essential to performing the required implementation activities and contribute to a relatively uneventful go-live period. To further enhance planning, formal biweekly local work plan reviews will be conducted during the two months prior to go-live. These reviews will serve as checkpoints to ascertain local readiness for go-live.
• Provide access to RBAC system data to as many local technology support staff as possible, as far in advance of go-live as possible, and increase participation in knowledge sharing.
• An effective implementation infrastructure is essential for successful site readiness and the introduction of change. The Implementation Model (Portfolio Leads, Architecture Leads, Local Implementation Managers, Project Managers and Implementation Coordinators) allows for centrally managed and locally executed plans, to ensure consistency and completeness of activities. During the pilot, a cohesive country-wide team, comprised of project, country and local support representatives, will be formed. This team will be mobilized for future change initiatives.
• Senior management support and involvement contributes to local success. A high level of support and involvement will help set the stage for the significant amount of change that RBAC brings. Often this translates into ensuring that the local effort is adequately resourced and that innovative approaches are used to support the required implementation activities (e.g., allowing employees to do computer-based training at home, negotiating with the local leadership to reallocate resources during vacation periods, etc.)
• Implementation activities need to reinforce the fact that learning is a continuum. During the pilot, computer-based training, instructor-led training and data validation activities were considered separate activities. Based on feedback from the field, these activities can be revised to become more integrated and allow for a “building” of knowledge of the system. To support this integration, the training team and the deployment team will take part in train-the-trainer sessions.
• Users need to understand the ‘system logic’. If the local support teams are concerned about not being able to solve issues on their own, since RBAC is a much more complex system than expected (it incorporates the functionality of a number of current systems), training and/or field preparation will address this requirement. An action item for the reporting team is to determine how best to meet this need.
• On-site support is required during key testing activities. During the pilot, additional on-site support is required while the project team activates the RBAC functionality and key network tests are performed (e.g., functionality, stability, compliance, audit/quarantine VLAN assignment). Under consideration are improved knowledge transfer to local teams about the activities required to perform these tests, and providing additional project resources during testing.
• Service Desk support must be prepared for the volume of low-severity tickets from the field. The Service Desk will be trained prior to the change, preparing them for a potential increase in tickets raised by end users. However, only a small percentage (3-5%) of the tickets is expected to be of high or critical severity. Additional resources will be added to the Help Desk to assist in responding to the tickets.
• The RBAC client, required for accessing the RBAC-enabled network, is not part of the global workstation image, so it must be manually installed by the local support team. This situation will be addressed over the next few months.
• Communication with the local support team regarding open tickets/user requests is essential. During the pilot, local support should provide user communication that would reduce the number of tickets about to be logged and/or service requests to be created. A process that enhances user communication is crucial.
• During the pilot, sufficient attention has to be given to the planning of knowledge transfer. Insufficient local expertise and knowledge in the areas of technology, functionality, business processes and operations will result in a higher number of requests, thus increasing the need for resources. Further effort is required to ensure that sufficient knowledge transfer occurs.
• Network response time during logon attempts: the average connection time via the RBAC client varies depending on workstation hardware, network latency and compliance status (failed compliance may take longer), but based on tests it ranges from 5 to 15 seconds.
• Conduct weekly and monthly reviews of system performance, utilization reports, compliance reports and RBAC performance reviews. These reports will be used by the RBAC operations team to monitor RBAC infrastructure.
After this point we will be able to say that the major roadblocks have been removed, allowing us to consider a wide deployment of the RBAC security solution in all the offices.
4.4. RBAC setup
Security services can be costly and error-prone because administrators usually specify the access to different resources with access control lists, for each user on the system individually.
Using RBAC, security is managed at a level that corresponds closely to the enterprise’s structure. Each user is assigned one or more roles, and each role is assigned one or more access privileges that are permitted to users in that role. Security administration with RBAC consists of determining the activities that must be completed by persons in particular roles (or jobs), and assigning employees to the proper roles. The ramifications introduced by mutually exclusive roles or role hierarchies are handled by the RBAC software, making security administration considerably easier.
The RBAC system determines the applications/resources that the user and/or device can access on the corporate network.
RBAC is only applicable when working from the enterprise office, not from home or any other site.
Prior to connecting to the network from the enterprise office, the PC or mobile device will be checked to ensure compliance with security standards such as up-to-date antivirus and firewall software.
Once the system conforms to the security checks, access will be granted to the enterprise network, including access to the designated applications tagged to the user’s credentials.
If non-compliant, PCs and devices will be allocated to a quarantine VLAN and will receive basic internet access only.
4.4.1. Logical scheme
The NIST RBAC standard (2004) recognizes three levels of RBAC:
a. core RBAC
b. hierarchical RBAC, which adds support for inheritance between roles
c. constrained RBAC, which adds separation of duties
Our environment is based on the hierarchical level, as follows:
RBAC logical scheme
RBAC guest VLAN for connected non-proprietary devices (BYOD/guest). If the devices do not fulfil the base security requirements, they are moved to the quarantine VLAN.
Role-based VLAN for connected proprietary devices.
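As an added illustration of the hierarchical level described above together with the admission rules of section 4.4 (example code, not the paper’s RBAC product; the role names, permission strings and VLAN names are constructed):

```python
"""Hierarchical RBAC (NIST level b) plus the admission rules of section 4.4.

Constructed example: the role names, permission strings and VLAN names are
assumptions, not the paper's environment.
"""
from dataclasses import dataclass, field
from typing import Optional

QUARANTINE_VLAN = "vlan_quarantine"   # assumed name: non-compliant devices, basic internet only
GUEST_VLAN = "vlan_guest"             # assumed name: compliant BYOD / guest devices
BASIC_INTERNET = frozenset({"internet:basic"})


@dataclass
class Role:
    name: str
    permissions: set = field(default_factory=set)
    parents: set = field(default_factory=set)  # roles whose permissions this role inherits
    vlan: Optional[str] = None                 # role-based VLAN for proprietary devices


@dataclass
class Device:
    user: str
    proprietary: bool   # company-owned (True) or BYOD / guest (False)
    compliant: bool     # passed the posture check (up-to-date antivirus and firewall)


class HierarchicalRbac:
    def __init__(self):
        self.roles = {}        # role name -> Role
        self.assignments = {}  # user -> set of directly assigned role names

    def add_role(self, name, permissions=(), parents=(), vlan=None):
        unknown = set(parents) - set(self.roles)
        if unknown:
            raise KeyError(f"unknown parent role(s): {sorted(unknown)}")
        self.roles[name] = Role(name, set(permissions), set(parents), vlan)

    def assign(self, user, role):
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        self.assignments.setdefault(user, set()).add(role)

    def effective_roles(self, user):
        """Directly assigned roles plus everything reachable through 'parents'.
        The visited set keeps a misconfigured cycle (A -> B -> A) from looping."""
        todo = list(self.assignments.get(user, ()))
        seen = set()
        while todo:
            role = todo.pop()
            if role in seen:
                continue
            seen.add(role)
            todo.extend(self.roles[role].parents)
        return seen

    def permissions_of(self, user):
        perms = set()
        for role in self.effective_roles(user):
            perms |= self.roles[role].permissions
        return perms

    def check(self, user, permission):
        return permission in self.permissions_of(user)

    def role_vlan(self, user):
        """VLAN derived from the user's directly assigned roles. Exactly one must
        result; roles that disagree are a policy error, not a silent pick."""
        vlans = {self.roles[r].vlan for r in self.assignments.get(user, ())
                 if self.roles[r].vlan is not None}
        if len(vlans) > 1:
            raise ValueError(f"{user}: assigned roles map to several VLANs {sorted(vlans)}")
        return vlans.pop() if vlans else None


def admit(rbac, device):
    """Decide (vlan, permissions) for a device connecting from the enterprise office."""
    if not device.compliant:                 # failed posture check -> quarantine
        return QUARANTINE_VLAN, set(BASIC_INTERNET)
    if not device.proprietary:               # compliant BYOD / guest -> guest VLAN
        return GUEST_VLAN, set(BASIC_INTERNET)
    vlan = rbac.role_vlan(device.user)
    if vlan is None:                         # no role on record: treat as a failed audit
        return QUARANTINE_VLAN, set(BASIC_INTERNET)
    return vlan, rbac.permissions_of(device.user)


def build_demo():
    """Constructed policy: engineers and accountants both inherit 'employee'."""
    rbac = HierarchicalRbac()
    rbac.add_role("employee", {"intranet:read", "print"})
    rbac.add_role("engineer", {"repo:write"}, parents={"employee"}, vlan="vlan_eng")
    rbac.add_role("accountant", {"ledger:write"}, parents={"employee"}, vlan="vlan_acct")
    rbac.assign("alice", "engineer")
    rbac.assign("bob", "accountant")
    return rbac


if __name__ == "__main__":
    policy = build_demo()
    for dev in (Device("alice", True, True), Device("alice", False, True),
                Device("bob", True, False), Device("mallory", True, True)):
        print(dev, "->", admit(policy, dev))
```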
4.4.2. Authentication flow and equipment roles
The RBAC authentication flow consists of three devices that are indispensable for a successful audit:
RBAC authentication flow
Supplicant – this is the device that is being connected to the LAN. It can be a laptop, a tablet, a smartphone, etc. The actual connection triggers the authentication flow shown above.
Authenticator – this is the device that facilitates the authentication flow, and is usually a managed switch capable of forwarding the requests.
Authentication server – represented by the RBAC server, this device is the auditor of the device connected to the LAN. Based on specific roles predefined by the administrator of the system through the graphical interface, the server will allow or deny access to the specific LAN resources. Additionally, our server is configured so that if a device fails the authentication, it is moved to the quarantine VLAN rather than simply being denied access to every resource.
The configuration of the Authenticator is done at the switch port level. Every switch port needs to be configured individually so that the authentication can be forwarded to the correct RBAC server.
The following is a basic configuration of one of the switch ports (Juniper equipment, port 1/0/27), which assigns a successfully authenticated user to the VLAN “vlan_10” and, if the authentication fails, switches the user to the VLAN “vlan_15”.
set interfaces ge-1/0/27 unit 0 family ethernet-switching port-mode access
set interfaces ge-1/0/27 unit 0 family ethernet-switching vlan members vlan_10
set protocols dot1x authenticator interface ge-1/0/27.0 supplicant multiple
set protocols dot1x authenticator interface ge-1/0/27.0 transmit-period 5
set protocols dot1x authenticator interface ge-1/0/27.0 supplicant-timeout 45
set protocols dot1x authenticator interface ge-1/0/27.0 maximum-requests 2
set protocols dot1x authenticator interface ge-1/0/27.0 guest-vlan vlan_15
set protocols dot1x authenticator interface ge-1/0/27.0 server-reject-vlan vlan_15
set protocols dot1x authenticator interface ge-1/0/27.0 server-fail vlan-name vlan_15
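To make the behaviour of the port configuration above explicit, here is an added Python model (not the paper’s or Juniper’s code) that parses the set commands and reports which VLAN a device lands in for each 802.1X outcome. The outcome mapping is this example’s reading of the guest-vlan, server-reject-vlan and server-fail knobs, and the lint checks are assumptions about what a defender would want to verify on every authenticator port.

```python
"""Model of the 802.1X port configuration from section 4.4.2.

Parses the paper's set commands into a port description, then reports the
VLAN a connecting device ends up in for each authentication outcome.
The outcome table is this example's reading of the guest-vlan,
server-reject-vlan and server-fail knobs; the lint checks are assumptions.
"""

# The nine set commands from the paper, embedded here as the sample input.
PORT_CONFIG = """\
set interfaces ge-1/0/27 unit 0 family ethernet-switching port-mode access
set interfaces ge-1/0/27 unit 0 family ethernet-switching vlan members vlan_10
set protocols dot1x authenticator interface ge-1/0/27.0 supplicant multiple
set protocols dot1x authenticator interface ge-1/0/27.0 transmit-period 5
set protocols dot1x authenticator interface ge-1/0/27.0 supplicant-timeout 45
set protocols dot1x authenticator interface ge-1/0/27.0 maximum-requests 2
set protocols dot1x authenticator interface ge-1/0/27.0 guest-vlan vlan_15
set protocols dot1x authenticator interface ge-1/0/27.0 server-reject-vlan vlan_15
set protocols dot1x authenticator interface ge-1/0/27.0 server-fail vlan-name vlan_15
"""

OUTCOMES = ("accept", "reject", "server-fail", "no-supplicant")


def parse_port(config):
    """Return {'interface', 'port_mode', 'static_vlan', 'dot1x': {knob: value}}."""
    port = {"dot1x": {}}
    for line in config.splitlines():
        toks = line.split()
        if len(toks) < 3 or toks[0] != "set":
            continue                                   # blank line or not a set command
        if toks[1] == "interfaces":
            port["interface"] = toks[2]
            if "port-mode" in toks:
                port["port_mode"] = toks[toks.index("port-mode") + 1]
            elif "members" in toks:
                port["static_vlan"] = toks[toks.index("members") + 1]
        elif toks[1:5] == ["protocols", "dot1x", "authenticator", "interface"]:
            knob, args = toks[6], toks[7:]             # ... interface <ifl> <knob> [args]
            if knob == "server-fail":
                # 'server-fail vlan-name <vlan>' or 'server-fail deny|permit|use-cache'
                port["dot1x"][knob] = args[1] if args[0] == "vlan-name" else args[0]
            else:
                value = args[0] if args else True
                port["dot1x"][knob] = int(value) if isinstance(value, str) and value.isdigit() else value
    return port


def assigned_vlan(port, outcome, radius_vlan=None):
    """VLAN the supplicant lands in, or None when the port stays blocked.

    accept        RADIUS Access-Accept; radius_vlan is a VLAN returned by the server
    reject        RADIUS Access-Reject (credentials or role not accepted)
    server-fail   no reachable RADIUS server
    no-supplicant no EAPOL reply after the retries (device has no 802.1X client)
    """
    d = port["dot1x"]
    if outcome == "accept":
        return radius_vlan or port.get("static_vlan")
    if outcome == "reject":
        return d.get("server-reject-vlan")
    if outcome == "server-fail":
        action = d.get("server-fail", "deny")         # assumed default: deny
        if action == "permit":
            return port.get("static_vlan")
        # use-cache only helps previously authenticated supplicants; a new device stays blocked
        return None if action in ("deny", "use-cache") else action
    if outcome == "no-supplicant":
        return d.get("guest-vlan")
    raise ValueError(f"unknown outcome {outcome!r}")


def lint_port(port):
    """Defensive checks on the failure paths; returns a list of findings (empty = ok)."""
    findings = []
    d, static = port["dot1x"], port.get("static_vlan")
    for knob in ("guest-vlan", "server-reject-vlan", "server-fail"):
        if knob not in d:
            findings.append(f"{knob} not configured: that failure path is left to the default")
        elif d[knob] == static:
            findings.append(f"{knob} is the access VLAN {static}: a failed audit gets the same network as a passed one")
    if d.get("server-fail") == "permit":
        findings.append("server-fail permit: a RADIUS outage grants the access VLAN without any audit")
    return findings


if __name__ == "__main__":
    port = parse_port(PORT_CONFIG)
    for outcome in OUTCOMES:
        print(f"{outcome:14} -> {assigned_vlan(port, outcome)}")
    print("lint:", lint_port(port) or "ok")
```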
Using RBAC to Manage External Users
RBAC is the technology enabling the company’s electronic business initiative. The RBAC software will grant or deny users access to data and applications as the users’ roles dictate.
In essence, the system is the platform to which data and applications will be linked. Users will interact with the clients over the Internet. Users will be assigned roles that will permit them to enter restricted information, examine reports, and sell products instantly to customers. The goal is to allow users to maintain, access, determine, and interact with client information and details electronically. The estimates made indicate that the ability to instantly register and sell products to prospective clients will increase the number of new clients annually.
The company could have opted for an alternative access control system, but it would have been more costly: a non-RBAC solution would have entailed a larger programming component, which would have increased setup, customization and maintenance costs. The system would also have been more costly to operate and less secure for several reasons related to systems administration and maintenance, such as user directory maintenance and user account maintenance (i.e., no delegated administration).
Simplifying Administration and Maintenance
The company will use RBAC’s delegated administration capability to establish an administrator at each office who will be in charge of performing the basic systems administration and role maintenance for that office. It will take the company less than 1 hour per office to establish administrators and set up the basic structure. Delegated administration of the company’s users is expected to decrease the systems administrator’s workload by approximately 1 to 2 full-time employees annually, in comparison to using an alternative access control system.
Delegated administration does not push costs further down the supply chain or later in time; they are translated into reduced costs for those organizations to which account administration has been delegated. For example, the cost of having the office manager at a local front office assign a role to a new user may be outweighed by the benefit of that user having his or her permissions quickly. If the office manager does not have to arrange account setup and administration with the company, he or she avoids the labor and lag-time expenses. The agent is also able to resume his or her regular duties.
User and client information is transmitted to the company securely, reducing the company’s administrative and data entry burden as well as the amount of paper moving among its departments. For example, if the company currently employs 50 people tasked solely with maintaining the communication and data entry associated with managing relationships with users in the mailroom, call center, support and data entry departments, it is estimated that the new initiative would free up about 20% of their time.
In many enterprises, in industry and civilian government, the end users do not “own” the information for which they are allowed access to read or modify. For these enterprises, the company is the actual “owner” of system objects, and unrestricted access control may not be appropriate.
Role-Based Access Control (RBAC) is a restricted access control mechanism which allows and promotes the central administration of an organization-specific security policy. Access control decisions are based on the roles individual users take on as part of an organization.
A role specifies a set of actions that a user or set of users can perform within the context of an organization. RBAC provides an instrument for naming and describing the relationships between users and rights, providing a method of meeting the security service needs of many enterprises around the world.
This paper proposed the use of access control rules for an RBAC security system that can serve as a basis for a common security service consisting of access controls based on user roles.
Annex 1 – OSI Model
Each layer is listed with its protocol data unit (PDU), its function and example protocols.
Host layers:
7. Application – PDU: Data – Function: High-level APIs, including resource sharing, remote file access, directory services and virtual terminals – Examples: Dot Net, Ftp, Library, SMTP web API, SSH.NET, SNMP, HTML Class, HTTP API server
6. Presentation – PDU: Data – Function: Translation of data between a networking service and an application, including character encoding, data compression and encryption/decryption – Examples: CSS, GIF, HTML, XML, JSON, S/MIME
5. Session – PDU: Data – Function: Managing communication sessions, i.e. continuous exchange of information in the form of multiple back-and-forth transmissions between two nodes – Examples: RPC, SCP, NFS, PAP, TLS, FTP, HTTP, HTTPS, SMTP, SSH, Telnet
4. Transport – PDU: TCP/UDP – Function: Reliable transmission of data segments between points on a network, including segmentation, acknowledgement and multiplexing – Examples: NBF, TCP, UDP
Media layers:
3. Network – PDU: Packet – Function: Structuring and managing a multi-node network, including addressing, routing and traffic control – Examples: ICMP, IPsec, IPv4, IPv6
2. Data link – PDU: Frame – Function: Reliable transmission of data frames between two nodes connected by a physical layer – Examples: IEEE 802.2, L2TP, LLDP, MAC, MPLS
1. Physical – PDU: Bit – Function: Transmission and reception of raw bit streams over a physical medium – Examples: DOCSIS, DSL, Ethernet physical layer, ISDN, RS-232