OSI Security Architecture - Part 2#
Unit I: Introduction to Cyber Security & Cryptography#
Lecture 6: Upper Layers Security (5-7)#
Course: Cyber Security (4353204) | Semester V | Diploma ICT | Author: Milav Dabgar
layout: default#
Recap: Lower Layers (1-4) Security#
Course: Cyber Security (4353204) | Unit I | Lecture 6 | Author: Milav Dabgar
layout: default#
Layer 5: Session Layer Security#
๐ฌ Session Layer Overview#
๐ฏ Core Functions#
- Session establishment and termination
- Dialog control (duplex management)
- Session checkpointing and recovery
- Session synchronization
- Token management for exclusive access
๐ง Key Responsibilities#
- Manage conversations between applications
- Coordinate data exchange
- Handle session failures and recovery
- Provide synchronization points
๐ Session Types#
- Simplex - One-way communication
- Half-duplex - Two-way, alternating
- Full-duplex - Simultaneous two-way
๐จ Session Layer Threats#
๐ญ Session Management Attacks#
- Session hijacking - Taking over active sessions
- Session fixation - Forcing known session IDs
- Session replay - Reusing captured sessions
- Cross-site request forgery (CSRF)
- Session timeout exploitation
๐ Authentication Bypass#
- Session token prediction
- Weak session management
- Concurrent session abuse
- Session state manipulation
๐ Session Information Disclosure#
- Session ID leakage in URLs
- Unencrypted session data
- Session storage vulnerabilities
- Cross-domain session sharing
Course: Cyber Security (4353204) | Unit I | Lecture 6 | Author: Milav Dabgar
layout: default#
Session Layer: Security Implementation#
๐ Session Security Best Practices#
๐ฏ Secure Session Management#
- Strong session ID generation
- Session expiration policies
- Secure session storage
- Session invalidation on logout
- Concurrent session control
๐ Session Token Security#
import secrets
import hashlib
import time
def generate_secure_session_id():
# Cryptographically secure random generation
random_part = secrets.token_hex(16)
timestamp = str(int(time.time()))
user_info = get_user_context()
# Combine with server secret
session_data = f"{random_part}:{timestamp}:{user_info}"
session_id = hashlib.sha256(session_data.encode()).hexdigest()
return session_id
โฐ Session Lifecycle Management#
- Creation with strong entropy
- Validation on each request
- Renewal for long sessions
- Destruction on logout/timeout
๐ก๏ธ Session Protection Mechanisms#
๐ง Technical Controls#
- HTTPS-only session cookies
- HttpOnly flag prevents XSS access
- Secure flag for encrypted transmission
- SameSite attribute for CSRF protection
- Session binding to IP/User-Agent
๐ Session Monitoring#
// Session anomaly detection
class SessionMonitor {
detectAnomalies(sessionData) {
const anomalies = [];
// IP address changes
if (sessionData.currentIP !== sessionData.originalIP) {
anomalies.push('IP_CHANGE');
}
// Unusual access patterns
if (sessionData.requestRate > THRESHOLD) {
anomalies.push('HIGH_RATE');
}
// Concurrent sessions
if (sessionData.concurrentSessions > MAX_SESSIONS) {
anomalies.push('TOO_MANY_SESSIONS');
}
return anomalies;
}
}
Course: Cyber Security (4353204) | Unit I | Lecture 6 | Author: Milav Dabgar
layout: default#
Layer 6: Presentation Layer Security#
๐จ Presentation Layer Overview#
๐ฏ Core Functions#
- Data format translation
- Encryption and decryption
- Data compression
- Character encoding conversion
- Data structure formatting
๐ Data Transformations#
- ASCII/Unicode encoding
- Image/Video format conversion
- Compression algorithms (ZIP, GZIP)
- Serialization (JSON, XML, Binary)
- Protocol buffer encoding
๐ Security Services#
- Symmetric encryption (AES, 3DES)
- Asymmetric encryption (RSA, ECC)
- Digital signatures
- Certificate management
- Key exchange protocols
โ ๏ธ Presentation Layer Threats#
๐ Encryption Weaknesses#
- Weak cryptographic algorithms
- Poor key management
- Implementation vulnerabilities
- Side-channel attacks
- Cryptographic oracle attacks
๐ Data Format Attacks#
- XML injection attacks
- JSON parsing vulnerabilities
- Serialization attacks
- Buffer overflow in parsers
- Zip bomb attacks
๐ญ Protocol Manipulation#
- SSL stripping attacks
- Downgrade attacks
- Certificate spoofing
- Man-in-the-middle TLS
- Compression attacks (CRIME, BREACH)
Course: Cyber Security (4353204) | Unit I | Lecture 6 | Author: Milav Dabgar
layout: default#
Presentation Layer: TLS/SSL Security#
๐ TLS Handshake Process#
sequenceDiagram
participant C as Client
participant S as Server
C->>S: ClientHello (versions, ciphers, random)
S->>C: ServerHello (chosen cipher, random)
S->>C: Certificate (server cert)
S->>C: ServerHelloDone
C->>S: ClientKeyExchange (pre-master secret)
C->>S: ChangeCipherSpec
C->>S: Finished (encrypted)
S->>C: ChangeCipherSpec
S->>C: Finished (encrypted)
Note over C,S: Secure Communication
๐ Security Features#
- Server authentication via certificates
- Data encryption with symmetric keys
- Data integrity with MAC
- Perfect forward secrecy
๐ก๏ธ TLS Security Best Practices#
๐ Cipher Suite Selection#
Recommended Ciphers:
- TLS_AES_256_GCM_SHA384 (TLS 1.3)
- TLS_CHACHA20_POLY1305_SHA256 (TLS 1.3)
- TLS_AES_128_GCM_SHA256 (TLS 1.3)
- ECDHE-RSA-AES256-GCM-SHA384 (TLS 1.2)
- ECDHE-RSA-CHACHA20-POLY1305 (TLS 1.2)
Avoid:
- RC4 (broken)
- 3DES (weak)
- MD5 (collision attacks)
- Export ciphers (weak)
๐ง Implementation Security#
- Strong certificate validation
- Certificate pinning for mobile apps
- HSTS (HTTP Strict Transport Security)
- OCSP stapling for revocation
- Regular certificate rotation
๐จ Common TLS Vulnerabilities#
- POODLE - SSL 3.0 padding oracle
- BEAST - CBC cipher vulnerability
- HEARTBLEED - OpenSSL buffer overflow
- FREAK - Export cipher downgrade
Course: Cyber Security (4353204) | Unit I | Lecture 6 | Author: Milav Dabgar
layout: default#
Layer 7: Application Layer Security#
๐ Application Layer Overview#
๐ฏ Core Functions#
- User interface to network services
- Application protocols (HTTP, SMTP, FTP)
- Data presentation to users
- Network service access
- Application-specific logic
๐ Common Protocols#
- HTTP/HTTPS - Web browsing
- SMTP/POP/IMAP - Email services
- FTP/SFTP - File transfer
- DNS - Name resolution
- DHCP - IP configuration
- SNMP - Network management
๐ง Application Types#
- Web applications
- Email clients
- File transfer tools
- Remote access applications
- Network management tools
๐จ Application Layer Threats#
๐ Web Application Attacks#
- SQL injection - Database manipulation
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Remote code execution (RCE)
- File inclusion vulnerabilities
๐ง Email-Based Attacks#
- Phishing and spear phishing
- Email spoofing
- Malware attachments
- Business email compromise (BEC)
- Email bombing
๐ Protocol-Specific Attacks#
- HTTP response splitting
- DNS poisoning
- FTP bounce attacks
- SMTP relay abuse
- SNMP community string attacks
Course: Cyber Security (4353204) | Unit I | Lecture 6 | Author: Milav Dabgar
layout: default#
Application Layer: OWASP Top 10 Security Risks#
๐ OWASP Top 10 (2021)#
1. A01: Broken Access Control#
- Vertical privilege escalation
- Horizontal privilege escalation
- Missing access controls
- CORS misconfigurations
2. A02: Cryptographic Failures#
- Weak encryption algorithms
- Poor key management
- Unencrypted sensitive data
- Weak random number generation
3. A03: Injection#
- SQL injection
- NoSQL injection
- LDAP injection
- Command injection
4. A04: Insecure Design#
- Threat modeling gaps
- Secure design principles ignored
- Missing security controls
5. A05: Security Misconfiguration#
- Default credentials unchanged
- Unnecessary features enabled
- Missing security headers
- Verbose error messages
6. A06: Vulnerable Components#
- Outdated libraries
- Known vulnerabilities
- Unsupported components
7. A07: Authentication Failures#
- Weak password policies
- Session management flaws
- Brute force vulnerabilities
8. A08: Software Integrity Failures#
- Untrusted sources
- Missing integrity checks
- Supply chain attacks
9. A09: Logging/Monitoring Failures#
10. A10: Server-Side Request Forgery#
Course: Cyber Security (4353204) | Unit I | Lecture 6 | Author: Milav Dabgar
layout: default#
Application Security: Input Validation#
๐ Input Validation Principles#
๐ฏ Validation Strategies#
- Allow-list (whitelist) approach
- Input sanitization
- Length restrictions
- Type validation
- Format validation
- Boundary checking
๐ Common Input Sources#
- User forms and fields
- URL parameters
- HTTP headers
- Cookies
- File uploads
- API requests
โ Validation Best Practices#
- Server-side validation (never trust client)
- Early validation at entry points
- Consistent validation across application
- Error handling without information leakage
๐ก๏ธ SQL Injection Prevention#
โ Vulnerable Code#
// DON'T DO THIS - SQL Injection vulnerable
$username = $_POST['username'];
$password = $_POST['password'];
$query = "SELECT * FROM users WHERE username = '$username'
AND password = '$password'";
$result = mysql_query($query);
// Attacker input: username = admin' --
// Result: SELECT * FROM users WHERE username = 'admin' --
โ Secure Implementation#
// Secure approach using prepared statements
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = ?
AND password = ?");
$stmt->execute([$username, $hashed_password]);
$result = $stmt->fetch();
// Additional validation
function validateInput($input, $type) {
switch($type) {
case 'username':
return preg_match('/^[a-zA-Z0-9_]{3,20}$/', $input);
case 'email':
return filter_var($input, FILTER_VALIDATE_EMAIL);
}
}
Course: Cyber Security (4353204) | Unit I | Lecture 6 | Author: Milav Dabgar
layout: default#
Cross-Site Scripting (XSS) Prevention#
๐ญ Types of XSS Attacks#
1. Reflected XSS#
- User input reflected in response
- Immediate execution
- Social engineering required
- URL-based attacks
2. Stored XSS#
- Malicious script stored on server
- Persistent across sessions
- Affects multiple users
- Most dangerous type
3. DOM-based XSS#
- Client-side code vulnerability
- JavaScript manipulation
- No server involvement
- Difficult to detect
๐ก๏ธ XSS Prevention Techniques#
๐ Output Encoding#
// HTML Entity Encoding
function htmlEncode(str) {
return str.replace(/[&<>"']/g, function(match) {
return {
'&': '&',
'<': '<',
'>': '>',
'"': '"',
"'": '''
}[match];
});
}
// Safe DOM manipulation
const safeDiv = document.createElement('div');
safeDiv.textContent = userInput; // Safe - no HTML parsing
document.body.appendChild(safeDiv);
๐ง Security Headers#
Content-Security-Policy: default-src 'self';
script-src 'self' 'unsafe-inline'
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
๐ Input Validation#
- Allow-list of safe characters
- Length restrictions
- Context-aware encoding
- Regular expression validation
Course: Cyber Security (4353204) | Unit I | Lecture 6 | Author: Milav Dabgar
layout: default#
Secure Application Architecture#
๐๏ธ Security Architecture Patterns#
๐ก๏ธ Defense in Depth#
graph TB
A[Web Application Firewall] --> B[Load Balancer]
B --> C[Web Server]
C --> D[Application Server]
D --> E[Database Server]
F[Network Firewall] --> A
G[DDoS Protection] --> F
style A fill:#e3f2fd
style C fill:#f3e5f5
style D fill:#e8f5e8
style E fill:#fff3e0
๐ Zero Trust Model#
- Never trust, always verify
- Least privilege access
- Microsegmentation
- Continuous monitoring
- Context-aware access
๐ Secure Development Lifecycle#
- Security requirements gathering
- Threat modeling
- Secure coding practices
- Security testing
- Deployment security
๐ง Application Security Controls#
๐ฏ Preventive Controls#
- Input validation
- Output encoding
- Authentication mechanisms
- Authorization systems
- Secure communications (HTTPS)
๐ Detective Controls#
- Application monitoring
- Log analysis
- Intrusion detection
- Vulnerability scanning
- Security information correlation
๐จ Corrective Controls#
- Incident response procedures
- Backup and recovery
- Patch management
- Configuration management
- Emergency procedures
๐ Security Metrics#
- Vulnerability density
- Time to patch
- Authentication success rates
- Security incident frequency
- User security awareness
Course: Cyber Security (4353204) | Unit I | Lecture 6 | Author: Milav Dabgar
layout: default#
OSI Security Integration#
๐ End-to-End Security#
๐ Multi-Layer Protection Matrix#
| Layer | Security Focus | Key Protocols | Main Threats |
|---|---|---|---|
| 7 - Application | Input validation, authentication | HTTP/S, SMTP | Injection, XSS |
| 6 - Presentation | Encryption, data formats | TLS, SSL | Weak crypto, parsing |
| 5 - Session | Session management | NetBIOS, RPC | Session hijacking |
| 4 - Transport | Reliable delivery | TCP, UDP | SYN floods, hijacking |
| 3 - Network | Routing, addressing | IP, IPSec | Spoofing, routing |
| 2 - Data Link | Local delivery | Ethernet, Wi-Fi | MAC flooding, wireless |
| 1 - Physical | Signal transmission | Fiber, copper | Tapping, physical access |
๐ฏ Security Integration Principles#
- Complementary controls at each layer
- Consistent security policies
- Coordinated incident response
- Unified monitoring and management
๐ก๏ธ Comprehensive Security Strategy#
๐ Security Architecture Checklist#
- Physical security perimeter
- Network segmentation and firewalls
- Secure protocols (TLS, IPSec)
- Strong authentication and authorization
- Input validation and output encoding
- Security monitoring and logging
- Incident response procedures
- Regular security assessments
๐ Continuous Security Process#
graph LR
A[Plan] --> B[Implement]
B --> C[Monitor]
C --> D[Assess]
D --> E[Improve]
E --> A
style A fill:#e3f2fd
style B fill:#f3e5f5
style C fill:#e8f5e8
style D fill:#fff3e0
style E fill:#fce4ec
๐ก Success Factors#
- Executive support
- Security awareness training
- Regular updates and patches
- Third-party risk management
- Compliance monitoring
Course: Cyber Security (4353204) | Unit I | Lecture 6 | Author: Milav Dabgar
layout: default#
Practical Exercise: Complete OSI Security Design#
๐ฏ Group Activity (25 minutes)#
Scenario: E-Commerce Platform Security Design#
Your team must design comprehensive security for an e-commerce platform with:
- Customer web interface (online shopping)
- Mobile applications (iOS/Android)
- Payment processing system
- Admin dashboard for management
- API interfaces for partners
- Database servers with customer/product data
Task: Design Security for All 7 OSI Layers#
Create a security architecture covering:
Upper Layers (Today’s Focus):
- Layer 7 (Application): Web app security, API security, input validation
- Layer 6 (Presentation): TLS implementation, data encryption, certificate management
- Layer 5 (Session): Session management, authentication, user state
Lower Layers (Previous Lecture):
- Layer 4 (Transport): TCP/UDP security, port management
- Layer 3 (Network): Network segmentation, firewall rules
- Layer 2 (Data Link): Switch security, VLAN implementation
- Layer 1 (Physical): Facility security, cable protection
Deliverables:
- Security control for each layer
- Integration strategy between layers
- Monitoring approach for each layer
- Incident response plan
Course: Cyber Security (4353204) | Unit I | Lecture 6 | Author: Milav Dabgar
layout: default#
Common OSI Security Mistakes#
โ Frequent Errors#
Layer-Specific Mistakes#
- Physical: Ignoring environmental security
- Data Link: Default VLAN configurations
- Network: Overly permissive firewall rules
- Transport: Ignoring UDP security
- Session: Weak session management
- Presentation: Weak encryption implementation
- Application: Insufficient input validation
Integration Problems#
- Security gaps between layers
- Inconsistent policies across layers
- Poor monitoring coordination
- Inadequate incident response integration
โ Best Practices#
Design Principles#
- Start with physical security foundation
- Build security into each layer
- Implement defense in depth
- Regular security assessments
- Staff training on all layers
Implementation Guidelines#
- Document security architecture
- Test security controls regularly
- Monitor all layers continuously
- Update security controls as needed
- Integrate with business processes
Success Metrics#
- Reduced security incidents
- Faster incident detection
- Improved compliance
- Lower security costs
- Better user experience
Course: Cyber Security (4353204) | Unit I | Lecture 6 | Author: Milav Dabgar
layout: default#
Next Lecture Preview#
๐ Lecture 7: Introduction to Cryptography#
๐ฏ Focus Topics:#
- Cryptography fundamentals
- Symmetric encryption algorithms
- Asymmetric encryption systems
- Key management principles
- Digital signatures and certificates
- Cryptographic applications
๐ Preparation Tasks:#
- Review mathematical basics (modular arithmetic)
- Research historical encryption methods
- Think about data protection needs
- Consider key distribution challenges
๐ Key Takeaways Today#
OSI Upper Layers Security#
- Session layer manages communication state
- Presentation layer handles encryption and data formats
- Application layer faces the most diverse threats
- Integration across all layers is essential
Critical Security Concepts#
- Defense in depth applies to network architecture
- Each layer has unique security responsibilities
- Application security requires comprehensive approach
- End-to-end security needs all layers working together
Course: Cyber Security (4353204) | Unit I | Lecture 6 | Author: Milav Dabgar
layout: center class: text-center#
Questions & Discussion#
๐ค Discussion Points:#
- Which upper layer presents the biggest security challenges?
- How do you balance security with application performance?
- What are the most critical application security controls?
๐ก Exercise Review#
Share your comprehensive OSI security designs
Course: Cyber Security (4353204) | Unit I | Lecture 6 | Author: Milav Dabgar
layout: center class: text-center#
Thank You!#
Next Lecture: Introduction to Cryptography#
The Foundation of Modern Security#
Cyber Security (4353204) - Lecture 6 Complete
From physical to application - security at every layer! ๐๏ธ๐
Course: Cyber Security (4353204) | Unit I | Lecture 6 | Author: Milav Dabgar