
7 Layer OSI Model

By Joshua Erdman
Digital Foundation, inc.

The 7 Layer OSI model is an extremely detailed diagram describing the organization of data
and the addressing schemes involved; it was originally used to explain the logistics of
creating network protocols (such as TCP/IP, IPX, etc). It is now used as a standard for network
addressing, data analysis, and describing network hardware capabilities (e.g. a layer 3
switch).

CLUE: You can think of the 7-layer OSI model as a diagram for mail delivery from the
Postal Service. This diagram is created with extreme, almost ridiculous detail:

EXAMPLE: Count the layers for you to receive a letter via postal mail. The letter itself is
the Data that is being sent (layer 6). The letter is then addressed to the person (you - layer
5), then the street and address is listed (layer 4), then the city (layer 3), zip code (layer 2),
country (layer 1). When the letter arrives in the correct country, the country layer is no
longer needed. The letter is then sent to the sorting area that will get it shipped to the
correct state, zip, and city. When the post office of that city receives the letter, it will then
be sorted again to the correct postal employee who delivers the mail to the correct street.
When your house receives the letter, it is your name on it that communicates that the
letter is intended for you. You open the envelope (stripping away all the lower layers)
because you really only care about the data (at the highest layer). This is very similar to
how data is sent via a network.

The 7 Layers
To perform network basics (port forwarding, NAT, packet filtering firewalls, etc) it is
important to have a good understanding of the first 3 network layers. As a network
administrator, it is at these layers that the equipment you deal with operates.

1. Physical
2. Link (Data Link)
3. Network
4. Transport
5. Session
6. Presentation
7. Application

The Physical Layer

The physical layer is the physical connections, including the cables, network cards, and
devices that make up the network. Read our article on Network Wiring to learn about
running network wire and terminating each connection.
Data Link Layer

This layer is where the network packets are translated into raw bits (00110101) to be
transmitted on the physical layer. This layer also uses the most basic addressing
scheme, MAC addresses. For more information on MAC addresses, you can read the
MAC address article. This is also the layer that separates a switch from a hub. We have an
article that compares the two.

Since the main purpose of a MAC address is to provide a unique identifier for each host,
it does not provide any means for routing or organizing the hosts that participate on a
network. If we only had MAC addresses and no IP addresses, all routers and switches
would have to memorize ALL addresses available and the routes needed to get to the
destination. This would make the Internet extremely SLOW and all network devices
unbearably expensive because of the massive amounts of memory needed to hold the
routing tables. Not to mention that when you added a new PC to the Internet, it would
take a considerable amount of time for your MAC address and the path to your PC to
propagate throughout the Internet.

This means that there is a need for another layer of addressing to group machines
together. The third layer is the Network Layer.

Network Layer

The network layer is responsible for logical addressing. It allows for grouping computers
together unlike the MAC address where there may be no similarity from one MAC
address to another.

Clue: Think of a MAC address like a person's driver's license number; it is just a number
that is unique from anyone else's. Now think of an IP address like a person's mailing
address. The mailing address groups people into zones by using the zip code, city, state,
and street identifiers.

Now let's see how these layers work together:

Layers 1 - 3 Summary

When a network card receives a stream of bits over the network, it receives the data from
the wires (the first layer); then the second layer is responsible for making sense of these
seemingly random 1s and 0s. The second layer first checks the destination MAC address in the
packet to make sure the data was intended for this computer. If the destination MAC
address matches the MAC address of the network card, the packet is then passed up to the
computer's operating system, which handles the rest of the layers (3 - 7).
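The following Python sketch is an added example, not code from Joshua Erdman's article: it builds a constructed Ethernet frame carrying an IPv4/TCP segment and then strips the layers in the order just described. The network card's MAC address (OUR_MAC), the IP addresses and the ports are made-up sample values; the header layouts follow Ethernet II, IPv4 (RFC 791) and TCP. It goes one step beyond the text by verifying the IPv4 header checksum before the addresses are trusted, which is the error handling a layer 3 implementation does.

```python
import struct

# Constructed sample: the MAC address of "our" network card (not a real device).
OUR_MAC = bytes.fromhex("0a1b2c3d4e5f")
BROADCAST_MAC = b"\xff" * 6
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 791 header checksum)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(dst_mac, src_mac, src_ip, dst_ip, src_port, dst_port, payload):
    """Encapsulate payload -> TCP -> IPv4 -> Ethernet, like a letter in its envelopes."""
    # Minimal 20-byte TCP header: ports, seq, ack, data offset 5, flags PSH|ACK, window, checksum 0, urgent 0.
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    total_len = 20 + len(tcp)
    ip_wo_csum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, IPPROTO_TCP, 0,
                             bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    ip = ip_wo_csum[:10] + struct.pack("!H", ipv4_checksum(ip_wo_csum)) + ip_wo_csum[12:]
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp


def receive_frame(frame: bytes, our_mac: bytes = OUR_MAC) -> dict:
    """Strip the layers in order and report what each layer decided."""
    # Layer 2: is the destination MAC ours (or broadcast)? Otherwise the card drops the frame.
    dst_mac, src_mac, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if dst_mac not in (our_mac, BROADCAST_MAC):
        return {"accepted": False, "reason": "destination MAC is not ours"}
    if ethertype != ETHERTYPE_IPV4:
        return {"accepted": False, "reason": "unsupported EtherType 0x%04x" % ethertype}
    # Layer 3: IPv4 header; check version, length and checksum before trusting the addresses.
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        return {"accepted": False, "reason": "malformed IPv4 header"}
    if ipv4_checksum(ip[:ihl]) != 0:  # a valid header sums to zero including its checksum field
        return {"accepted": False, "reason": "IPv4 header checksum mismatch"}
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    src_ip = ".".join(map(str, ip[12:16]))
    dst_ip = ".".join(map(str, ip[16:20]))
    # Layer 4: the TCP ports say which service (which "door") the data is meant for.
    if proto != IPPROTO_TCP:
        return {"accepted": False, "reason": "non-TCP protocol %d" % proto}
    tcp = ip[ihl:total_len]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    return {"accepted": True, "src_mac": src_mac.hex(":"), "src_ip": src_ip, "dst_ip": dst_ip,
            "src_port": src_port, "dst_port": dst_port, "payload": tcp[data_offset:]}


if __name__ == "__main__":
    frame = build_frame(OUR_MAC, bytes.fromhex("aabbccddeeff"), "192.168.0.3", "192.168.0.10",
                        51000, 443, b"GET / HTTP/1.1\r\n")
    print(receive_frame(frame))
```

Each return path corresponds to a layer dropping the data: a frame for someone else's MAC never reaches the IP code, and a corrupted IP header never reaches the port check.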
TCP/IP
By Joshua Erdman
Digital Foundation, inc.

TCP/IP is a network protocol (other network protocols include NetBEUI, IPX/SPX, and
AppleTalk). To understand network protocols in general, I highly recommend our article
on the 7-layer OSI reference Model.

TCP/IP Background
In the 90's, before the Internet was extremely popular, networking protocols varied.
Typically the computers and operating systems that were in the majority determined the
protocol that was used. An office with Macs would use AppleTalk; an office with a
Netware server would run IPX/SPX. Now that the Internet plays a HUGE role in
almost all forms of business, the main protocol used today is TCP/IP.

TCP/IP Basics
Addressing

An IP address is made up of 4 numbers ranging from 0 - 255, each number being
separated by a period (ex. 192.168.0.3). For a computer to participate on a TCP/IP
network, it must be assigned an IP address unique from all other computers on its local
network.

For much more detailed information, please read our article on TCP/IP addressing.

TCP/IP Ports

The addressing scheme ensures that the data arrives at the intended destination, but it is
the TCP/IP ports that help define what service or purpose the traffic is for. For example,
e-mail (SMTP) is port 25, web browsing (HTTP) is port 80 and secure web browsing
(HTTPS) is port 443. Each network service uses its own port; many of these ports
are standard and assigned, and these assigned ports are in the range from port 1 to 1023.
Network services and programs without an official assignment (such as network games
and file swapping programs) use ports scattered throughout the rest of the port range
(1024 - 65,535).

Common Ports
The most common ports include:
• 20;21 - FTP
• 22 - SSH
• 23 - Telnet
• 25 - SMTP
• 80 - HTTP
• 110 - POP3
• 143 - IMAP
• 443 - HTTPS
• 1701 - L2TP (UDP) - not compatible with NAT
• 1723 - PPTP (TCP)
• 3389 - MS Remote Desktop/Terminal Services
• 5631 & 5632 - pcAnywhere

For a complete list of IP Ports, please refer to: TCP/IP Port Reference.

CLUE: To better understand ports, think of your house as being the computer. The
mailing address of your house is like your computer's IP address. The TCP/IP ports for
your computer are like the different ways your house is accessed, such as your front door
for people, and water and gas pipes and power lines for your utility services. Each of these
can be thought of as a port.
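The packet filtering firewalls mentioned at the start of the OSI article make their decisions on exactly the layer 3 and layer 4 fields described here: addresses and ports. The Python below is an added example, not part of the TCP/IP article: a first-match rule evaluator over constructed rules and constructed connection attempts, using the common port list above to name the service. The addresses (203.0.113.10, 192.168.0.0/24, 198.51.100.7) and the rule set are made up. port_class goes slightly beyond the page's two ranges by using IANA's three-way split (well-known 0-1023, registered 1024-49151, dynamic 49152-65535).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Service names for the common ports listed above (TCP unless noted on the page).
COMMON_PORTS = {20: "FTP", 21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP", 80: "HTTP",
                110: "POP3", 143: "IMAP", 443: "HTTPS", 1701: "L2TP", 1723: "PPTP",
                3389: "MS Remote Desktop", 5631: "pcAnywhere", 5632: "pcAnywhere"}


def port_class(port: int) -> str:
    """Classify a port by IANA range: well-known (assigned), registered, or dynamic/private."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    proto: str                # "tcp", "udp" or "any"
    src: str                  # source network in CIDR form
    dst: str                  # destination network in CIDR form
    dst_port: Optional[int]   # None means any destination port

    def matches(self, proto: str, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        return ((self.proto == "any" or self.proto == proto)
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and (self.dst_port is None or self.dst_port == dst_port))


# Constructed rule set for a hypothetical public web server at 203.0.113.10.
RULES = [
    Rule("allow", "tcp", "0.0.0.0/0", "203.0.113.10/32", 443),       # HTTPS from anywhere
    Rule("allow", "tcp", "192.168.0.0/24", "203.0.113.10/32", 22),   # SSH only from the office LAN
    Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0", None),             # explicit default deny
]


def filter_packet(rules, proto: str, src_ip: str, dst_ip: str, dst_port: int):
    """First matching rule wins; returns (action, rule index, service name)."""
    service = COMMON_PORTS.get(dst_port, "unassigned (%s)" % port_class(dst_port))
    for i, rule in enumerate(rules):
        if rule.matches(proto, src_ip, dst_ip, dst_port):
            return rule.action, i, service
    return "deny", -1, service   # no rule matched at all: fail closed


if __name__ == "__main__":
    for attempt in [("tcp", "198.51.100.7", "203.0.113.10", 443),
                    ("tcp", "198.51.100.7", "203.0.113.10", 22),
                    ("tcp", "192.168.0.3", "203.0.113.10", 22)]:
        print(attempt, "->", filter_packet(RULES, *attempt))
```

The order of the rules matters: because SSH from the Internet matches nothing before the final deny, it is blocked, while the same port from the office subnet is allowed by rule 1.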
Application
(Layer 7) This layer supports application and end-user processes. Communication partners are
identified, quality of service is identified, user authentication and privacy are considered, and any
constraints on data syntax are identified. Everything at this layer is application-specific. This layer
provides application services for file transfers, e-mail, and other network software services. Telnet
and FTP are applications that exist entirely in the application level. Tiered application architectures are
part of this layer.
Presentation
(Layer 6) This layer provides independence from differences in data representation (e.g.,
encryption) by translating from application to network format, and vice versa. The presentation layer
works to transform data into the form that the application layer can accept. This layer formats and
encrypts data to be sent across a network, providing freedom from compatibility problems. It is
sometimes called the syntax layer.
Session
(Layer 5) This layer establishes, manages and terminates connections between applications.
The session layer sets up, coordinates, and terminates conversations, exchanges, and dialogues
between the applications at each end. It deals with session and connection coordination.
Transport
(Layer 4) This layer provides transparent transfer of data between end systems, or hosts, and
is responsible for end-to-end error recovery and flow control. It ensures complete data transfer.
Network
(Layer 3) This layer provides switching and routing technologies, creating logical paths, known as
virtual circuits, for transmitting data from node to node. Routing and forwarding are functions of
this layer, as well as addressing, internetworking, error handling, congestion control and packet
sequencing.
Data Link
(Layer 2) At this layer, data packets are encoded and decoded into bits. It furnishes
transmission protocol knowledge and management and handles errors in the physical layer, flow
control and frame synchronization. The data link layer is divided into two sublayers: the Media
Access Control (MAC) layer and the Logical Link Control (LLC) layer. The MAC sublayer controls
how a computer on the network gains access to the data and permission to transmit it. The LLC
sublayer controls frame synchronization, flow control and error checking.
Physical
(Layer 1) This layer conveys the bit stream (electrical impulse, light or radio signal) through
the network at the electrical and mechanical level. It provides the hardware means of sending and
receiving data on a carrier, including defining cables, cards and physical aspects. Fast Ethernet,
RS232, and ATM are protocols with physical layer components.
VPN Tutorial
An introduction to VPN software, VPN hardware and protocols
By Bradley Mitchell, About.com

The Virtual Private Network - VPN - has attracted the attention of many organizations
looking to both expand their networking capabilities and reduce their costs.

VPNs can be found in workplaces and homes, where they allow employees to safely
log into company networks. Telecommuters and those who travel often find a VPN a
more convenient way to stay connected to the corporate intranet. No matter your current
involvement with VPNs, this is a good technology to know something about. This VPN
tutorial touches on many interesting aspects of network protocol design, Internet security,
network service outsourcing, and technology standards.

What Exactly Is A VPN?

A VPN supplies network connectivity over a possibly long physical distance. In this
respect, a VPN is a form of Wide Area Network (WAN).

The key feature of a VPN, however, is its ability to use public networks like the Internet
rather than rely on private leased lines. VPN technologies implement restricted-access
networks that utilize the same cabling and routers as a public network, and they do so
without sacrificing features or basic security.

A VPN supports at least three different modes of use:

• Remote access client connections
• LAN-to-LAN internetworking
• Controlled access within an intranet


VPN Pros and Cons

Like many commercialized network technologies, a significant amount of sales and
marketing hype surrounds VPN. In reality, VPNs provide just a few specific potential
advantages over more traditional forms of wide-area networking. These advantages can
be significant, but they do not come for free.

The potential problems with the VPN outnumber the advantages and are generally more
difficult to understand. The disadvantages do not necessarily outweigh the advantages,
however. From security and performance concerns, to coping with a wide range of
sometimes incompatible vendor products, the decision of whether or not to use a VPN
cannot be made without significant planning and preparation.


Technology Behind VPNs

Several network protocols have become popular as a result of VPN developments:

• PPTP
• L2TP
• IPsec
• SOCKS

These protocols emphasize authentication and encryption in VPNs. Authentication allows
VPN clients and servers to correctly establish the identity of people on the network.
Encryption allows potentially sensitive data to be hidden from the general public.

Many vendors have developed VPN hardware and/or software products. Unfortunately,
immature VPN standards mean that some of these products remain incompatible with
each other.


The Future of VPN

Virtual private networks have grown in popularity as businesses look to save money on remote
network access for employees. Many corporations have also adopted VPNs as a security
solution for private Wi-Fi wireless networks. Expect the gradual expansion in the
use of VPN technology to continue in the coming years.

What Is a VPN?
VPN Solutions and Key Features
A VPN supplies network connectivity over a possibly long physical distance. In this
respect, a VPN is a form of Wide Area Network (WAN). VPNs enable file sharing, video
conferencing and similar network services. Virtual private networks generally don't
provide any new functionality that isn't already offered through alternative mechanisms,
but a VPN implements those services more efficiently / cheaply in most cases.
A key feature of a VPN is its ability to work over both private networks as well as public
networks like the Internet. Using a method called tunneling, a VPN uses the same
hardware infrastructure as existing Internet or intranet links. VPN technologies include
various security mechanisms to protect the virtual, private connections.

Specifically, a VPN supports at least three different modes of use:

• Internet remote access client connections
• LAN-to-LAN internetworking
• Controlled access within an intranet

Internet VPNs for Remote Access

In recent years, many organizations have increased the mobility of their workers by
allowing more employees to telecommute. Employees also continue to travel and face a
growing need to stay connected to their company networks.

A VPN can be set up to support remote, protected access to the corporate home offices
over the Internet. An Internet VPN solution uses a client/server design that works as follows:

1. A remote host (client) wanting to log into the company network first connects
to any public Internet Service Provider (ISP).

2. Next, the host initiates a VPN connection to the company VPN server. This
connection is made via a VPN client installed on the remote host.

3. Once the connection has been established, the remote client can communicate
with the internal company systems over the Internet just as if it were a local host.
Before VPNs, remote workers accessed company networks over private leased lines or
through dialup remote access servers. While VPN clients and servers require careful
installation of hardware and software, an Internet VPN is a superior solution in many
situations.

VPNs for Internetworking

Besides using virtual private networks for remote access, a VPN can also bridge two
networks together. In this mode of operation, an entire remote network (rather than just a
single remote client) can join to a different company network to form an extended
intranet. This solution uses a VPN server to VPN server connection.

Intranet / Local Network VPNs

Internal networks may also utilize VPN technology to implement controlled access to
individual subnets within a private network. In this mode of operation, VPN clients
connect to a VPN server that acts as the network gateway.
This type of VPN use does not involve an Internet Service Provider (ISP) or public
network cabling. However, it allows the security benefits of VPN to be deployed inside
an organization. This approach has become especially popular as a way for businesses to
protect their WiFi local networks.

Question: What Are the Advantages and Benefits of a VPN?


A VPN - Virtual Private Network - is one solution to establishing long-distance and/or
secured network connections. VPNs are normally implemented (deployed) by businesses
or organizations rather than by individuals, but virtual networks can be reached from
inside a home network. Compared to other technologies, VPNs offer several advantages,
particularly benefits for wireless local area networking.

Answer: For an organization looking to provide a secured network infrastructure for its
client base, a VPN offers two main advantages over alternative technologies: cost
savings, and network scalability. To the clients accessing these networks, VPNs also
bring some benefits of ease of use.

Cost Savings with a VPN

A VPN can save an organization money in several situations:

• eliminating the need for expensive long-distance leased lines
• reducing long-distance telephone charges
• offloading support costs

VPNs vs leased lines - Organizations historically needed to rent network capacity such
as T1 lines to achieve full, secured connectivity between their office locations. With a
VPN, you use public network infrastructure including the Internet to make these
connections and tap into that virtual network through much cheaper local leased lines or
even just broadband connections to a nearby Internet Service Provider (ISP).

Long distance phone charges - A VPN also can replace remote access servers and long-
distance dialup network connections commonly used in the past by business travelers
needing access to their company intranet. For example, with an Internet VPN, clients
need only connect to the nearest service provider's access point, which is usually local.

Support costs - With VPNs, the cost of maintaining servers tends to be less than with other
approaches because organizations can outsource the needed support to professional
third-party service providers. These providers enjoy a much lower cost structure through
economy of scale by servicing many business clients.

VPN Network Scalability


The cost to an organization of building a dedicated private network may be reasonable at
first but increases exponentially as the organization grows. A company with two branch
offices, for example, can deploy just one dedicated line to connect the two locations, but
4 branch offices require 6 lines to directly connect them to each other, 6 branch offices
need 15 lines, and so on.

Internet based VPNs avoid this scalability problem by simply tapping into the public
lines and network capability readily available. Particularly for remote and international
locations, an Internet VPN offers superior reach and quality of service.

Using a VPN

To use a VPN, each client must possess the appropriate networking software or hardware
support on their local network and computers. When set up properly, VPN solutions are
easy to use and sometimes can be made to work automatically as part of network sign on.

VPN technology also works well with WiFi local area networking. Some organizations
use VPNs to secure wireless connections to their local access points when working inside
the office. These solutions provide strong protection without affecting performance
excessively.

Limitations of a VPN

Despite their popularity, VPNs are not perfect, and limitations exist as is true for any
technology. Organizations should consider issues like those below when deploying and
using virtual private networks in their operations:
1. VPNs require detailed understanding of network security issues and careful
installation / configuration to ensure sufficient protection on a public network like
the Internet.

2. The reliability and performance of an Internet-based VPN is not under an
organization's direct control. Instead, the solution relies on an ISP and their
quality of service.

3. Historically, VPN products and solutions from different vendors have not
always been compatible due to issues with VPN technology standards.
Attempting to mix and match equipment may cause technical problems, and using
equipment from one provider may not give as great a cost savings.
VPN Tunneling
Virtual Private Networks Tutorial
Virtual private network technology is based on the idea of tunneling. VPN tunneling
involves establishing and maintaining a logical network connection (that may contain
intermediate hops). On this connection, packets constructed in a specific VPN protocol
format are encapsulated within some other base or carrier protocol, then transmitted
between VPN client and server, and finally de-encapsulated on the receiving side.

For Internet-based VPNs, packets in one of several VPN protocols are encapsulated
within Internet Protocol (IP) packets. VPN protocols also support authentication and
encryption to keep the tunnels secure.
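The following Python is an added example, not code from Bradley Mitchell's tutorial or from any VPN product: it shows encapsulation and de-encapsulation as described above, with an authentication tag so the receiving side rejects a tunnel packet that was altered in transit. To avoid a full IP header, a simplified 10-byte carrier header (source, destination, payload length) stands in for the IP/GRE header a real protocol would use; the private and public addresses, the inner packet and the shared key are all constructed. Only authentication (HMAC-SHA256 from the standard library) is shown; encryption of the inner packet is the other half of what the text describes and is left out here.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # bytes of HMAC-SHA256 appended to every tunnel packet


def carrier_header(src: str, dst: str, payload_len: int) -> bytes:
    """Simplified header (stand-in for a real IP/GRE header): 4-byte src, 4-byte dst, 2-byte length."""
    return (bytes(map(int, src.split("."))) + bytes(map(int, dst.split(".")))
            + struct.pack("!H", payload_len))


def addresses(packet: bytes):
    """Read the (src, dst) pair from a carrier header."""
    return ".".join(map(str, packet[:4])), ".".join(map(str, packet[4:8]))


def encapsulate(inner_packet: bytes, outer_src: str, outer_dst: str, key: bytes) -> bytes:
    """VPN client/server side: wrap the inner packet in a header addressed between the
    tunnel endpoints, then append an authentication tag over header and inner packet."""
    body = carrier_header(outer_src, outer_dst, len(inner_packet)) + inner_packet
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


def decapsulate(tunnel_packet: bytes, key: bytes):
    """Receiving side: verify the tag first, only then strip the outer header.
    Returns (inner_packet, "ok") or (None, reason)."""
    if len(tunnel_packet) < 10 + TAG_LEN:
        return None, "truncated tunnel packet"
    body, tag = tunnel_packet[:-TAG_LEN], tunnel_packet[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None, "authentication failed: packet modified or wrong key"
    inner_len = struct.unpack("!H", body[8:10])[0]
    inner = body[10:10 + inner_len]
    if len(inner) != inner_len:
        return None, "length field does not match packet size"
    return inner, "ok"


if __name__ == "__main__":
    key = b"constructed-shared-key"
    # Constructed inner packet between two private hosts on the corporate network.
    inner = carrier_header("10.0.0.5", "10.0.1.9", 5) + b"hello"
    # Tunnel endpoints: constructed public addresses of the VPN client and server.
    tp = encapsulate(inner, "198.51.100.7", "203.0.113.20", key)
    print("intermediate hops see:", addresses(tp))          # only the tunnel endpoints
    print("receiver recovers:", decapsulate(tp, key))       # the original inner packet
```

An intermediate hop sees only the outer addresses (the VPN endpoints), never the private 10.x.x.x addresses inside, and any change to a single byte of the inner packet makes decapsulate return None rather than a forged inner packet.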

Types of VPN Tunneling

VPN supports two types of tunneling - voluntary and compulsory. Both types of
tunneling are commonly used.

In voluntary tunneling, the VPN client manages connection setup. The client first makes
a connection to the carrier network provider (an ISP in the case of Internet VPNs). Then,
the VPN client application creates the tunnel to a VPN server over this live connection.

In compulsory tunneling, the carrier network provider manages VPN connection setup.
When the client first makes an ordinary connection to the carrier, the carrier in turn
immediately brokers a VPN connection between that client and a VPN server. From the
client point of view, VPN connections are set up in just one step compared to the two-
step procedure required for voluntary tunnels.

Compulsory VPN tunneling authenticates clients and associates them with specific VPN
servers using logic built into the broker device. This network device is sometimes called
the VPN Front End Processor (FEP), Network Access Server (NAS) or Point of Presence
Server (POS). Compulsory tunneling hides the details of VPN server connectivity from
the VPN clients and effectively transfers management control over the tunnels from
clients to the ISP. In return, service providers must take on the additional burden of
installing and maintaining FEP devices.

VPN Tunneling Protocols

Several computer network protocols have been implemented specifically for use with
VPN tunnels. The three most popular VPN tunneling protocols listed below continue to
compete with each other for acceptance in the industry. These protocols are generally
incompatible with each other.

Point-to-Point Tunneling Protocol (PPTP)


Several corporations worked together to create the PPTP specification. People generally
associate PPTP with Microsoft because nearly all flavors of Windows include built-in
client support for this protocol. The initial releases of PPTP for Windows by Microsoft
contained security features that some experts claimed were too weak for serious use.
Microsoft continues to improve its PPTP support, though.

More - About PPTP

Layer Two Tunneling Protocol (L2TP)

The original competitor to PPTP for VPN tunneling was L2F, a protocol implemented
primarily in Cisco products. In an attempt to improve on L2F, the best features of it and
PPTP were combined to create a new standard called L2TP. Like PPTP, L2TP exists at the
data link layer (Layer Two) in the OSI model, thus the origin of its name.

Internet Protocol Security (IPsec)

IPsec is actually a collection of multiple related protocols. It can be used as a complete
VPN protocol solution, or it can be used simply as the encryption scheme within L2TP or
PPTP. IPsec exists at the network layer (Layer Three) of the OSI model.

Introduction to PPTP - Point-to-Point Tunneling Protocol


PPTP - Point-to-Point Tunneling Protocol - extends the Point to Point Protocol (PPP)
standard for traditional dial-up networking. PPTP is best suited for the remote access
applications of VPNs, but it also supports LAN internetworking. PPTP operates at
Layer 2 of the OSI model. (See below)

Using PPTP
PPTP packages data within PPP packets, then encapsulates the PPP packets within IP
packets (datagrams) for transmission through an Internet-based VPN tunnel. PPTP
supports data encryption and compression of these packets. PPTP also uses a form of
General Routing Encapsulation (GRE) to get data to and from its final
destination.

PPTP-based Internet remote access VPNs are by far the most common form of PPTP
VPN. In this environment, VPN tunnels are created via the following two-step
process:

1. The PPTP client connects to their ISP using PPP dial-up networking
(traditional modem or ISDN).

2. Via the broker device (described earlier), PPTP creates a TCP control
connection between the VPN client and VPN server to establish a tunnel.
PPTP uses TCP port 1723 for these connections.
PPTP also supports VPN connectivity via a LAN. ISP connections are not required in
this case, so tunnels can be created directly as in Step 2 above.

Once the VPN tunnel is established, PPTP supports two types of information flow:

• control messages for managing and eventually tearing down the VPN
connection. Control messages pass directly between VPN client and server.
• data packets that pass through the tunnel, to or from the VPN client

PPTP Control Connection


Once the TCP connection is established in Step 2 above, PPTP utilizes a series of
control messages to maintain VPN connections. These messages are listed below.

Number  Name                           Description
1       StartControlConnectionRequest  Initiates setup of the VPN session; can be sent by either client or server.
2       StartControlConnectionReply    Sent in reply to the start connection request (1); contains a result code indicating success or failure of the setup operation, and also the protocol version number.
3       StopControlConnectionRequest   Request to close the control connection.
4       StopControlConnectionReply     Sent in reply to the stop connection request (3); contains a result code indicating success or failure of the close operation.
5       EchoRequest                    Sent periodically by either client or server to "ping" the connection (keep alive).
6       EchoReply                      Sent in response to the echo request (5) to keep the connection active.
7       OutgoingCallRequest            Request to create a VPN tunnel, sent by the client.
8       OutgoingCallReply              Response to the call request (7); contains a unique identifier for that tunnel.
9       IncomingCallRequest            Request from a VPN client to receive an incoming call from the server.
10      IncomingCallReply              Response to the incoming call request (9), indicating whether the incoming call should be answered.
11      IncomingCallConnected          Response to the incoming call reply (10); provides additional call parameters to the VPN server.
12      CallClearRequest               Request to disconnect either an incoming or outgoing call, sent from the server to a client.
13      CallDisconnectNotify           Response to the disconnect request (12); sent back to the server.
14      WANErrorNotify                 Notification periodically sent to the server of CRC, framing, hardware and buffer overruns, timeout and byte alignment errors.
15      SetLinkInfo                    Notification of changes in the underlying PPP options.

With control messages, PPTP utilizes a so-called magic cookie. The PPTP magic
cookie is hardwired to the hexadecimal number 0x1A2B3C4D. The purpose of this
cookie is to ensure the receiver interprets the incoming data on the correct byte
boundaries.
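As an added example (not from the PPTP article or any PPTP implementation), the Python below builds and parses PPTP control messages on the TCP control connection, using the magic cookie and the control message numbers from the table above. The 12-byte common header layout (Length, PPTP Message Type, Magic Cookie, Control Message Type, Reserved0) is taken from RFC 2637; the message bodies are treated as opaque bytes, and the sample stream is constructed. A dissector like this is what a firewall or IDS uses to decide whether traffic on port 1723 is really well-formed PPTP, and the cookie check is exactly the byte-boundary test the text describes.

```python
import struct

PPTP_MAGIC_COOKIE = 0x1A2B3C4D
PPTP_CONTROL_MESSAGE = 1   # "PPTP Message Type" value for control messages (RFC 2637)
HEADER_LEN = 12            # Length(2) MsgType(2) Cookie(4) CtrlType(2) Reserved0(2)

# Control message numbers and names from the table above.
CONTROL_MESSAGE_NAMES = {
    1: "StartControlConnectionRequest", 2: "StartControlConnectionReply",
    3: "StopControlConnectionRequest", 4: "StopControlConnectionReply",
    5: "EchoRequest", 6: "EchoReply",
    7: "OutgoingCallRequest", 8: "OutgoingCallReply",
    9: "IncomingCallRequest", 10: "IncomingCallReply", 11: "IncomingCallConnected",
    12: "CallClearRequest", 13: "CallDisconnectNotify",
    14: "WANErrorNotify", 15: "SetLinkInfo",
}


def build_control_message(ctrl_type: int, body: bytes = b"") -> bytes:
    """Common header followed by the (here opaque) type-specific body."""
    return struct.pack("!HHIHH", HEADER_LEN + len(body), PPTP_CONTROL_MESSAGE,
                       PPTP_MAGIC_COOKIE, ctrl_type, 0) + body


def parse_control_message(data: bytes) -> dict:
    """Validate one control message at the start of data; never trust the length
    field before the cookie and message type have been checked."""
    if len(data) < HEADER_LEN:
        return {"ok": False, "reason": "short header"}
    length, msg_type, cookie, ctrl_type, _reserved = struct.unpack("!HHIHH", data[:HEADER_LEN])
    if cookie != PPTP_MAGIC_COOKIE:
        return {"ok": False, "reason": "bad magic cookie 0x%08X (byte boundary lost?)" % cookie}
    if msg_type != PPTP_CONTROL_MESSAGE:
        return {"ok": False, "reason": "not a control message (PPTP message type %d)" % msg_type}
    if length < HEADER_LEN or length > len(data):
        return {"ok": False, "reason": "length field %d inconsistent with %d bytes available" % (length, len(data))}
    name = CONTROL_MESSAGE_NAMES.get(ctrl_type)
    if name is None:
        return {"ok": False, "reason": "unknown control message type %d" % ctrl_type}
    return {"ok": True, "type": ctrl_type, "name": name,
            "body": data[HEADER_LEN:length], "remaining": data[length:]}


def parse_stream(data: bytes) -> list:
    """Walk back-to-back control messages in a TCP stream; stop at the first malformed one."""
    messages = []
    while data:
        msg = parse_control_message(data)
        messages.append(msg)
        if not msg["ok"]:
            break
        data = msg["remaining"]
    return messages


if __name__ == "__main__":
    # Constructed keep-alive exchange as it would appear on the port 1723 control connection.
    stream = build_control_message(5) + build_control_message(6)
    for m in parse_stream(stream):
        print(m["name"] if m["ok"] else m["reason"])
```

Because the cookie is checked before the length field is used, a stream that has slipped off its byte boundary is reported rather than silently re-framed from garbage.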

PPTP Security
PPTP supports authentication, encryption, and packet filtering. PPTP
authentication uses PPP-based protocols like EAP, CHAP, and PAP. PPTP supports
packet filtering on VPN servers. Intermediate routers and other firewalls can also be
configured to selectively filter PPTP traffic.

PPTP and PPP

In general, PPTP relies on the functionality of PPP for these aspects of virtual private
networking.

• authenticating users and maintaining the remote dial-up connection
• encapsulating and encrypting IP, IPX, or NetBEUI packets

PPTP directly handles maintaining the VPN tunnel and transmitting data through the
tunnel. PPTP also supports some additional security features for VPN data beyond
what PPP provides.

PPTP Pros and Cons

PPTP remains a popular choice for VPNs thanks to Microsoft. PPTP clients are freely
available in all popular versions of Microsoft Windows. Windows servers also can
function as PPTP-based VPN servers.

One drawback of PPTP is its failure to choose a single standard for authentication and
encryption. Two products that both fully comply with the PPTP specification may be
totally incompatible with each other if they encrypt data differently, for example.
Concerns also persist over the questionable level of security PPTP provides compared to
alternatives.
