OSI & TCP/IP Models for CISSP Domain 4 | SkillAssess
CISSP · Communication and Network Security · 10 min read · 17 May 2026
OSI vs TCP/IP Models: How CISSP Tests Them (And Why It's Not Just Memorisation)
The OSI and TCP/IP models are the foundational frameworks for understanding how network communications are structured and where security controls operate. The CISSP exam does not test whether you can recite all seven OSI layer names in order — it tests whether you understand what happens at each layer, what attacks target each layer, and which controls defend at each layer. This applied understanding is the difference between passing and failing Domain 4 questions.
The OSI Model: Seven Layers of Communication
The Open Systems Interconnection (OSI) model is a conceptual framework that standardises the functions of a communication system into seven distinct layers. Each layer serves the layer above it and is served by the layer below it.
Layer 7 – Application: the layer closest to the end user. It provides the interface between the network and applications. Protocols at this layer include HTTP/HTTPS, SMTP, FTP, DNS, and LDAP. Security controls at Layer 7 include web application firewalls (WAF), application proxies, and URL filtering. Attacks at Layer 7 include SQL injection, cross-site scripting (XSS), and application-layer DDoS attacks that target specific functionality.
Layer 6 – Presentation: responsible for data translation, encryption, and compression. It ensures that data from the application layer is in a format that can be understood by the receiving application. SSL/TLS encryption is often conceptually placed at this layer (though in practice it spans layers 4-7). Encoding and format conversions (ASCII, Unicode, EBCDIC) occur here.
Layer 5 – Session: manages the establishment, maintenance, and termination of sessions between applications. Protocols include NetBIOS and RPC. Session hijacking is the attack the exam associates with this layer: an attacker takes over an established session by stealing or predicting its identifier. In real deployments the stolen identifier is usually an HTTP cookie handled by the application, so web security material describes the same attack at Layer 7; for the exam, map it to Layer 5.
Layer 4 – Transport: provides end-to-end communication services for applications. It handles segmentation, flow control, and error detection with recovery (TCP retransmits lost or corrupted segments; UDP only detects and discards). The two primary transport protocols are TCP (reliable, connection-oriented) and UDP (unreliable, connectionless). Security controls at Layer 4 include firewalls that filter on TCP/UDP port numbers, and TLS, which runs directly on top of TCP and is placed at this layer in most CISSP material (its encryption of application data is also described as a Layer 6 function, as noted above). Attacks include SYN floods (consuming TCP connection state to exhaust server resources) and port scanning.
Layer 3 – Network: responsible for logical addressing and routing. IP (Internet Protocol) — both IPv4 and IPv6 — operates at this layer. Security controls include routers with access control lists (ACLs), IPSec (which operates at Layer 3), and network-layer firewalls. Attacks include IP spoofing, routing protocol attacks (BGP hijacking), and network-layer DDoS (ICMP floods, Smurf attacks).
Layer 2 – Data Link: provides node-to-node data transfer and handles error detection. This layer manages physical addressing (MAC addresses) and access to the shared physical medium. Protocols include Ethernet, 802.11 (Wi-Fi), and PPP. Security controls include 802.1X (port-based network access control) and switch hardening features such as port security (limiting the MAC addresses learned per port), DHCP snooping with Dynamic ARP Inspection, and removing unused VLANs from trunk ports. Attacks include ARP poisoning (associating the attacker's MAC address with a legitimate IP), MAC flooding (overwhelming switch CAM tables), and VLAN hopping.
Layer 1 – Physical: the actual physical medium of the network — cables, radio waves, optical fibre. Security at this layer is physical security: preventing access to cables and devices, protecting against electromagnetic interference. Attacks include wire tapping, physical cable cutting, and jamming (disrupting wireless communications).
For the exam: the most tested layers are 3 (IP, routing, IPSec), 4 (TCP/UDP, port-based firewalls, TLS), and 7 (application protocols, WAF). Layer 2 attacks (ARP poisoning, VLAN hopping) also appear in network security questions.
TCP/IP Model vs OSI Model
The TCP/IP model (also called the Internet model) is the practical model used in real-world networking. It has four layers that map to the OSI model.
The Application layer in TCP/IP maps to OSI Layers 5, 6, and 7 (Session, Presentation, Application). It handles everything from application protocols (HTTP, DNS, SMTP) down to session management and data encoding.
The Transport layer in TCP/IP maps to OSI Layer 4. It handles TCP and UDP.
The Internet layer in TCP/IP maps to OSI Layer 3. It handles IP, ICMP, and routing.
The Network Access layer (also called Link layer) in TCP/IP maps to OSI Layers 1 and 2. It handles physical transmission and data link protocols.
For the exam: the OSI model is the theoretical reference for identifying where attacks and controls operate. The TCP/IP model is the practical reality of how networks function. Questions may ask about both, and knowing the mapping between them prevents confusion when a question describes a TCP/IP layer using OSI terminology or vice versa.
Where Security Controls Operate: Layer Mapping
A critical exam skill is knowing which security controls operate at which OSI layer.
Packet-filtering firewalls operate at Layer 3 (and Layer 4 for port filtering). They make decisions based on IP addresses and port numbers.
Stateful inspection firewalls operate at Layers 3 and 4. They track the state of connections and make decisions based on whether a packet is part of an established, authorised session.
Application-layer firewalls (proxy firewalls, WAFs) operate at Layer 7. They inspect the content of application-layer data and can detect application-layer attacks that packet filters cannot see.
IPSec operates at Layer 3, protecting IP packets. It is transparent to applications and can protect all traffic between two endpoints regardless of application protocol.
TLS sits above the transport layer: it runs on top of TCP and encrypts the application data carried in the TCP stream, which is why different sources assign it to Layer 4, Layer 6, or "between Layers 4 and 7". Unlike IPSec it is not transparent: the application itself, or a TLS-terminating proxy placed in front of it, must be TLS-aware.
SSH operates at Layer 7, providing secure remote terminal access and tunnelling.
802.1X operates at Layer 2, providing port-based network access control — requiring authentication before a device can communicate on the network at all.
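To make the control mapping concrete, the following added example (not code from the original page) builds one Ethernet/IPv4/TCP/HTTP frame with constructed addresses, parses it into the header each layer's control would read, and then shows the same frame to a stateless packet filter, a stateful firewall and a Layer 7 inspector. The ACL, the addresses and the SQL injection pattern are illustrative assumptions, not a production rule set.

```python
"""Added example: one constructed Ethernet/IPv4/TCP/HTTP frame walked layer by
layer, then shown to a stateless packet filter (Layers 3/4), a stateful
firewall (Layers 3/4 plus connection state) and a Layer 7 inspector.
Not code from the original page. Addresses, ports, ACL and the SQL injection
pattern are made up for the demonstration."""
import re
import struct
from urllib.parse import unquote_to_bytes

CLIENT, SERVER = bytes([192, 168, 1, 20]), bytes([10, 0, 0, 5])
# L2 header: destination MAC, source MAC, EtherType 0x0800 (IPv4)
ETH = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
SYN, ACK, PSH = 0x02, 0x10, 0x08


def build_frame(src, dst, sport, dport, flags, payload=b""):
    """Encapsulate payload (L7) in TCP (L4) in IPv4 (L3) in Ethernet (L2)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, src, dst)
    return ETH + ip + tcp


def parse_frame(frame):
    """Split a frame into the header each layer's control would read."""
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if proto != 6:
        raise ValueError("not TCP")
    l4 = ip[(ver_ihl & 0x0F) * 4:total_len]
    sport, dport, _, _, off_flags, _, _, _ = struct.unpack("!HHIIHHHH", l4[:20])
    flags = off_flags & 0x1FF
    return {
        "l2": {"src_mac": eth_src.hex(":"), "dst_mac": eth_dst.hex(":")},
        "l3": {"src_ip": ".".join(map(str, src)), "dst_ip": ".".join(map(str, dst)), "ttl": ttl},
        "l4": {"sport": sport, "dport": dport, "syn": bool(flags & SYN), "ack": bool(flags & ACK)},
        "l7": l4[(off_flags >> 12) * 4:],
    }


# Stateless packet filter: matches only L3/L4 header fields, never the payload.
ACL = [{"action": "allow", "dst_ip": "10.0.0.5", "dport": 80}]


def packet_filter(pkt, acl=ACL):
    hdr = {**pkt["l3"], **pkt["l4"]}
    for rule in acl:
        if all(hdr.get(k) == v for k, v in rule.items() if k != "action"):
            return rule["action"]
    return "deny"  # implicit default deny


class StatefulFirewall:
    """Same ACL plus a state table: a flow is admitted by a permitted SYN and
    later segments are allowed because they belong to a recorded flow."""

    def __init__(self, acl=ACL):
        self.acl, self.table = acl, set()

    def inspect(self, pkt):
        key = (pkt["l3"]["src_ip"], pkt["l4"]["sport"], pkt["l3"]["dst_ip"], pkt["l4"]["dport"])
        if key in self.table or key[2:] + key[:2] in self.table:
            return "allow"
        if pkt["l4"]["syn"] and not pkt["l4"]["ack"] and packet_filter(pkt, self.acl) == "allow":
            self.table.add(key)
            return "allow"
        return "deny"  # mid-stream segment with no recorded handshake


SQLI = re.compile(rb"'\s*(or|and)\s+\d+\s*=\s*\d+", re.IGNORECASE)  # illustrative pattern only


def app_inspect(payload):
    """What a WAF or proxy sees and a packet filter cannot: the HTTP request.
    Percent-decoding (a presentation-layer task) precedes matching, otherwise
    %27 and %20 in the request line would evade the pattern."""
    if not payload.startswith((b"GET ", b"POST ")):
        return "not-http"
    request_line = unquote_to_bytes(payload.split(b"\r\n", 1)[0])
    return "block" if SQLI.search(request_line) else "allow"


def demo():
    injection = b"GET /login?user=admin'%20OR%201=1-- HTTP/1.1\r\nHost: shop.example\r\n\r\n"
    syn = parse_frame(build_frame(CLIENT, SERVER, 51514, 80, SYN))
    data = parse_frame(build_frame(CLIENT, SERVER, 51514, 80, PSH | ACK, injection))
    fw = StatefulFirewall()
    return {
        "packet_filter_allows_injection": packet_filter(data),  # L3/L4 headers look fine
        "stateful_syn": fw.inspect(syn),                          # handshake start recorded
        "stateful_data": fw.inspect(data),                        # belongs to recorded flow
        "stateful_orphan": StatefulFirewall().inspect(data),      # no handshake seen
        "waf_verdict": app_inspect(data["l7"]),                   # only L7 sees the injection
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The exam point falls out of the verdicts: the packet filter allows the injected request because its Layer 3/4 headers are unremarkable, the stateful firewall's only extra power is rejecting a segment that belongs to no recorded handshake, and only the component that decodes and reads the request line (what a WAF or application proxy does) can block it.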
IPv4 vs IPv6: Security Implications
IPv6 was designed to replace IPv4 and address its limitations, particularly address exhaustion. From a security perspective, IPv6 introduces both improvements and new challenges.
IPv6 improvements: IPSec support was originally a mandatory part of every IPv6 node (later relaxed to a recommendation by RFC 6434), but mandatory to implement was never mandatory to use, and in practice IPSec is configured on IPv6 no more often than on IPv4. IPv6 eliminates broadcast (replacing it with multicast), reducing exposure to broadcast-based attacks, though the all-nodes multicast address ff02::1 still reaches every host on the link. IPv6 does not use ARP (replaced by Neighbor Discovery Protocol, NDP), though NDP has its own vulnerabilities.
IPv6 security challenges: many organisations are running IPv6 whether or not they planned to, because modern operating systems enable it by default, so hosts have link-local addresses and will accept Router Advertisements even on networks the organisation thinks of as IPv4-only. Dual-stack environments (running both IPv4 and IPv6) create complexity because security controls must cover both protocol stacks. IPv6 tunnelling over IPv4 (6to4, Teredo) can bypass security controls that only inspect IPv4 traffic: 6to4 and 6in4 appear to an IPv4-only device as IP protocol 41, and Teredo as UDP traffic to port 3544, so a policy that permits outbound UDP carries the encapsulated IPv6 traffic without inspecting it. NDP spoofing is the IPv6 equivalent of ARP poisoning, and a rogue Router Advertisement can make hosts adopt an attacker as their default gateway; RA Guard on switches is the corresponding control.
For the exam: the key IPv6 point is that organisations running dual-stack must secure both protocol stacks. Security controls that only inspect IPv4 may be bypassed by tunnelling attacks that encapsulate IPv6 traffic within IPv4.
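The following added example (not from the original page) shows the two checks a practitioner would run for the tunnelling problem described above: flagging IPv4 flow records that are really IPv6 tunnels, and, on the IPv6 side, recovering the embedded IPv4 address from 6to4 and Teredo addresses seen in logs. The flow records and addresses are constructed from documentation ranges; the prefix and protocol constants are the published ones.

```python
"""Added example: detect IPv6 tunnelled inside IPv4 in constructed flow records,
and recover the embedded IPv4 endpoint from observed 6to4/Teredo IPv6 addresses.
Not code from the original page; records and addresses are made up."""
import ipaddress

# Published transition-mechanism markers (RFC 3056 6to4, RFC 4213 6in4, RFC 4380 Teredo).
PROTO_IPV6_IN_IPV4 = 41   # 6in4 and 6to4 carry IPv6 directly as IPv4 protocol 41
TEREDO_UDP_PORT = 3544    # Teredo wraps IPv6 in UDP to port 3544
SIXTOFOUR_PREFIX = ipaddress.ip_network("2002::/16")
TEREDO_PREFIX = ipaddress.ip_network("2001::/32")

# Constructed NetFlow-style records: (src, dst, ip_proto, dst_port). An IPv4-only
# policy of "allow outbound UDP, allow established TCP" passes all four.
FLOWS = [
    ("192.168.1.20", "203.0.113.1", 41, 0),      # 6to4 to a relay
    ("192.168.1.21", "203.0.113.9", 17, 3544),   # Teredo to a Teredo server
    ("192.168.1.22", "10.0.0.5", 6, 443),        # ordinary HTTPS
    ("192.168.1.23", "10.0.0.53", 17, 53),       # ordinary DNS
]


def classify_flow(proto, dport):
    """Name the tunnel an IPv4-only control is carrying blind, or None."""
    if proto == PROTO_IPV6_IN_IPV4:
        return "6in4/6to4"
    if proto == 17 and dport == TEREDO_UDP_PORT:
        return "teredo"
    return None


def tunnel_flows(flows):
    """Return (src, dst, tunnel_type) for every flow that is an IPv6 tunnel."""
    return [(src, dst, classify_flow(proto, dport))
            for src, dst, proto, dport in flows if classify_flow(proto, dport)]


def tunnel_origin(addr):
    """For an IPv6 address seen on the v6 side (web log, IDS alert), report which
    transition mechanism it came through and the IPv4 endpoint it embeds."""
    a = ipaddress.IPv6Address(addr)
    if a in SIXTOFOUR_PREFIX:
        # 2002:WWXX:YYZZ::/48 embeds the host's public IPv4 address WW.XX.YY.ZZ.
        return "6to4", str(a.sixtofour)
    if a in TEREDO_PREFIX:
        # 2001:0:<server>:<flags>:<~port>:<~client>; Python undoes the XOR obfuscation.
        server, client = a.teredo
        return "teredo", str(client)
    return None, None


if __name__ == "__main__":
    for src, dst, kind in tunnel_flows(FLOWS):
        print(f"tunnel {kind}: {src} -> {dst}")
    for observed in ("2002:cb00:7109::1", "2001:0:cb00:7132:0:63bf:39cc:9bf8", "2001:db8::1"):
        print(observed, "->", tunnel_origin(observed))
```

The flow classifier is the perimeter check: if the organisation does not intend to run these tunnels, IP protocol 41 and UDP/3544 should be blocked or, at minimum, sent through a device that decapsulates and inspects them. The address check is the forensic counterpart: a 6to4 or Teredo source in an IPv6 log tells you the traffic entered via a tunnel and which IPv4 host ran the tunnel endpoint.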
Protocol Vulnerabilities by Layer
The exam tests protocol vulnerabilities in the context of the OSI layer at which they operate.
Layer 2: ARP spoofing (poisoning the ARP cache to associate the attacker's MAC address with a legitimate IP address, enabling MITM attacks), MAC flooding (overwhelming a switch's CAM table to force it to flood traffic to all ports, enabling passive interception), VLAN hopping (exploiting misconfigured trunk ports to access VLANs the attacker should not have access to).
Layer 3: IP spoofing (forging the source IP address of packets), ICMP attacks (Ping of Death, Smurf attack using ICMP broadcasts), BGP hijacking (injecting malicious routing information to redirect internet traffic).
Layer 4: SYN flood (sending large numbers of SYN packets without completing the handshake, exhausting server connection state tables; SYN cookies and rate-limiting half-open connections are the standard mitigations), UDP flood (overwhelming a target with high volumes of UDP packets).
Layer 7: SQL injection, cross-site scripting, cross-site request forgery, HTTP header injection, DNS cache poisoning (injecting malicious records into DNS caches to redirect users to attacker-controlled servers).
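The following added example (not code from the original page) runs the detection logic for two of the attacks listed above over constructed event records: Layer 2 ARP poisoning, seen as an IP address whose MAC binding changes and as one MAC answering for several IPs, and a Layer 4 SYN flood, seen per source as many SYNs with almost no handshake completion and in aggregate as a server whose connection table is filling with half-open connections. All addresses, MACs and counts are made up.

```python
"""Added example: passive detection of ARP poisoning (Layer 2) and SYN flooding
(Layer 4) over constructed event records. Not from the original page; every
address, MAC and count is made up for the demonstration."""
from collections import Counter, defaultdict

# Constructed ARP replies as (timestamp, sender_ip, sender_mac). The gateway 10.0.0.1
# is legitimately aa:bb:cc:00:00:01; the last two replies come from the attacker.
ARP_REPLIES = [
    (1.0, "10.0.0.1", "aa:bb:cc:00:00:01"),
    (1.5, "10.0.0.7", "aa:bb:cc:00:00:07"),
    (2.0, "10.0.0.1", "aa:bb:cc:00:00:01"),
    (9.0, "10.0.0.1", "de:ad:be:ef:00:99"),  # gateway IP now claims the attacker's MAC
    (9.5, "10.0.0.7", "de:ad:be:ef:00:99"),  # victim rebound too: two-sided MITM
]


def arp_rebindings(replies):
    """Return (time, ip, old_mac, new_mac) for each reply that changes an existing
    IP->MAC binding. Dynamic ARP Inspection on the switch prevents this; a passive
    sensor detects it with exactly this comparison."""
    table, alerts = {}, []
    for ts, ip, mac in replies:
        if ip in table and table[ip] != mac:
            alerts.append((ts, ip, table[ip], mac))
        table[ip] = mac
    return alerts


def macs_claiming_multiple_ips(replies):
    """One MAC answering for several IPs is the other signature of poisoning."""
    claims = defaultdict(set)
    for _, ip, mac in replies:
        claims[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in claims.items() if len(ips) > 1}


# Constructed client->server TCP events as (src_ip, flags): "S" is a SYN, "A" the
# client's final handshake ACK. A real client sends S then A; a flood sends S only.
TCP_EVENTS = (
    [("192.0.2.10", "S"), ("192.0.2.10", "A")] * 3             # normal client
    + [("198.51.100.%d" % i, "S") for i in range(50)]           # 50 spoofed one-shot SYNs
    + [("203.0.113.77", "S")] * 200                             # one source hammering SYNs
)


def syn_flood_sources(events, min_syns=20, max_completion_ratio=0.1):
    """Per-source view: many SYNs, almost no completed handshakes."""
    syns, acks = Counter(), Counter()
    for src, flags in events:
        if flags == "S":
            syns[src] += 1
        elif "A" in flags:
            acks[src] += 1
    return sorted(src for src, n in syns.items()
                  if n >= min_syns and acks[src] / n <= max_completion_ratio)


def half_open_fraction(events):
    """Aggregate view: share of SYNs never completed. Spoofed or distributed floods
    keep every source under a per-source threshold, so this is the check that
    still fires; near 1.0 means the state table is filling with half-open
    connections (SYN cookies are the standard mitigation)."""
    syns = sum(1 for _, f in events if f == "S")
    acks = sum(1 for _, f in events if "A" in f)
    return (syns - acks) / syns if syns else 0.0


if __name__ == "__main__":
    print("ARP rebindings:", arp_rebindings(ARP_REPLIES))
    print("MACs claiming several IPs:", macs_claiming_multiple_ips(ARP_REPLIES))
    print("SYN flood sources:", syn_flood_sources(TCP_EVENTS))
    print("Half-open fraction: %.3f" % half_open_fraction(TCP_EVENTS))
```

Note what each view misses: the per-source SYN check catches the single hammering host but not the fifty spoofed one-shot SYNs, which is why the aggregate half-open fraction is the number a server-side detector actually alerts on, and why the mitigation for SYN floods is stateless (SYN cookies) rather than a per-source block list.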
Exam Tip
CISSP rarely asks you to name all 7 OSI layers — it asks what controls operate at which layer. Focus on knowing which firewalls, protocols, and attacks belong to which layers. The critical associations: Layer 2 = ARP/MAC/VLAN, Layer 3 = IP/IPSec/routing, Layer 4 = TCP/UDP/TLS/ports, Layer 7 = application protocols/WAF/HTTPS.