7 Layers of OSI Model Encryption: From MACsec, IPsec, SSL/TLS/DTLS to HTTPS

Introduction

With such rapid development, an overwhelming amount of data, and an explosion of information, has your personal information been leaked? As you navigate the online world, have you ever thought about how your data is being protected?

As we all know, the International Organization for Standardization (ISO) divides the network into OSI 7 layers. So, would you like to learn about the 7 Layers of OSI Model Encryption? The protocols we often mention, such as MACsec, IPsec, SSL/TLS/DTLS, and HTTPS, belong to which layer?

Let’s dive into the encryption methods across the OSI layers and explore which of the well-known network encryption protocols belong to each layer.

7 Layers of OSI Model Encryption

In this section, we will look at the 7 Layers of OSI Model Encryption, covering the different encryption methods, their target objects, and what they accomplish.

Physical Layer

At the physical layer, which serves as the foundation for OSI Model Encryption, techniques such as signal scrambling, optical signal encryption, or dedicated encryption devices are used to encrypt optical and electrical signals on the physical medium. This is hardware-level, link-transparent encryption, meaning upper-layer protocols are completely unaware of it. This is the first line of defense for protecting data through OSI Model Encryption.

Data Link Layer

A typical technology representing OSI Model Encryption at this layer is MACsec (IEEE 802.1AE). Its target is the Ethernet frame (excluding the preamble and Frame Check Sequence, FCS), focusing on securing the link behavior. It enables point-to-point encryption between switch ports and directly connected device links, effectively preventing Layer 2 eavesdropping, tampering, and replay attacks. MACsec operates at the Data Link Layer (Layer 2) of the OSI model and is widely deployed to secure Layer 2 links over dark fiber.

Network Layer

The core technology handling OSI Model Encryption at the network layer is IPsec. It encrypts the payload or the entire original IP packet using the ESP (Encapsulating Security Payload) protocol, while also authenticating the IP header. IPsec supports encrypted communication across subnets and public networks. An emerging technology is WireGuard, designed in 2015 and integrated into the Linux kernel in version 5.6 in 2020. It encrypts the entire IP packet and is lightweight, with about 4,000 lines of code.

Transport Layer

The representative encryption technology at the transport layer is SSL/TLS/DTLS.

• SSL/TLS works over TCP and implements OSI Model Encryption by securing the application layer payload of the TCP segment, leaving the TCP header unencrypted so that network layer devices can forward packets based on ports. It provides a standardized encrypted channel for upper-layer applications and is a core technology for ensuring data confidentiality and integrity.
• DTLS is the UDP version of TLS, designed specifically for real-time UDP applications (such as IoT device communication and audio/video transmission). It addresses encryption and retransmission issues caused by UDP’s connectionless nature.

Session Layer

The session layer is responsible for establishing, managing, and terminating sessions between applications. OSI Model Encryption at this layer focuses on data flows throughout the session lifecycle. Typically, this encryption is bound to specific session protocols. For example, session encryption based on NetBIOS uses a session-specific key to encrypt all interaction data within the session, which expires as soon as the session ends, ensuring data isolation and security at the session level.

Presentation Layer

The core function of the presentation layer involves data format translation and handling the specific syntax requirements of OSI Model Encryption. Its encryption targets standardized encoded data structures, such as encrypted or ASN.1 encoded data or XML/JSON messages. This encryption ensures that data is not exposed due to its format during transmission and parsing, while allowing the receiving end to accurately restore the original data format. This layer is commonly applied in secure transmission of financial SWIFT messages or medical HL7 data.

Application Layer

The OSI Model Encryption technology at the application layer is typified by HTTPS. Essentially, HTTPS is a combination of the HTTP protocol and a TLS encrypted channel. HTTPS directly encrypts application-level business data (such as web content, API request parameters, and user login information) through TLS, which performs key negotiation and data encryption, ensuring end-to-end application data security. It is currently the most widely used encryption solution in the internet domain, covering e-commerce, social media, government services, and most other application scenarios. Additionally, it is compatible with higher-layer application encryption technologies (such as PGP email encryption and database TDE), forming a multi-layer defense system.

Summary Table of 7 Layers of OSI Model Encryption:

OSI Layer	Main Encryption Methods	Encrypted Object	Typical Application Scenarios
Physical Layer	Signal Scrambling Technology, Optical Signal Encryption, Dedicated Line Encryption Devices	Electrical/Optical signals on the physical medium	Optical fiber dedicated line encryption, coaxial cable signal encryption
Data Link Layer	MACsec	Ethernet frame (excluding preamble and FCS)	Data center Layer 2 link encryption, switch port encryption
Network Layer	IPsec	IP packets (including upper-layer data)	VPN communication across public networks, Layer 3 encryption between sites
Transport Layer	SSL/TLS/DTLS	TCP segment payload (SSL/TLS) UDP payload (DTLS)	HTTPS encryption, remote device maintenance (SSH), IoT DTLS communication
Session Layer	NetBIOS Encryption	Data flow in the session connection	Early LAN session encryption, application session isolation
Presentation Layer	Format Encryption/Data Anonymization (e.g., ASN.1 encryption)	Encoded data structure (e.g., XML/JSON)	Financial message format encryption, medical data format anonymization
Application Layer	HTTPS	Complete application-level data (e.g., emails, files)	Email encryption, file encryption, database field encryption

In fact, each layer has more than one encryption method. From local area networks to web access across networks, various security protocols have emerged at different layers and in different scenarios. Below, we will delve into the well-known protocols—from MACsec, IPsec, SSL/TLS/DTLS to HTTPS—introducing them from three aspects: what they are, their core features, and how they work.

Finally, we will compare them side-by-side to clarify the differences and positioning of each protocol.

Link Layer Security Barrier: MACsec

1. What is it?

MACsec, short for Media Access Control Security, is defined in the IEEE 802.1AE standard and is a security protocol that operates at the data link layer, playing a vital role in Layer 2 OSI Model Encryption. Its core function is to provide end-to-end encryption and authentication for Ethernet links, protecting raw Ethernet frames between network interface cards (NICs).

It is important to note that MACsec operates solely at the link layer and does not affect the protocol headers of the network layer or above, meaning it cannot transmit across routers. It is primarily used in local area network (LAN) scenarios, such as within data centers or enterprise intranets.

2. Core Features

• Link Layer Transparent Protection: Fully transparent to upper-layer protocols. No modification is required for IP, TCP/UDP, or other protocol configurations, and its deployment has minimal impact on existing network architecture.
• Strong Encryption and Authentication: Uses AES-GCM (Advanced Encryption Standard with Galois/Counter Mode) as the default encryption algorithm, supporting 128-bit or 256-bit keys. It also includes data integrity checks (to prevent tampering) and data origin authentication (to prevent spoofing), providing protection against man-in-the-middle attacks.
• Hop-by-Hop or End-to-End Support: It can be deployed either between adjacent devices (hop-by-hop protection) or, with the MACsec Key Agreement (MKA) protocol, for end-to-end protection across multiple devices (requires device support for MKA).
• Low Latency: Operating at the link layer, encryption and decryption are performed close to the hardware level, resulting in low performance overhead compared to higher-layer OSI Model Encryption protocols.

3. How It Works

MACsec’s operation revolves around two key stages: “Key Negotiation” and “Frame Encryption Transmission.”

1. Key Negotiation (MKA Phase): Devices exchange keying materials via the MKA protocol (defined in IEEE 802.1X-2010) to generate the Security Association Key (SAK) used for encryption. MKA relies on pre-shared keys (PSK) or digital certificates for identity authentication, ensuring that only authorized devices participate in the key negotiation process.
2. Frame Encapsulation and Encryption: After the key exchange, the sender processes the raw Ethernet frame: the MACsec header (including SA identifier, sequence number, etc.) is added, followed by AES-GCM encryption of the frame’s data part. Finally, an Integrity Check Value (ICV) is appended. Upon receiving the frame, the recipient first verifies the legitimacy of the MACsec header, then decrypts the data using the corresponding SAK and checks the ICV. After confirming the data’s integrity, the MACsec header is stripped, and the original frame is passed to the upper-layer protocol for further processing.

Network Layer Security Choices: IPsec vs. WireGuard

Both IPsec and WireGuard operate at the network layer to provide robust OSI Model Encryption and share the core objective of providing secure transmission for IP packets. They are commonly used in VPN (Virtual Private Network) scenarios to ensure secure interconnection across public networks.

IPsec

What is it?

IPsec, short for Internet Protocol Security, is a suite of network layer security protocols defined by the IETF (including RFC 2401, RFC 4301, and others). Operating at the network layer, it provides encryption, authentication, and integrity checks for IP packets, protecting all application data transmissions at the IP layer and above. IPsec does not depend on specific transport or application layer protocols, meaning it can protect traffic from both TCP and UDP protocols.

Core Features

• Protocol Suite: IPsec is not a single protocol but a suite consisting of Authentication Header (AH), Encapsulating Security Payload (ESP), Internet Key Exchange (IKE), and others. It supports various encryption algorithms (e.g., AES, 3DES) and hash algorithms (e.g., SHA-1, SHA-256).
• Two Modes of Operation: IPsec supports two modes:
  • Transport Mode: Encrypts only the payload of the IP packet, leaving the original IP header intact (used for end-to-end communication).
  • Tunnel Mode: Encapsulates the entire original IP packet within a new IP packet, which is then encrypted (used for site-to-site VPN).
• Strong Compatibility and Maturity: Introduced in 1998, IPsec is the most widely used network layer security protocol and is supported by nearly all network devices (routers, firewalls) and operating systems.
• Flexible Key Negotiation: The IKE protocol enables automatic key exchange and identity authentication, supporting various authentication methods such as pre-shared keys (PSK) and digital certificates.

How It Works

IPsec’s operation is primarily divided into two phases: Key Negotiation (IKE Phase) and Data Transmission (AH/ESP Phase).

• IKE Key Negotiation: This is split into two phases:
  • Phase 1 (IKE SA Negotiation): Both sides exchange keying materials and establish a temporary security association (IKE SA) for securing subsequent negotiations, as well as performing identity authentication.
  • Phase 2 (IPsec SA Negotiation): Based on the established IKE SA, a secure channel is set up for negotiating the Security Association (IPsec SA) used for securing IP data transmission, defining encryption algorithms, hash algorithms, and other parameters.
• Data Transmission (AH/ESP):
  • AH Protocol: Provides identity authentication and data integrity checking without encrypting the data, preventing IP address spoofing and data tampering.
  • ESP Protocol: Provides encryption, authentication, and integrity checks. ESP is the most commonly used subprotocol of IPsec. It encapsulates the payload of the original IP packet (in transport mode) or the entire IP packet (in tunnel mode), adding ESP headers and trailers to ensure secure data transmission.

WireGuard

What is it?

WireGuard, defined by RFC 8922, is a next-generation network layer security protocol designed to replace traditional IPsec. It offers a simpler, more efficient, and secure encryption solution for VPN scenarios. The core design philosophy behind WireGuard is “minimalism,” aiming to reduce the protocol’s complexity, minimize code size, and thus lower the risk of security vulnerabilities, while improving performance. Like IPsec, WireGuard provides underlying protection for all traffic above the IP layer (including HTTP/HTTPS).

Core Features

• Minimalist Protocol Design: With only about one-tenth the code size of IPsec, WireGuard removes redundant features in IPsec (e.g., support for multiple encryption algorithms and complex mode switching) and retains only the essential encryption and key exchange functions, making it easier to audit for security.
• High Performance and Low Latency: Using state machine-driven design combined with efficient algorithms like ChaCha20-Poly1305 (for encryption and authentication) and Curve25519 (for key exchange), WireGuard reduces the number of protocol exchanges, leading to much lower latency compared to IPsec. This makes it particularly well-suited for mobile network scenarios.
• Native Roaming Support: When a client’s IP address changes (e.g., when switching from Wi-Fi to cellular networks), WireGuard can automatically re-establish the connection without the need for complex key renegotiation, offering a smoother roaming experience compared to IPsec.
• Simple Key Management: WireGuard uses pre-shared keys or public-key authentication, eliminating the need for complex IKE protocols. This greatly reduces configuration and maintenance costs.

How It Works

WireGuard’s workflow is more straightforward than IPsec’s and is divided into two main stages: Peer Configuration and Data Encryption Transmission.

• Peer Configuration: Administrators must configure the public keys and allowed IP ranges of the peers (the two communicating devices). WireGuard uses the Curve25519 algorithm to generate public and private key pairs, with the public key used for identity and key exchange, and the private key stored locally.
• Key Exchange and Data Transmission: When one peer wants to send data to another, it first generates a temporary session key via public key exchange (using the X25519 key exchange algorithm). Then, the data is encrypted and authenticated using the ChaCha20-Poly1305 algorithm, encapsulated into a WireGuard packet, and sent. Upon receiving the data, the receiving peer uses the corresponding private key to decrypt the data and verify its integrity, and once confirmed, the original IP packet is passed to the upper-layer protocols for further processing.

IPsec vs. WireGuard Comparison

Both IPsec and WireGuard provide IP-layer OSI Model Encryption for HTTP/HTTPS, but their ideal use cases differ. IPsec offers greater compatibility and is better suited for complex enterprise Site-to-Site VPNs, while WireGuard offers better performance, simpler configuration, and is more suitable for personal VPNs or mobile device access. It is important to note that the security features of HTTP/HTTPS (such as TLS encryption in HTTPS) provide “layered protection.” Even when using IPsec or WireGuard at the underlying layer, HTTPS will still perform encryption at the transport layer, further enhancing security.

The Security of Transport Layer: SSL/TLS/DTLS

SSL/TLS and DTLS both work to implement OSI Model Encryption between the transport layer and the application layer (often referred to as the “Transport Layer Security Layer,” corresponding to Layer 4 and Layer 7 of the OSI model). Their core goal is to provide security enhancements for transport layer protocols (TCP/UDP), and they form the core security foundation for HTTPS. SSL has been deprecated, TLS is the current mainstream protocol, and DTLS is the adaptation of TLS for UDP scenarios.

1. What is it?

SSL (Secure Sockets Layer), introduced by Netscape in 1994, was later standardized by the IETF and renamed TLS (Transport Layer Security). TLS is defined by standards such as RFC 2246 (TLS 1.0), RFC 5246 (TLS 1.2), and RFC 8446 (TLS 1.3). TLS operates above TCP and below the application layer, providing encryption, authentication, and integrity checks for TCP connections. It does not depend on specific application layer protocols, and it can support various applications such as HTTP, FTP, SMTP, etc.

DTLS (Datagram Transport Layer Security), defined in RFC 6347, is the adaptation of TLS for UDP scenarios. Since UDP is connectionless and unreliable, DTLS solves the issue by adding mechanisms such as sequence numbers and retransmission to ensure reliability. DTLS operates at the same layer as TLS, mainly used for UDP-based applications such as VoIP, video conferencing, and VPNs (e.g., OpenVPN’s UDP mode).

Key Relationship: The core of HTTPS is “HTTP + TLS,” meaning the data of the HTTP protocol is transmitted over a TLS-encrypted TCP connection. Therefore, HTTPS is not purely an application layer protocol but a combination of “application layer business (HTTP)” and “transport layer security (TLS).” TLS provides transport layer security for HTTP, while HTTP handles the request-response logic at the application layer.

2. Core Features

• Application Layer Transparency: Fully transparent to application layer protocols, meaning no modifications are needed at the application layer to use TLS/DTLS for secure transmission. For example, upgrading HTTP to HTTPS only requires the deployment of certificates on the server and enabling TLS, with the client browser automatically adapting.
• Hybrid Encryption Mechanism: This OSI Model Encryption approach combines the advantages of asymmetric encryption (e.g., RSA, ECDH) and symmetric encryption (e.g., AES, ChaCha20). In the handshake phase, asymmetric encryption is used to negotiate the session key, while symmetric encryption (more efficient) is used to encrypt data during the data transmission phase.
• Identity Authentication and Trust Mechanism: Supports server-side authentication (by default) and optional client-side authentication. Identity verification is performed through digital certificates (issued by CA authorities) to prevent man-in-the-middle attacks and phishing attacks.
• Version Iteration and Security Enhancements: TLS 1.3 significantly simplifies the handshake process compared to earlier versions (from 2-RTT to 1-RTT, or even 0-RTT), removes insecure algorithms, and improves security and performance. DTLS retains the security features of TLS while adapting to UDP’s connectionless nature.

3. How It Works

The core workflow of TLS consists of two stages: the Handshake Phase and the Data Transmission Phase. Using TLS 1.3 as an example, it has greatly simplified the handshake process compared to earlier versions:

1. TLS Handshake Phase (Core Functions: Key Negotiation and Identity Authentication):
   • Note: TLS 1.3 reduces handshake latency by “pre-sharing key materials,” cutting the handshake process from 2-RTT to 1-RTT, significantly lowering delay. The 0-RTT feature applies to reconnection scenarios, allowing the client to send encrypted data directly, further enhancing efficiency.
   • Client Sends the Client Hello Message: Contains the supported TLS version, list of cipher suites, random number (client_random), and key exchange materials (used for key exchange).
   • Server Sends the Server Hello Message: Confirms the TLS version and cipher suite to be used, provides a server certificate (containing the public key), key exchange materials, and sends a Finished message (indicating the server has completed key negotiation).
   • Client Verifies the Server Certificate: After verifying that the certificate is issued by a trusted CA, is valid, and matches the domain, the client uses the key exchange materials and random numbers to generate the session key. It then sends a Finished message (indicating the client has completed key negotiation).
2. Data Transmission Phase: Once the handshake is complete, both parties use the session key (symmetric encryption) to encrypt application layer data. A Message Authentication Code (MAC) is added to ensure data integrity. During transmission, the data is encapsulated into a TLS record (containing the record header, encrypted data, and MAC) and transmitted via the TCP connection.

DTLS Workflow: The core process of DTLS is similar to TLS, but to accommodate UDP’s connectionless nature, additional mechanisms such as sequence numbers (to prevent data reordering), retransmission timers (to handle packet loss), and preservation of datagram boundaries (to avoid data merging/splitting) are added, ensuring reliable encrypted data transmission.

Application Layer Security Interaction: HTTPS

HTTPS is the most commonly used OSI Model Encryption protocol at the application layer, primarily for hypertext transfer between clients (e.g., browsers) and servers. When we talk about HTTPS, we must also mention HTTP. The core difference between HTTPS and HTTP lies in “whether it is based on TLS encryption for transmission.”

1. What is it?

Let’s first look at what HTTP is. HTTP (HyperText Transfer Protocol) is defined in RFC 2616 (HTTP/1.1), RFC 9114 (HTTP/2), and other standards. It is a pure application layer protocol (OSI model Layer 7), based on TCP to provide reliable, plaintext transmission for HTML, images, videos, and other hypertext data. HTTP only defines the request-response logic at the application layer (such as request methods, status codes, and message headers), and it provides no security protection.

HTTPS (HyperText Transfer Protocol Secure) is not an independent protocol, but a combination of “HTTP + TLS.” It is not purely an application layer protocol—its underlying layer is based on TLS-encrypted TCP connections (transport layer security), while the upper layer is the HTTP application layer protocol. HTTPS uses TLS to provide encryption, authentication, and integrity protection for the data transmitted by HTTP, resolving the security risks of HTTP’s plaintext transmission.

2. Core Feature Comparison

Dimension of Comparison	HTTP	HTTPS
Security Features	Plaintext transmission, no encryption, authentication, or integrity check, vulnerable to eavesdropping, tampering, and spoofing	TLS-based encrypted transmission, supports authentication (server certificates) and integrity checks, protects against eavesdropping, tampering, and man-in-the-middle attacks
Working Layer	Pure application layer (OSI Layer 7), directly based on TCP transmission	Application layer (HTTP) + Transport layer security (TLS), based on TLS-encrypted TCP transmission
Default Port	80	443
Performance Overhead	No encryption and decryption overhead, quick connection establishment (only TCP three-way handshake)	Additional TLS handshake (key negotiation, certificate validation), encryption/decryption overhead; after optimization in TLS 1.3, overhead is greatly reduced
Trust Mechanism	No trust mechanism, server legitimacy cannot be verified	Relies on digital certificates issued by CA authorities, the client can verify server identity to prevent phishing attacks
Browser Display	Shows “Not Secure” warning	Displays green lock symbol, indicating “Secure”

3. Working Principle Comparison

(1) HTTP Working Principle

• The client and server establish a connection via the TCP three-way handshake.
• The client sends an HTTP request (e.g., GET /index.html), and the data is transmitted in plaintext.
• The server receives the request, processes it, and returns an HTTP response (e.g., HTML content, status code 200). The response data is also transmitted in plaintext.
• The connection is closed (or kept alive for subsequent requests).

(2) HTTPS Working Principle

• The client and server establish a connection via the TCP three-way handshake.
• TLS Handshake Phase: Both sides negotiate the TLS version and cipher suites, the server sends a certificate, the client validates the certificate and negotiates the session key (as detailed in the “TLS Working Principle” section).
• HTTP Data Transmission Phase: The client encrypts the HTTP request data using the session key and sends it to the server. The server decrypts the data and processes the request. The server encrypts the HTTP response data and returns it to the client, who then decrypts and processes the content.
• The connection is closed (or kept alive for subsequent requests).

Horizontal Comparison of Mainstream Security Protocols

We have explored all the major security protocols. Below, we provide a summary comparison of these OSI Model Encryption protocols based on key dimensions such as working layer, core scenarios, and protection scope:

Protocol	Working Layer (OSI)	Core Application Scenario	Protection Scope	Encryption Algorithms (Mainstream)
MACsec	Data Link Layer	LAN Security (Data Center, Enterprise Internal Networks)	Ethernet frames, end-to-end within the link	AES-GCM
IPsec	Network Layer	Enterprise VPN (Site-to-Site, Remote Access)	IP packets, end-to-end across public networks	AES, SHA-256, RSA/ECDH
WireGuard	Network Layer	Personal VPN, Mobile Device Access, Lightweight Enterprise VPN	IP packets, end-to-end across public networks	ChaCha20-Poly1305, Curve25519
TLS	Transport Layer to Security Layer	Web Security (HTTPS), FTP/SMTP Secure Transmission	TCP connection data, end-to-end	AES/ChaCha20, SHA-256, ECDH/RSA
DTLS	Transport Layer to Security Layer	VoIP, Video Conferencing, UDP-mode VPN	UDP packets, end-to-end	Same as TLS
HTTPS	Application Layer + Transport Layer Security	Web Secure Transmission (E-commerce, Payment, Login, etc.)	Application Layer HTTP data + Transport Layer TCP connection	Same as TLS (relies on TLS encryption)

Asterfusion Platform Enhances Network Security

Asterfusion adopts different targeted approaches to enhance OSI Model Encryption performance in campus, data center, and edge router scenarios.

In the campus, the CX-M series supports hardware-level IEEE 802.1AE (MACsec) to enhance data link layer security without compromising forwarding performance.

DAI, IP Source Guard (IPv4/IPv6), and DHCPv4/v6 Snooping are employed to establish solid L2/L3 security boundaries, preventing unauthorized access and IP/MAC spoofing attacks.

Control Plane Protection (CoPP): A comprehensive CoPP policy safeguards the switch CPU from illegal protocol messages and flooding attacks, ensuring the core management plane remains stable and secure.

In data center scenarios, the CX-N series adopts secure multi-tenant isolation, leveraging VXLAN-EVPN technology to create thousands of logically isolated networks (VNI/VRF). These networks are built on a shared physical underlay (Overlay), ensuring tenants remain unaffected by each other and naturally defending against East-West traffic security threats.

In AI networks, Asterfusion supports RoCEv2 for high-performance transmission while incorporating PFC (Priority Flow Control) and ECN (Explicit Congestion Notification) technologies to prevent DoS attacks caused by network congestion.

In edge routing and gateway scenarios, to meet the high-intensity encryption demands of cross-region transmission, Asterfusion leverages high-performance DPU chips for secure offloading:

• 160Gbps hardware encryption/decryption performance: Two high-performance CN103XX DPU chips provide hardware-level encryption/decryption throughput of up to 160 Gbps, greatly reducing the computational burden on traditional CPUs when handling complex OSI Model Encryption.
• Support for mainstream protocols: Comprehensive support for popular open-source VPN and IDS/IPS protocols, adapting to various encryption transmission and security protection requirements:
  • Open-source VPN protocols: OpenVPN, WireGuard, IPSec, L2TP, Shadowsocks, Trojan, VMess, etc.
  • Open-source IDS/IPS protocols: Snort, Suricata, Zeek, etc.
• Compared to pure software solutions, the DPU acceleration significantly reduces encryption link latency while maintaining 10Gbps/100Gbps bandwidth, ensuring absolute security for public or wide-area network connections.

FAQs

Now that the encryption segment has been elaborated on, we will proceed to answer a series of relevant questions.

1. Which layer in the OSI model is responsible for encryption and decryption?

Each layer has its corresponding encryption and decryption technologies, or performs encryption and decryption indirectly. For example, the link layer uses MACsec, the network layer uses IPsec, and the application layer uses HTTP or HTTPS.

2. In which layer of the OSI model does encryption typically occur?

Encryption typically occurs in the Presentation Layer (Layer 6), where data formatting and encryption are handled.

3. What is the function of Presentation Layer in OSI Model Encryption ?

The Presentation Layer (Layer 6) in the OSI model is responsible for ensuring that data is properly formatted and presented to the application layer. It can also handle encryption and decryption, ensuring that the data is transmitted securely over the network. Encryption protocols like SSL/TLS (used for HTTPS), AES, and RSA are often employed at this layer. The main function is to ensure that sensitive data is encrypted before transmission and decrypted upon receipt, preventing unauthorized access to the information.

4. What encryption protocols are used at each OSI model layer ?

As mentioned in the article, each layer has its own encryption protocol, summarized as follows:

• Physical Layer: No encryption typically; specialized hardware may use encryption (e.g., encrypted network adapters).
• Data Link Layer: MACsec (Media Access Control Security) encrypts data on local network links.
• Network Layer: IPsec (Internet Protocol Security) encrypts IP packets and ensures their integrity and authenticity.
• Transport Layer: TLS/SSL (Transport Layer Security/Secure Sockets Layer) secures communication between hosts (e.g., HTTPS, SMTPS, FTPS).
• Session Layer: SSL/TLS protocols secure sessions, especially for web browsing and secure messaging.
• Presentation Layer: TLS/SSL, AES, and RSA encryption protect data presented to applications and handle format transformations.
• Application Layer: HTTPS, SMTPS, and FTPS secure data in applications like web browsers, email clients, and file transfers.

5. How do network security products implement encryption across the OSI model ?

Network security products implement encryption across various OSI model layers to ensure comprehensive protection of data as it travels across networks. Here’s how they typically do this:

• Physical Layer: Some network adapters and VPN devices implement hardware-level encryption to protect the integrity of the data before it enters the network.
• Data Link Layer: Products like firewalls and switches with MACsec support ensure that encrypted communication is maintained within a local network, protecting data against unauthorized access at the physical link level.
• Network Layer: IPsec VPNs are commonly used by network security products to encrypt data at the network layer, ensuring that data between networks, such as between a remote user and an internal network, is secure.
• Transport Layer: Network security products such as firewalls and load balancers can enforce the use of TLS/SSL encryption between clients and servers, ensuring secure communication in protocols like HTTPS and SMTPS.
• Session Layer: Products that manage secure sessions (e.g., SSL VPNs) use SSL/TLS to secure session establishment and ensure the confidentiality and integrity of the communication during the session.
• Presentation Layer: Encryption libraries integrated into applications, such as OpenSSL, handle encryption and decryption of data at the presentation layer to ensure it is secure before passing to the application.
• Application Layer: Security products that manage application-level encryption, such as web application firewalls (WAFs), enforce HTTPS, SMTPS, and FTPS encryption to protect sensitive data in transit.

Contact US !

• To request a proposal, send an E-Mail to bd@cloudswit.ch
• To receive timely and relevant information from Asterfusion, sign up at AsterNOS Community Portal
• To submit a case, visit Support Portal
• To find user manuals for a specific command or scenario, access AsterNOS Documentation
• To find a product or product family, visit Asterfusion-cloudswit.ch