A Global Exchange for Quality Technology Products
June 24, 2009

What Is the TCP/IP Communication Protocol Model and Its Layers?

The TCP/IP protocol is widely used throughout the world to provide network communications. The TCP/IP model is composed of the following four layers, each having its own security controls that provide different types of protection: Application, Transport, Network, and Data Link.

Application layer, which sends and receives data for particular applications. Separate controls must be established for each application; this provides a very high degree of control and flexibility over each application’s security, but it may be very resource-intensive. Inventing new application layer security controls can also create vulnerabilities. Another potential issue is that some applications may not be capable of providing such protection or of being modified to do so.

Transport layer, which provides connection-oriented or connectionless services for transporting application layer services across networks. Controls at this layer can protect the data in a single communications session between two hosts. The most frequently used transport layer control is SSL, which most often secures HTTP traffic but is also used to implement VPNs. To be used, transport layer controls must be supported by both the clients and servers. SSL portal VPNs operate at the transport layer.

Network layer, which routes packets across networks. Controls at this layer apply to all applications and are not application-specific, so applications do not have to be modified to use the controls. However, network layer controls provide less control and flexibility for protecting specific applications than transport and application layer controls. Network layer controls can protect both the data within packets and the IP information for each packet. IPsec VPNs operate at the network layer. SSL tunnel VPNs, since they can secure both TCP and UDP traffic, also operate as network layer VPNs.

Data link layer, which handles communications on the physical network components. Data link layer controls are suitable for protecting a specific physical link, such as a dedicated circuit between two buildings or a dial-up modem connection to an ISP. Because each physical link must be secured separately, data link layer controls generally are not feasible for protecting connections that involve several links, such as connections across the Internet.
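
An added example, not part of the original post: the Python sketch below parses three constructed frames (plaintext HTTP, an SSL/TLS record over TCP, and an IPsec ESP packet) and reports what an on-path observer can still read at each layer. It shows that a transport layer control leaves addresses and ports visible, while a network layer control also hides the transport header. All MAC and IP addresses, ports, the SPI and the zero-filled stand-in ciphertext are constructed sample values, and the record detection is a simple heuristic.

```python
import struct

def build_frame(proto: int, l4: bytes) -> bytes:
    """Constructed sample: Ethernet II + 20-byte IPv4 header (checksum left 0)."""
    eth = bytes.fromhex("020000000002" "020000000001") + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return eth + ip + l4

def tcp(dport: int, payload: bytes) -> bytes:
    """20-byte TCP header (data offset 5, PSH|ACK, checksum left 0) plus payload."""
    return struct.pack("!HHIIBBHHH", 49152, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload

def observe(frame: bytes) -> dict:
    """Return what an on-path observer can still read, keyed by TCP/IP layer."""
    seen = {"link": frame[0:6].hex(":") + " <- " + frame[6:12].hex(":")}
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
    seen["network"] = f"{src} -> {dst} proto={proto}"
    l4 = frame[14 + ihl:]
    if proto == 50:  # ESP: only SPI and sequence number are in the clear
        spi, seq = struct.unpack("!II", l4[:8])
        seen["network"] += f" spi={spi:#x} seq={seq}"
        seen["transport"] = seen["application"] = "hidden (inside ESP)"
    elif proto == 6:  # TCP: ports are always readable, payload depends on SSL/TLS
        sport, dport = struct.unpack("!HH", l4[:4])
        data = l4[(l4[12] >> 4) * 4:]
        seen["transport"] = f"tcp {sport} -> {dport}"
        # Heuristic: record header = content type 20..23, major version 3
        if len(data) >= 5 and 20 <= data[0] <= 23 and data[1] == 3:
            seen["application"] = "hidden (SSL/TLS record)"
        else:
            seen["application"] = data.split(b"\r\n")[0].decode("ascii", "replace")
    return seen

# Constructed samples; zero bytes stand in for ciphertext.
PLAIN = build_frame(6, tcp(80, b"GET /payroll HTTP/1.1\r\nHost: example.test\r\n\r\n"))
TLS = build_frame(6, tcp(443, bytes([23, 3, 3, 0, 16]) + bytes(16)))
ESP = build_frame(50, struct.pack("!II", 0x1001, 1) + bytes(32))  # outer header = tunnel endpoints

if __name__ == "__main__":
    for name, frame in (("plain", PLAIN), ("tls", TLS), ("esp", ESP)):
        print(name, observe(frame))
```

In every case the data link addresses stay readable, which is why a data link layer control has to be applied separately on each physical link.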
