Both the OSI model and the TCP/IP model have their uses. If you want to know how the Internet really works from a binary perspective look at the TCP/IP model. It is pretty self-explainitory. I instead would like to talk about the OSI model as it relates to security.

Two basic rules apply when using the OSI model for security: the model does not only apply to the network, and security is applied in layers. The few examples I give here will barely scratch the surface of this topic. Many books and careers are based on this design.

Starting at the lowest layer, the physical layer, you begin to look at physical security. Fencing, guards and dogs, closed circuit TV, building entrance security, network topology, how network wiring is run, critical path flow of data, water, electricity, computer room design and security, fire controls, etc.

The next layer,the data link layer, covers things such as authenticating machines before they connect to the network, arp spoofing, network switching technology, colision and broadcast domains, etc.

The network layer can cover stack smashing, IPSec, sniffing, scanning, denial of service attacks, network design schematics, DMZs and extranets, etc.

A person designing security progresses through the whole model placing the current security implimentation into their appropriate layer. This can include firewalls (gateway, personal, and application), IDS, ssl/tsl, authentication methods (passwords, smart cards, SecureID, biometrics), database modeling, policies, access control lists, disaster recovery and continuity planning, single or multi-mode fiber, toxic waste management, computer supplier contracts and warranties, forced vacations, job rotation, audits, user education, and too many more to list here. Even software design uses this model.

Once the current security has been broken up into the different layers the designer can see where the holes in the different layers are and patch them accordingly.

So you see when viewing security it is not just what comes over the wire (the TCP/IP model), but how well all layers of the OSI model are protected.