Module 1

Introduction to IP Networking

Why Networking Is the Foundation of Security

Every security control — firewalls, IDS/IPS, VPNs, endpoint agents — operates on network traffic. To defend a network you must first understand how that traffic is structured, how it flows, and what each layer is responsible for. A security professional who cannot read a packet header is guessing, not defending.

This module builds the mental model you will use throughout the entire course. Everything in the later modules — subnetting, firewalls, DNS analysis, packet captures — depends on understanding what you will learn here.

The OSI Model

The Open Systems Interconnection (OSI) model is a conceptual framework that describes how data is communicated between systems. It divides network communication into seven distinct layers, each with a well-defined responsibility. Understanding OSI helps you quickly pinpoint where a problem or attack is occurring.

Layer | Name         | Function                                               | Protocol Examples
------+--------------+--------------------------------------------------------+-----------------------------------
7     | Application  | User-facing network services                           | HTTP, HTTPS, DNS, FTP, SMTP, SSH
6     | Presentation | Data formatting, encryption, compression               | TLS/SSL, JPEG, MPEG, ASCII
5     | Session      | Establish, manage, and terminate sessions              | NetBIOS, RPC, SIP
4     | Transport    | End-to-end delivery, reliability, flow control         | TCP, UDP, SCTP
3     | Network      | Logical addressing and routing between networks        | IP (IPv4/IPv6), ICMP, OSPF, BGP
2     | Data Link    | Node-to-node transfer, MAC addressing, error detection | Ethernet, Wi-Fi (802.11), ARP, VLAN
1     | Physical     | Raw bit transmission over physical medium              | Copper, Fiber, Radio (RF)

Security Relevance of Each Layer

Attacks target specific layers: ARP spoofing targets Layer 2, IP spoofing targets Layer 3, SYN floods target Layer 4, and application-layer attacks (SQL injection, XSS) target Layer 7. Knowing the layer tells you which tool or control is relevant.

OSI Data Encapsulation

As data travels down the OSI stack from sender to receiver, each layer wraps the data with its own header (and sometimes a trailer). This process is called encapsulation. The layer-specific name for the data unit at each layer is:

  • Layer 7–5: Data (message)
  • Layer 4 (Transport): Segment (TCP) or Datagram (UDP)
  • Layer 3 (Network): Packet
  • Layer 2 (Data Link): Frame
  • Layer 1 (Physical): Bits

At the receiving end, the process reverses — each layer strips its header (de-encapsulation) and passes the payload up to the layer above.

The TCP/IP Model

The TCP/IP model predates OSI and is the practical model that the internet actually uses. It condenses the seven OSI layers into four. When engineers and security professionals talk about networking, they typically use the TCP/IP model.

TCP/IP Layer   | Maps to OSI Layers | Responsibility
---------------+--------------------+------------------------------------------------------------
Application    | OSI 5–7            | User-facing protocols: HTTP, DNS, FTP, SSH, SMTP
Transport      | OSI 4              | End-to-end data transfer: TCP and UDP
Internet       | OSI 3              | Logical addressing and routing: IP, ICMP
Network Access | OSI 1–2            | Physical transmission and local delivery: Ethernet, Wi-Fi

IP Addressing

An IP address is a logical identifier assigned to a network interface. It exists at Layer 3 (Network/Internet layer) and enables routing between different networks. Every packet carries a source IP and a destination IP in its header.

IPv4

IPv4 addresses are 32-bit numbers written as four decimal octets separated by dots — for example, 192.168.1.10. The total address space is approximately 4.3 billion unique addresses, which is now exhausted for public internet use.

Private vs Public

Private IP ranges (RFC 1918) — 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 — are used inside organizations and are not routable on the public internet. Your home router assigns you a private address and uses NAT to share a single public IP for internet access. Module 2 covers subnetting these ranges in depth.

IPv6

IPv6 addresses are 128-bit numbers written as eight groups of four hexadecimal digits separated by colons — for example, 2001:0db8:85a3::8a2e:0370:7334. The address space is effectively unlimited (3.4 × 10^38 addresses). IPv6 eliminates the need for NAT and includes built-in address autoconfiguration (SLAAC).

Special Addresses

Address         | Meaning
----------------+-----------------------------------------------------------
127.0.0.1       | IPv4 loopback — always refers to the local machine
::1             | IPv6 loopback
0.0.0.0         | Unspecified / any address (used in server bindings)
255.255.255.255 | Limited broadcast (sent to all hosts on the local network)
169.254.x.x     | APIPA — automatically assigned when DHCP fails
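The categories in the three sections above (RFC 1918 private ranges, IPv6 text forms, and the special addresses) are exactly what a log parser or an outbound-connection filter needs to recognise. The following is an added example written for this module, not part of the course material. It uses only the standard library `ipaddress` module; the RFC 1918 ranges are listed explicitly rather than via `ip.is_private`, because Python's `is_private` also covers reserved blocks this module does not discuss. The sample addresses are constructed, and 203.0.113.7 (a documentation range) stands in for an ordinary routable address.

```python
"""Classify IPv4/IPv6 addresses into the categories this module describes."""
import ipaddress

# RFC 1918 private ranges, exactly as listed in the text.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def classify(text):
    """Return a short label describing what kind of address 'text' is.

    Raises ValueError for strings that are not valid IP addresses, so a caller
    never silently treats garbage as 'public'.
    """
    ip = ipaddress.ip_address(text)           # IPv4Address or IPv6Address
    if ip.is_unspecified:                     # 0.0.0.0 or ::
        return "unspecified (bind to any address)"
    if ip.is_loopback:                        # 127.0.0.0/8 or ::1
        return "loopback"
    if ip == LIMITED_BROADCAST:
        return "limited broadcast"
    if ip.is_link_local:                      # 169.254.0.0/16 (APIPA) or fe80::/10
        return "link-local (APIPA)" if ip.version == 4 else "link-local"
    if ip.version == 4 and any(ip in net for net in RFC1918):
        return "private (RFC 1918)"
    return "public (routable)"


def canonical(text):
    """Canonical text form: IPv6 compressed (leading zeros and the longest
    zero run removed), IPv4 unchanged."""
    return ipaddress.ip_address(text).compressed


def address_bits(text):
    """32 for IPv4, 128 for IPv6 (the prefix length of a single host)."""
    return ipaddress.ip_address(text).max_prefixlen


if __name__ == "__main__":
    # Constructed samples; 203.0.113.7 is from the documentation range and
    # stands in for an ordinary public address.
    samples = ["192.168.1.10", "10.0.0.5", "172.31.255.1", "127.0.0.1", "::1",
               "0.0.0.0", "255.255.255.255", "169.254.3.4", "203.0.113.7",
               "2001:0db8:85a3::8a2e:0370:7334"]
    for s in samples:
        print(f"{s:32} {canonical(s):30} /{address_bits(s):<3} {classify(s)}")
```

Note that 172.31.255.1 is private while 172.32.0.1 is not: the /12 covers 172.16 through 172.31 only, which is the most common mistake when these ranges are hand-coded.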

TCP — Transmission Control Protocol

TCP is the most important transport-layer protocol for understanding network security. It provides reliable, ordered, and error-checked delivery of a stream of bytes between applications. Most application protocols — HTTP, HTTPS, SSH, FTP, SMTP — run over TCP.

TCP Three-Way Handshake

Before data can flow, TCP establishes a connection through a three-way handshake. Understanding this is critical — many attacks exploit or abuse this process.

Step 1 — SYN: Client sends a TCP segment with the SYN flag set and a random Initial Sequence Number (ISN). "I want to connect."

Step 2 — SYN-ACK: Server responds with SYN and ACK flags set, acknowledging the client's ISN and sending its own ISN. "I accept. Here is my sequence number."

Step 3 — ACK: Client acknowledges the server's ISN. Connection is now established. Data can flow in both directions.

SYN Flood Attack

Attackers exploit the handshake by sending thousands of SYN packets without completing the handshake. The server allocates resources for each half-open connection, eventually exhausting its state table and refusing legitimate connections. This is a classic DoS attack. SYN cookies are the primary defense.
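To make the handshake arithmetic and the SYN cookie defense concrete, here is an added example written for this module (not course material). It simulates the three segments with their sequence and acknowledgment numbers, a classic listener that stores one half-open entry per SYN until the final ACK arrives, and a cookie-based listener that encodes the connection into its own ISN so nothing is stored until a valid ACK proves the client is real. The cookie layout (8-bit time tick plus 24 bits of HMAC) is a simplified illustration and is not the exact algorithm any operating system uses; the addresses and the secret are constructed.

```python
"""TCP three-way handshake, half-open exhaustion, and SYN cookies (simulated)."""
import hashlib
import hmac
import os
import random

MOD32 = 1 << 32                 # sequence numbers wrap at 2^32


def handshake(client_isn, server_isn):
    """Return the three segments of a normal handshake as dicts."""
    syn = {"flags": "SYN", "seq": client_isn, "ack": None}
    syn_ack = {"flags": "SYN-ACK", "seq": server_isn, "ack": (client_isn + 1) % MOD32}
    ack = {"flags": "ACK", "seq": (client_isn + 1) % MOD32, "ack": (server_isn + 1) % MOD32}
    return syn, syn_ack, ack


class StatefulListener:
    """Classic behaviour: one half-open entry is stored per SYN until the ACK."""

    def __init__(self, backlog):
        self.backlog = backlog
        self.half_open = {}                       # (src_ip, src_port) -> server ISN

    def on_syn(self, src_ip, src_port, client_isn):
        if len(self.half_open) >= self.backlog:
            return None                           # table full: the SYN is dropped
        isn = random.getrandbits(32)
        self.half_open[(src_ip, src_port)] = isn
        return isn                                # sent back in the SYN-ACK

    def on_ack(self, src_ip, src_port, ack_num):
        isn = self.half_open.pop((src_ip, src_port), None)
        return isn is not None and ack_num == (isn + 1) % MOD32


class CookieListener:
    """SYN-cookie behaviour: the server ISN *is* the state. Nothing is stored
    until an ACK arrives that carries a cookie only this server could have made."""

    def __init__(self, secret=None):
        self.secret = secret or os.urandom(16)    # constructed per-process secret
        self.established = set()

    def _cookie(self, src_ip, src_port, client_isn, tick):
        # tick: coarse clock (e.g. minutes) so old cookies stop validating
        msg = f"{src_ip}|{src_port}|{client_isn}|{tick}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        # Illustrative layout: 8-bit tick in the top byte, 24 bits of MAC below.
        return ((tick & 0xFF) << 24) | int.from_bytes(mac[:3], "big")

    def on_syn(self, src_ip, src_port, client_isn, tick):
        return self._cookie(src_ip, src_port, client_isn, tick)   # used as server ISN

    def on_ack(self, src_ip, src_port, seq, ack_num, tick):
        client_isn = (seq - 1) % MOD32            # client's ISN + 1 was sent as seq
        cookie = (ack_num - 1) % MOD32            # our ISN + 1 was sent as ack
        for t in (tick, tick - 1):                # accept this tick or the previous one
            expected = self._cookie(src_ip, src_port, client_isn, t)
            if (t & 0xFF) == cookie >> 24 and hmac.compare_digest(
                    expected.to_bytes(4, "big"), cookie.to_bytes(4, "big")):
                self.established.add((src_ip, src_port))
                return True
        return False


def exhaustion_demo(backlog=4, unanswered_syns=10):
    """Fill a stateful listener with SYNs that are never completed, then let one
    legitimate client try both listeners. Returns (stateful_ok, cookie_ok)."""
    stateful, cookie = StatefulListener(backlog), CookieListener()
    for i in range(unanswered_syns):              # constructed sources, never ACKed
        stateful.on_syn(f"198.51.100.{i}", 40000 + i, 1000 + i)
    client_isn, tick = 777, 5
    isn = stateful.on_syn("192.168.1.10", 54321, client_isn)
    stateful_ok = isn is not None and stateful.on_ack("192.168.1.10", 54321, (isn + 1) % MOD32)
    c = cookie.on_syn("192.168.1.10", 54321, client_isn, tick)
    cookie_ok = cookie.on_ack("192.168.1.10", 54321, client_isn + 1, (c + 1) % MOD32, tick)
    return stateful_ok, cookie_ok


if __name__ == "__main__":
    print(handshake(1000, 5000))
    print("stateful accepted, cookie accepted:", exhaustion_demo())
```

The trade-off the simulation also shows: the cookie listener has no memory of the SYN, so anything normally negotiated in the SYN (window scaling, selective ACK) has to be squeezed into the cookie or lost, which is why real stacks turn cookies on only once the backlog is under pressure.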

Key TCP Header Fields

Field                 | Size    | Purpose
----------------------+---------+---------------------------------------------------------
Source Port           | 16 bits | Sending application's port (ephemeral, e.g., 54321)
Destination Port      | 16 bits | Receiving application's port (well-known, e.g., 443)
Sequence Number       | 32 bits | Position of this segment in the byte stream
Acknowledgment Number | 32 bits | Next byte expected from the other side
Flags                 | 9 bits  | SYN, ACK, FIN, RST, PSH, URG — control connection state
Window Size           | 16 bits | Flow control — how many bytes the receiver can accept
Checksum              | 16 bits | Error detection over header and data
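The encapsulation walk-through in the OSI section (data, segment, packet, frame) and the TCP header table above describe the same bytes from two directions. This added example, written for this module and not part of the course, builds an Ethernet frame that carries an IPv4 packet that carries a TCP SYN, then de-encapsulates it layer by layer, verifying the IPv4 header checksum and decoding the flag bits into the names from the table. It uses only `struct` and `socket` from the standard library; the MACs (locally administered 02:... values) and addresses are constructed, and the Ethernet FCS trailer is omitted because the NIC adds it.

```python
"""Encapsulate a TCP SYN into an Ethernet frame and parse it back out."""
import socket
import struct

TCP_FLAG_NAMES = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08),
                  ("ACK", 0x10), ("URG", 0x20), ("ECE", 0x40), ("CWR", 0x80)]
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def inet_checksum(data):
    """RFC 1071 one's-complement checksum used by the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                         # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp(src_port, dst_port, seq, ack, flags, window=65535, payload=b""):
    """20-byte TCP header (data offset 5, no options) + payload."""
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       5 << 4, flags, window, 0, 0) + payload


def build_ipv4(src_ip, dst_ip, payload, ttl=64, proto=PROTO_TCP):
    """20-byte IPv4 header with a correct checksum, then the transport payload."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl,
                      proto, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    csum = inet_checksum(hdr)                  # computed with the checksum field zeroed
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def build_frame(src_mac, dst_mac, packet):
    """Ethernet II header: destination MAC, source MAC, EtherType."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + packet


def decode_flags(byte):
    return [name for name, bit in TCP_FLAG_NAMES if byte & bit]


def parse_frame(frame):
    """De-encapsulate: frame -> packet -> segment -> data. Raises ValueError when a
    layer is truncated or the IPv4 checksum fails, which is a receiver's cue to drop."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    packet = frame[14:]
    if ethertype != ETHERTYPE_IPV4 or len(packet) < 20:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4               # header length in bytes
    if inet_checksum(packet[:ihl]) != 0:       # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", packet[2:4])[0]
    ttl, proto = packet[8], packet[9]
    src_ip, dst_ip = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    segment = packet[ihl:total_len]
    if proto != PROTO_TCP or len(segment) < 20:
        raise ValueError("not a complete TCP segment")
    sport, dport, seq, ack, off, flags, window = struct.unpack("!HHIIBBH", segment[:16])
    data = segment[(off >> 4) * 4:]            # skip header and any options
    return {
        "frame": {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":")},
        "packet": {"src_ip": src_ip, "dst_ip": dst_ip, "ttl": ttl},
        "segment": {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
                    "flags": decode_flags(flags), "window": window},
        "data": data,
    }


def example_syn():
    """Encapsulate a SYN from 192.168.1.10:54321 to 203.0.113.7:443, parse it back."""
    tcp = build_tcp(54321, 443, seq=1000, ack=0, flags=0x02)
    ip = build_ipv4("192.168.1.10", "203.0.113.7", tcp)
    frame = build_frame("02:00:00:00:00:0a", "02:00:00:00:00:01", ip)
    return parse_frame(frame)


if __name__ == "__main__":
    import pprint
    pprint.pprint(example_syn())
```

The parser trusts the length and offset fields only after bounds-checking them; skipping those checks is how a crafted header turns a packet parser into a crash or an out-of-bounds read.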

UDP — User Datagram Protocol

UDP is a connectionless, unreliable transport protocol. It sends datagrams without establishing a connection, without acknowledgments, and without guaranteed ordering. In exchange, it is significantly faster and lower overhead than TCP.

Characteristic   | TCP                                            | UDP
-----------------+------------------------------------------------+--------------------------------------------------
Connection setup | 3-way handshake required                       | None — send immediately
Reliability      | Guaranteed delivery, retransmits lost segments | Best-effort, no retransmission
Ordering         | Segments reordered into correct order          | Datagrams may arrive out of order
Speed            | Slower (overhead of reliability)               | Faster (minimal overhead)
Use cases        | HTTP/S, SSH, FTP, SMTP, database connections   | DNS, DHCP, NTP, video streaming, VoIP, VPN tunnels
Header size      | 20 bytes minimum                               | 8 bytes fixed

UDP and Security

UDP's connectionless nature makes it ideal for amplification DDoS attacks. An attacker sends a small UDP request with a spoofed source IP (the victim's IP) to a service that responds with a much larger reply. The amplified response floods the victim. DNS (port 53) and NTP (port 123) are commonly abused for this.
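From the point of view of the DNS or NTP server being abused, the tell-tale sign is the ratio of bytes sent back to bytes received per claimed client. The following is an added example written for this module, not part of the course: it groups constructed UDP request/response records by claimed client and service port and reports the groups whose replies are many times larger than the requests. Because the source address on a UDP datagram is whatever the sender wrote, the address it reports is the one receiving the amplified replies (the victim), not the attacker. The record format is simplified and constructed for the demo.

```python
"""Report amplification abuse from a UDP service's own traffic records."""
from collections import defaultdict

AMPLIFIED_SERVICES = {53: "DNS", 123: "NTP"}    # the two UDP services named above

# Constructed records: (proto, claimed_client_ip, service_port, request_bytes, response_bytes)
FLOWS = [
    ("udp", "192.168.1.10", 53, 60, 120),       # ordinary lookup
    ("udp", "192.168.1.11", 53, 64, 200),
    ("udp", "203.0.113.50", 53, 45, 3800),      # tiny query, very large reply ...
    ("udp", "203.0.113.50", 53, 45, 3800),      # ... repeated again and again
    ("udp", "203.0.113.50", 53, 45, 3800),
    ("udp", "203.0.113.50", 53, 45, 3800),
    ("udp", "203.0.113.50", 53, 45, 3800),
    ("udp", "203.0.113.50", 123, 8, 440),       # same address, one large NTP reply
    ("tcp", "192.168.1.12", 53, 80, 3800),      # large reply over TCP: ignored, see below
]


def amplification_report(flows, min_ratio=10.0, min_count=3):
    """Group UDP request/response pairs by (claimed client, service port) and return
    the groups whose replies total at least min_ratio times the requests across at
    least min_count pairs. TCP is skipped: its handshake means the client address
    cannot be spoofed the way a single UDP datagram's source can."""
    groups = defaultdict(lambda: {"count": 0, "in": 0, "out": 0})
    for proto, client, port, req_bytes, resp_bytes in flows:
        if proto != "udp" or port not in AMPLIFIED_SERVICES:
            continue
        g = groups[(client, port)]
        g["count"] += 1
        g["in"] += req_bytes
        g["out"] += resp_bytes
    report = []
    for (client, port), g in groups.items():
        ratio = g["out"] / g["in"] if g["in"] else float("inf")
        if g["count"] >= min_count and ratio >= min_ratio:
            report.append({"target": client, "service": AMPLIFIED_SERVICES[port],
                           "responses": g["count"], "amplification": round(ratio, 1)})
    return sorted(report, key=lambda r: -r["amplification"])


if __name__ == "__main__":
    for r in amplification_report(FLOWS):
        print(f"{r['target']} is receiving {r['service']} replies amplified "
              f"{r['amplification']}x across {r['responses']} responses")
```

The same (client, service) grouping is what a server-side response rate limit keys on: once a claimed client has received more than its share of large replies, further replies to it are dropped or truncated so that the service stops being a useful amplifier.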

ICMP — Internet Control Message Protocol

ICMP is a Layer 3 protocol used for network diagnostics and error reporting. It does not carry application data — it carries control messages between network devices. ICMP operates alongside IP, not on top of TCP or UDP.

Common ICMP Message Types

Type | Name                    | Common Use
-----+-------------------------+-------------------------------------------------------
0    | Echo Reply              | Response to a ping request
3    | Destination Unreachable | Router cannot deliver packet; code field explains why
8    | Echo Request            | Ping — tests reachability
11   | Time Exceeded           | TTL expired in transit (used by traceroute)
12   | Parameter Problem       | Invalid IP header field

Ping and Traceroute

Ping sends ICMP Echo Requests (type 8) and measures round-trip time to the destination. It confirms the host is reachable and gives a rough measure of latency.

Traceroute exploits TTL to map the path to a destination. It sends packets with TTL=1 (expires at the first hop), then TTL=2 (expires at the second hop), and so on. Each router that discards an expired packet sends back an ICMP Time Exceeded message, revealing its IP address.

ICMP and Firewalls

Many firewalls block inbound ICMP Echo Requests to prevent host enumeration via ping sweeps. However, blocking ICMP entirely is not recommended — ICMP Unreachable messages are needed for Path MTU Discovery (PMTUD), and blocking them can cause mysterious TCP connectivity issues (a well-known problem called PMTUD blackhole).

Ports and Well-Known Services

Port numbers identify specific applications or services on a host. The combination of IP address + port number + protocol is called a socket, which uniquely identifies a network endpoint.

Port Range    | Category                  | Examples
--------------+---------------------------+---------------------------------------------------------------
0 – 1023      | Well-known / system ports | HTTP 80, HTTPS 443, SSH 22, DNS 53, FTP 21, SMTP 25
1024 – 49151  | Registered ports          | RDP 3389, MySQL 3306, PostgreSQL 5432, Redis 6379
49152 – 65535 | Ephemeral / dynamic ports | Assigned by the OS to client sockets for outbound connections

Security-Critical Ports to Know

Port | Protocol | Service | Security Note
-----+----------+---------+----------------------------------------------------------------------------------
22   | TCP      | SSH     | Secure remote shell — should never be open to the internet without MFA/key auth
23   | TCP      | Telnet  | Unencrypted — never use; block everywhere
25   | TCP      | SMTP    | Mail relay — misconfigured servers become spam relays (open relay vulnerability)
53   | UDP/TCP  | DNS     | Used for DNS tunneling and amplification DDoS; monitor for anomalies
80   | TCP      | HTTP    | Unencrypted web — never transmit credentials or sensitive data
443  | TCP      | HTTPS   | Encrypted web — SSL inspection needed to see the payload inside
389  | TCP/UDP  | LDAP    | Directory services — plaintext; use LDAPS (636) instead
3389 | TCP      | RDP     | Remote Desktop — frequently targeted by brute-force and ransomware
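A socket is address + port + protocol, and the two tables above are what you compare a host's listening sockets against. This added example, written for this module and not part of the course, parses a few constructed lines laid out like the output of `ss -tuln` on Linux, classifies each port into its range, and reports listeners on the security-critical ports that are reachable from other hosts (bound to a wildcard or a non-loopback address). A risky port bound only to 127.0.0.1 is deliberately not reported. The risk notes are taken from the table; the socket list is constructed.

```python
"""Audit listening sockets against the port tables in this module."""
import ipaddress

# Port -> note, taken from the "Security-Critical Ports" table and the
# registered-port examples in the port-range table.
RISKY_PORTS = {
    22: "SSH: must not be internet-facing without key auth/MFA",
    23: "Telnet: unencrypted, block everywhere",
    80: "HTTP: unencrypted, no credentials over it",
    389: "LDAP: plaintext, use LDAPS (636)",
    3389: "RDP: brute-force and ransomware target",
    3306: "MySQL: registered database port exposed beyond localhost",
    5432: "PostgreSQL: registered database port exposed beyond localhost",
    6379: "Redis: registered database port exposed beyond localhost",
}

# Constructed sample in the column layout of `ss -tuln` (header line included).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:23          0.0.0.0:*
tcp   LISTEN 0      511    127.0.0.1:6379      0.0.0.0:*
tcp   LISTEN 0      128    [::]:3389           [::]:*
tcp   LISTEN 0      100    192.168.1.10:8080   0.0.0.0:*
"""


def port_category(port):
    """Map a port number to the range table above."""
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "ephemeral"


def split_endpoint(text):
    """'[::]:3389' -> ('::', 3389); '127.0.0.53%lo:53' -> ('127.0.0.53', 53)."""
    host, _, port = text.rpartition(":")
    host = host.strip("[]").split("%")[0]       # drop brackets and a Linux scope id
    return host, int(port)


def reachable_beyond_localhost(host):
    """True for wildcard binds and any non-loopback address."""
    if host in ("*", "0.0.0.0", "::"):
        return True
    return not ipaddress.ip_address(host).is_loopback


def parse_ss(output):
    """Turn ss-style text into socket dicts (proto, addr, port, category)."""
    sockets = []
    for line in output.splitlines()[1:]:        # skip the header line
        cols = line.split()
        if len(cols) < 6:
            continue
        host, port = split_endpoint(cols[4])
        sockets.append({"proto": cols[0], "addr": host, "port": port,
                        "category": port_category(port)})
    return sockets


def audit(sockets):
    """Sockets that are both on a risky port and reachable from other hosts."""
    return [dict(s, note=RISKY_PORTS[s["port"]]) for s in sockets
            if s["port"] in RISKY_PORTS and reachable_beyond_localhost(s["addr"])]


if __name__ == "__main__":
    for f in audit(parse_ss(SAMPLE_SS_OUTPUT)):
        print(f"{f['proto']}/{f['port']} on {f['addr']} ({f['category']}): {f['note']}")
```

Run against real `ss -tuln` output the parser needs no changes; only the wildcard set would grow if your platform prints `*` differently.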

Basic Routing Concepts

Routing is the process of forwarding packets from one network to another. Routers operate at Layer 3 and make forwarding decisions based on the destination IP address and their routing table.

How a Router Forwards a Packet

Step 1 — Read the destination: The router receives a packet and reads the destination IP address from the IP header.

Step 2 — Look up the route: It looks up the destination in its routing table. The most specific matching route (longest prefix match) wins. A /28 beats a /24, which beats a /0 (default route).

Step 3 — Forward or reject: If a match is found, the router forwards the packet out the interface toward the next hop. If no match is found (and no default route), the packet is dropped and an ICMP Destination Unreachable is sent back.

Step 4 — Decrement the TTL: The router decrements the IP TTL (Time to Live) field by 1. If TTL reaches 0, the router drops the packet and sends an ICMP Time Exceeded message — this prevents routing loops from circulating forever.

Default Gateway

End hosts (PCs, servers) do not have routing tables for every network on the internet. Instead, they have a single default gateway — the IP address of the local router. Any traffic destined for an IP outside the local subnet is sent to the default gateway, which takes responsibility for routing it further.
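The forwarding steps, the default gateway, and the traceroute mechanism from the ICMP section are all one small algorithm, so here they are together as an added example written for this module (not course material). Each `Router` holds a routing table, answers lookups by longest prefix match, decrements the TTL and returns the ICMP error a real router would send (type 11 Time Exceeded, type 3 Destination Unreachable). The TTL check is done before the route lookup, which is the order a real router uses and is the detail that makes traceroute work. The four-router topology, the two-router loop, and all addresses are constructed; a host's default gateway is simply the first hop handed to `send`.

```python
"""Longest-prefix-match routing, TTL handling, ICMP errors and traceroute, simulated."""
import ipaddress

ICMP_DEST_UNREACHABLE = 3
ICMP_TIME_EXCEEDED = 11


class Router:
    def __init__(self, address, routes):
        self.address = address                        # source of any ICMP error it sends
        # routes: (prefix, next_hop); next_hop None means directly connected
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def lookup(self, dst):
        """Longest prefix match: of all routes containing dst, the one with the
        longest prefix wins (a /28 beats a /24, which beats the /0 default)."""
        dst = ipaddress.ip_address(dst)
        matches = [(net, nh) for net, nh in self.routes if dst in net]
        return max(matches, key=lambda m: m[0].prefixlen) if matches else None

    def forward(self, packet):
        """Mutates packet['ttl']. Returns ('next_hop', addr), ('delivered', dst)
        or ('icmp', type, router_address)."""
        packet["ttl"] -= 1
        if packet["ttl"] == 0:                        # expired here: never forwarded
            return ("icmp", ICMP_TIME_EXCEEDED, self.address)
        route = self.lookup(packet["dst"])
        if route is None:                             # no match and no default route
            return ("icmp", ICMP_DEST_UNREACHABLE, self.address)
        _, next_hop = route
        return ("delivered", packet["dst"]) if next_hop is None else ("next_hop", next_hop)


def send(topology, first_hop, dst, ttl):
    """Carry one packet from the host's default gateway hop by hop until it is
    delivered or some router answers with ICMP."""
    packet = {"dst": dst, "ttl": ttl}
    router = topology[first_hop]
    while True:
        result = router.forward(packet)
        if result[0] != "next_hop":
            return result
        router = topology[result[1]]


def traceroute(topology, gateway, dst, max_hops=30):
    """Send with TTL=1, 2, 3, ...; each Time Exceeded reveals one router."""
    path = []
    for ttl in range(1, max_hops + 1):
        result = send(topology, gateway, dst, ttl)
        if result[0] == "icmp" and result[1] == ICMP_TIME_EXCEEDED:
            path.append(result[2])
            continue
        if result[0] == "delivered":
            path.append(result[1])
        else:
            path.append(f"unreachable (ICMP type {result[1]} from {result[2]})")
        return path
    return path


# Constructed topology keyed by router address. 192.168.1.1 is the hosts' default gateway.
TOPOLOGY = {
    "192.168.1.1": Router("192.168.1.1", [("192.168.1.0/24", None), ("0.0.0.0/0", "10.0.0.2")]),
    "10.0.0.2": Router("10.0.0.2", [("10.0.0.0/30", None),
                                    ("203.0.113.0/24", "10.0.1.2"),     # general route
                                    ("203.0.113.16/28", "10.0.2.2"),    # more specific wins
                                    ("0.0.0.0/0", "10.0.1.2")]),
    "10.0.1.2": Router("10.0.1.2", [("203.0.113.0/24", None)]),         # no default route
    "10.0.2.2": Router("10.0.2.2", [("203.0.113.16/28", None)]),
}

# Two routers whose default routes point at each other: only the TTL stops the packet.
LOOP = {
    "10.9.0.1": Router("10.9.0.1", [("0.0.0.0/0", "10.9.0.2")]),
    "10.9.0.2": Router("10.9.0.2", [("0.0.0.0/0", "10.9.0.1")]),
}

if __name__ == "__main__":
    print(traceroute(TOPOLOGY, "192.168.1.1", "203.0.113.20"))
    print(traceroute(TOPOLOGY, "192.168.1.1", "198.51.100.9"))
    print(send(LOOP, "10.9.0.1", "198.51.100.9", 64))
```

Tracing to 203.0.113.20 and to 203.0.113.5 from the same gateway takes different third hops purely because of the /28 entry on 10.0.0.2; that is longest prefix match doing its job, and it is also why a mistakenly injected more-specific route silently diverts traffic.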

ARP — Address Resolution Protocol

Before a host can send a frame to another host on the same subnet, it needs the destination's MAC address. ARP resolves an IP address to its MAC address. The host broadcasts "Who has IP 192.168.1.1? Tell 192.168.1.10" and the owner of that IP replies with its MAC address. The mapping is cached in the ARP table for a short period.

ARP Spoofing

ARP has no authentication — any host can respond to an ARP request claiming any IP. An attacker can poison ARP caches by sending unsolicited ARP replies associating their MAC address with the default gateway IP. Traffic intended for the gateway is then sent to the attacker — a classic man-in-the-middle position. We cover detecting this in Module 5.
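Because ARP replies carry no authentication, the only defensive handle is consistency: a reply that contradicts the mapping already learned for an address, or a reply nobody asked for, is worth an alert. The following is an added example written for this module, not part of the course and not the Module 5 material. It runs a monitor over constructed ARP packets (dicts with the fields a capture tool exposes; op 1 = request, op 2 = reply; locally administered 02:... MACs) and flags replies that change the gateway's MAC or arrive without a matching request.

```python
"""Flag ARP cache poisoning from a stream of ARP packets."""

GATEWAY_IP = "192.168.1.1"      # the mapping most worth protecting


class ArpMonitor:
    def __init__(self, watched=(GATEWAY_IP,), window=2.0):
        self.table = {}            # ip -> first MAC learned from a reply
        self.requests = {}         # target ip -> time of the last request for it
        self.watched = set(watched)
        self.window = window       # seconds a reply may lag the request it answers
        self.alerts = []

    def observe(self, pkt):
        """Feed one ARP packet; returns the alert raised for it, if any."""
        t = pkt["time"]
        if pkt["op"] == 1:                                # "Who has X? Tell Y"
            self.requests[pkt["target_ip"]] = t
            return None
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]     # "X is at MAC"
        asked_at = self.requests.get(ip)
        unsolicited = asked_at is None or t - asked_at > self.window
        known = self.table.setdefault(ip, mac)            # keep the first mapping
        alert = None
        if known != mac:
            alert = {"time": t, "ip": ip, "reason": "mac-change", "old": known,
                     "new": mac, "unsolicited": unsolicited, "watched": ip in self.watched}
        elif unsolicited and ip in self.watched:
            alert = {"time": t, "ip": ip, "reason": "unsolicited-reply", "old": known,
                     "new": mac, "unsolicited": True, "watched": True}
        if alert:
            self.alerts.append(alert)
        return alert


# Constructed capture: a normal resolution of the gateway, then two replies from a
# different MAC that nobody asked for, then an unrelated normal exchange.
PACKETS = [
    {"time": 0.0, "op": 1, "sender_ip": "192.168.1.10", "sender_mac": "02:00:00:00:00:0a", "target_ip": "192.168.1.1"},
    {"time": 0.1, "op": 2, "sender_ip": "192.168.1.1",  "sender_mac": "02:00:00:00:00:01", "target_ip": "192.168.1.10"},
    {"time": 5.0, "op": 2, "sender_ip": "192.168.1.1",  "sender_mac": "02:00:00:00:00:99", "target_ip": "192.168.1.10"},
    {"time": 5.5, "op": 2, "sender_ip": "192.168.1.1",  "sender_mac": "02:00:00:00:00:99", "target_ip": "192.168.1.20"},
    {"time": 9.0, "op": 1, "sender_ip": "192.168.1.20", "sender_mac": "02:00:00:00:00:14", "target_ip": "192.168.1.30"},
    {"time": 9.1, "op": 2, "sender_ip": "192.168.1.30", "sender_mac": "02:00:00:00:00:1e", "target_ip": "192.168.1.20"},
]


def run(packets):
    """Run the monitor over a packet list and return every alert raised."""
    mon = ArpMonitor()
    for p in packets:
        mon.observe(p)
    return mon.alerts


if __name__ == "__main__":
    for a in run(PACKETS):
        print(f"{a['time']:.1f}s {a['reason']} for {a['ip']}: {a['old']} -> {a['new']}"
              f"{' (unsolicited)' if a['unsolicited'] else ''}")
```

Two caveats a monitor like this needs: a legitimate gateway hardware replacement raises the same mac-change alert, so treat it as a prompt to verify rather than proof; and the first mapping it learns is trusted, so it should be started (or seeded with the known gateway MAC) before it can be fed a bad one.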

What's Next

You now understand how the internet is structured — OSI layers, IP addressing, TCP vs UDP, ICMP, ports, and basic routing. Module 2 builds directly on this foundation with subnetting and CIDR — the math and logic behind dividing IP networks into manageable, secure segments.