
Networking Basics for Cybersecurity Beginners

Every cybersecurity attack travels over a network. Every defense involves understanding how that network functions. Before you can protect systems, you need to understand how they communicate.

This page explains the core networking concepts that appear repeatedly in cybersecurity work — written for people who have never configured a router or read a packet.

What Is Networking and Why Does It Matter for Cybersecurity?


According to CompTIA’s Security+ SY0-701 exam objectives, networking concepts underpin multiple exam domains, and the CompTIA A+ Core 1 (220-1101) dedicates an entire domain to networking fundamentals, making it one of the most tested topics for entry-level IT and security professionals.

Security professionals need networking knowledge for practical reasons:

  • Threat detection requires recognizing abnormal traffic patterns — which means you need to know what normal looks like
  • Incident response involves tracing how an attacker moved through a network
  • Firewall configuration requires understanding ports, protocols, and traffic flow
  • Vulnerability scanning tools like Nmap operate at the network layer
  • Certifications — both CompTIA A+ and Security+ have significant networking content

You do not need to become a network engineer. You need enough to understand what is happening when you look at a packet capture or configure a firewall rule.

I’ll be honest — the OSI model nearly broke me. Seven layers, each with abstract names and functions that felt completely disconnected from anything I’d ever done in real estate or aged care. I read the same table three times and nothing stuck. Then I opened Wireshark in my home lab, captured some traffic, and watched an actual HTTP request travel through the layers. Suddenly “Transport” wasn’t just a word in a table — it was TCP doing a three-way handshake right in front of me. That was the moment networking went from memorisation to understanding.

The OSI model is a seven-layer conceptual framework standardised by ISO/IEC 7498-1 that describes how data moves between networked applications, providing a universal reference model used across the cybersecurity industry to identify which layer an attack targets.

The OSI (Open Systems Interconnection) model is a conceptual framework that describes how data moves from an application on one computer to an application on another. It has seven layers, each handling a specific function.

Layer  Name          What it does                     Example
7      Application   End-user communication           HTTP, DNS, FTP
6      Presentation  Data formatting, encryption      TLS/SSL, JPEG
5      Session       Managing connections             NetBIOS, RPC
4      Transport     Reliable delivery, flow control  TCP, UDP
3      Network       Addressing and routing           IP, ICMP
2      Data Link     Node-to-node delivery            Ethernet, MAC
1      Physical      Electrical signals, cables       CAT6, fiber, WiFi

[Figure: The 7 Layers of the OSI Model. Data travels down through the layers when sending and up through the layers when receiving. Panels: Layer 7 Application (HTTP, DNS, FTP); Layer 6 Presentation (TLS/SSL, JPEG, encryption); Layer 5 Session (NetBIOS, RPC); Layer 4 Transport (TCP, UDP); Layer 3 Network (IP, ICMP, routing); Layer 2 Data Link (Ethernet, MAC addresses); Layer 1 Physical (CAT6, fiber, WiFi signals).]

Most attacks target specific layers. SQL injection attacks the Application layer. ARP spoofing attacks the Data Link layer. IP spoofing attacks the Network layer. When you read about an attack, the OSI model helps you understand where it occurs and what defenses apply.

A common memory device for the layer order (top to bottom): “All People Seem To Need Data Processing.”

The TCP/IP model is the four-layer protocol suite defined by IETF RFC 1122 that underpins virtually all modern internet communication, making it the practical networking standard that security professionals encounter in every packet capture and firewall rule.

While OSI is the theoretical framework, TCP/IP is what networks actually use. It has four layers that map roughly to the OSI model:

TCP/IP Layer    Maps to OSI Layers  Protocols
Application     5, 6, 7             HTTP, HTTPS, DNS, SMTP, FTP, SSH
Transport       4                   TCP, UDP
Internet        3                   IP, ICMP, ARP
Network Access  1, 2                Ethernet, Wi-Fi

TCP (Transmission Control Protocol) establishes a connection before sending data and confirms delivery. It is reliable but slower. Used for web browsing, email, file transfers.

UDP (User Datagram Protocol) sends data without confirming delivery. It is faster but unreliable. Used for video streaming, DNS queries, VoIP.

In security, understanding TCP vs UDP helps you analyze packet captures and understand why certain attacks work. For example, DNS amplification attacks exploit the fact that DNS uses UDP.

TCP vs UDP

TCP: reliable, ordered delivery
  • Confirms every packet arrived
  • Guarantees correct order
  • Built-in error correction
  • Slower due to handshake overhead
  • Used by HTTP, SSH, SMTP, FTP

UDP: fast, connectionless
  • No connection setup needed
  • Lower latency for real-time data
  • No delivery guarantee
  • Packets can arrive out of order
  • Used by DNS, VoIP, streaming

Verdict: Use TCP when data must arrive intact. Use UDP when speed matters more than reliability.

Use TCP when… web browsing, email, file transfers, remote access
Use UDP when… video streaming, DNS queries, VoIP, online gaming
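The anecdote above describes watching a TCP three-way handshake in Wireshark. The following script is an added example, not code from the original page: it builds three constructed Ethernet/IPv4/TCP frames for a handshake, then decodes them layer by layer (Ethernet at layer 2, IPv4 at layer 3, TCP at layer 4), which is exactly what a packet dissector does. All MAC and IP addresses, ports and sequence numbers are made up; the server sits in the 203.0.113.0/24 documentation range and the destination MAC is that of the local gateway, because a LAN host never sees the remote server's MAC.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
# TCP flag bits, low byte of the flags field
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def _mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def _ipv4_str(b):
    return ".".join(str(x) for x in b)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, ack, flags):
    """Build a constructed Ethernet/IPv4/TCP frame with no payload.

    Checksums are left at zero: these frames are only decoded locally,
    never sent on a wire.
    """
    eth = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    # Data offset 5 (20-byte header, no options) sits in the high nibble.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp


def decode_frame(frame):
    """Walk one frame upward: Ethernet (layer 2) -> IPv4 (layer 3) -> TCP (layer 4)."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported ethertype 0x{ethertype:04x}")
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    ihl = (ver_ihl & 0x0F) * 4  # IP header length in bytes
    if proto != IPPROTO_TCP:
        raise ValueError(f"unsupported IP protocol {proto}")
    segment = frame[14 + ihl:14 + total_len]
    sport, dport, seq, ack, _offset, flags, window = struct.unpack("!HHIIBBH", segment[:16])
    return {
        "eth": {"src": _mac_str(src_mac), "dst": _mac_str(dst_mac)},
        "ip": {"src": _ipv4_str(src_ip), "dst": _ipv4_str(dst_ip), "ttl": ttl},
        "tcp": {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
                "flags": [name for bit, name in sorted(TCP_FLAGS.items()) if flags & bit]},
    }


def handshake_steps(frames):
    """Label each segment by its role in the TCP three-way handshake."""
    labels = []
    for frame in frames:
        flags = set(decode_frame(frame)["tcp"]["flags"])
        if flags == {"SYN"}:
            labels.append("SYN: client asks to open a connection")
        elif flags == {"SYN", "ACK"}:
            labels.append("SYN-ACK: server accepts")
        elif flags == {"ACK"}:
            labels.append("ACK: client confirms, connection is open")
        else:
            labels.append("other: " + ",".join(sorted(flags)))
    return labels


# Constructed handshake: a LAN client opens HTTPS (443) to a server in the
# 203.0.113.0/24 documentation range. Layer 2 addresses stay on the LAN, so the
# frame is addressed to the gateway's MAC; layer 3 carries the real destination.
CLIENT_MAC, GATEWAY_MAC = "02:00:00:00:00:01", "02:00:00:00:00:02"
CLIENT_IP, SERVER_IP = "192.168.1.100", "203.0.113.10"
HANDSHAKE = [
    build_frame(CLIENT_MAC, GATEWAY_MAC, CLIENT_IP, SERVER_IP, 51000, 443, 1000, 0, 0x02),
    build_frame(GATEWAY_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP, 443, 51000, 5000, 1001, 0x12),
    build_frame(CLIENT_MAC, GATEWAY_MAC, CLIENT_IP, SERVER_IP, 51000, 443, 1001, 5001, 0x10),
]

if __name__ == "__main__":
    for frame, label in zip(HANDSHAKE, handshake_steps(HANDSHAKE)):
        d = decode_frame(frame)
        print(f"{d['ip']['src']}:{d['tcp']['sport']} -> "
              f"{d['ip']['dst']}:{d['tcp']['dport']}  {label}")
```

Note how the acknowledgement numbers move: the server acknowledges 1001 (the client's sequence number plus one), and the client acknowledges 5001. A SYN that never receives its SYN-ACK, or a flood of SYNs with no third step, is the kind of pattern a packet capture makes visible and a reliable-delivery protocol like TCP makes countable.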

The Internet Protocol (IP) addressing scheme, governed by IETF RFC 791 (IPv4) and RFC 8200 (IPv6), assigns a unique numerical identifier to every device on a network, enabling routers to forward packets to their correct destination.

Every device on a network has an IP address — a numerical label that identifies it.

IPv4 addresses look like this: 192.168.1.100. They are 32-bit numbers written as four octets (0–255) separated by dots. There are approximately 4.3 billion possible IPv4 addresses.

Private IP ranges (used inside networks, not routable on the public internet):

  • 10.0.0.0 to 10.255.255.255
  • 172.16.0.0 to 172.31.255.255
  • 192.168.0.0 to 192.168.255.255

When you see 192.168.x.x addresses in a log, you are looking at internal network traffic.

A subnet mask tells you which part of an IP address identifies the network and which part identifies the host. In CIDR notation, /24 means the first 24 bits are the network portion. 192.168.1.0/24 covers the usable host addresses 192.168.1.1 through 192.168.1.254.

IPv6 addresses look like: 2001:0db8:85a3:0000:0000:8a2e:0370:7334. They are 128-bit addresses that solve the IPv4 exhaustion problem. IPv6 is increasingly relevant in security work, particularly in cloud environments.
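The addressing rules above (private ranges, subnet masks, CIDR, IPv6 notation) are easy to apply programmatically with Python's standard `ipaddress` module. The script below is an added example, not code from the page: it checks addresses against the three private ranges listed above, expands a /24 into its network, broadcast and usable host range, and tags constructed firewall-style log lines as internal, inbound or outbound traffic. The log lines, addresses and field names are made up for the example.

```python
import ipaddress

# The three private ranges listed on this page (RFC 1918). They are checked
# explicitly rather than via ipaddress's is_private, which also returns True for
# loopback, link-local and documentation ranges such as 203.0.113.0/24.
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private_ipv4(addr):
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in PRIVATE_RANGES)


def subnet_info(cidr):
    """Show what a CIDR prefix such as 192.168.1.0/24 actually covers."""
    net = ipaddress.ip_network(cidr, strict=False)  # strict=False also accepts a host address
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "first_host": str(net.network_address + 1),
        "last_host": str(net.broadcast_address - 1),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": net.num_addresses - 2,  # network and broadcast are not assignable
    }


def same_subnet(a, b, prefix=24):
    """True when both addresses fall in the same /prefix network."""
    return (ipaddress.ip_network(f"{a}/{prefix}", strict=False)
            == ipaddress.ip_network(f"{b}/{prefix}", strict=False))


def classify_flow(src, dst):
    """Direction of a flow as seen from the inside of the private network."""
    src_in, dst_in = is_private_ipv4(src), is_private_ipv4(dst)
    if src_in and dst_in:
        return "internal"
    if src_in:
        return "outbound"
    if dst_in:
        return "inbound"
    return "external"


# Constructed firewall-style log lines; the format and every value are made up.
LOG_LINES = [
    "2024-01-01T10:00:01 src=192.168.1.100 dst=192.168.1.20 proto=tcp dport=445",
    "2024-01-01T10:00:02 src=192.168.1.100 dst=203.0.113.10 proto=tcp dport=443",
    "2024-01-01T10:00:03 src=10.5.7.9 dst=172.31.0.4 proto=udp dport=53",
    "2024-01-01T10:00:04 src=198.51.100.7 dst=192.168.1.100 proto=tcp dport=3389",
]


def parse_log(lines):
    """Turn key=value log lines into dicts, adding direction and same-/24 tags."""
    rows = []
    for line in lines:
        fields = dict(tok.split("=", 1) for tok in line.split()[1:])
        fields["direction"] = classify_flow(fields["src"], fields["dst"])
        fields["same_24"] = same_subnet(fields["src"], fields["dst"])
        rows.append(fields)
    return rows


def compress_ipv6(addr):
    """Canonical short form of an IPv6 address (.exploded gives the long form back)."""
    return str(ipaddress.IPv6Address(addr))


if __name__ == "__main__":
    print(subnet_info("192.168.1.0/24"))
    for row in parse_log(LOG_LINES):
        print(f"{row['src']:>15} -> {row['dst']:<15} {row['direction']:<9} same /24: {row['same_24']}")
    print(compress_ipv6("2001:0db8:85a3:0000:0000:8a2e:0370:7334"))
```

The last log line, an external address connecting inbound to port 3389 on a private host, is the kind of entry worth a second look: private addresses are not routable from the internet, so an inbound flow like that only appears if something (a port forward, a VPN, a misconfigured firewall) is letting it through.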

What Are the Most Important Ports and Protocols?


The IANA (Internet Assigned Numbers Authority) maintains the official Service Name and Transport Protocol Port Number Registry, which defines 65,535 available port numbers per transport protocol, with well-known ports 0–1023 reserved for standard services that security professionals must recognise.

Ports are numbered endpoints that allow a single IP address to run multiple services. Port numbers range from 0 to 65535. Well-known ports are 0–1023.

Port  Protocol  Service
21    TCP       FTP (File Transfer)
22    TCP       SSH (Secure Shell)
23    TCP       Telnet (insecure, avoid)
25    TCP       SMTP (Email sending)
53    TCP/UDP   DNS (Domain Name System)
80    TCP       HTTP (Web, unencrypted)
110   TCP       POP3 (Email retrieval)
143   TCP       IMAP (Email retrieval)
443   TCP       HTTPS (Web, encrypted)
445   TCP       SMB (Windows file sharing)
3389  TCP       RDP (Remote Desktop)
3306  TCP       MySQL database

Memorizing these ports is important for A+ and Security+ exams. More practically, when you see port 22 in a log you know someone is using SSH; port 3389 means RDP — both are common attack vectors.

DNS (Domain Name System) is the hierarchical naming system defined by IETF RFC 1035 that translates human-readable domain names into IP addresses. It handles billions of queries per day globally and is a critical attack surface that defenders must monitor.

DNS (Domain Name System) translates human-readable domain names into IP addresses. When you type mycybersecuritypath.com, your computer queries a DNS server to find the IP address that hosts the site.

DNS query flow:

  1. Your computer checks its local cache
  2. If not cached, queries your configured DNS resolver (usually your ISP or a public resolver like 8.8.8.8)
  3. The resolver queries root nameservers, then TLD nameservers, then the authoritative nameserver for the domain
  4. The IP address is returned and cached

[Figure: DNS Resolution Process: how your browser finds the IP address for a domain name. Stages: Local cache, checked first (browser cache, OS DNS cache) -> DNS resolver, ISP or public such as 8.8.8.8 (recursive lookup, resolver cache) -> Nameservers, the authority chain (root servers, TLD servers, authoritative NS) -> Response (IP returned, IP address cached, connection established).]

Why DNS matters in security:

  • DNS poisoning / cache poisoning redirects users to malicious sites
  • DNS tunneling hides data exfiltration inside DNS queries
  • Attackers use DNS to identify targets during reconnaissance
  • Monitoring DNS queries is a core SOC analyst activity
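To make the query flow and the monitoring point above concrete, here is an added example (not code from the page) that builds and parses the DNS query message a resolver puts inside a UDP datagram (RFC 1035 label encoding), lists the authority chain a recursive lookup walks for a name, and applies a simple defender's heuristic for tunnel-like names: unusually long or high-entropy labels. The thresholds and the sample query names are constructed for the example, not taken from any real feed.

```python
import math
import struct
from collections import Counter


def encode_qname(name):
    """Encode "example.com" as DNS labels: \\x07example\\x03com\\x00 (RFC 1035 §3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:  # RFC 1035 limits a label to 63 octets
            raise ValueError(f"bad label length: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, txid=0x1234, qtype=1):
    """Build the payload a stub resolver sends for an A record (qtype 1), recursion desired."""
    # header: id, flags (RD=1), qdcount, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)  # class IN


def parse_query(data):
    """Decode the header and question section of a DNS query message."""
    txid, flags, _qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    labels, pos = [], 12
    while True:
        length = data[pos]
        pos += 1
        if length == 0:
            break
        labels.append(data[pos:pos + length].decode("ascii"))
        pos += length
    qtype, _qclass = struct.unpack("!HH", data[pos:pos + 4])
    return {"txid": txid, "rd": bool(flags & 0x0100), "name": ".".join(labels), "qtype": qtype}


def resolution_chain(name):
    """Zones a recursive resolver asks in order: root, then TLD, then the authoritative zone."""
    labels = name.rstrip(".").split(".")
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, 0, -1)]


def label_entropy(label):
    """Shannon entropy in bits per character; encoded data scores higher than words."""
    n = len(label)
    if n == 0:
        return 0.0
    counts = Counter(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_tunnel(name, max_label=40, min_label=20, entropy_threshold=3.5):
    """Constructed heuristic: flag very long labels or long, high-entropy labels."""
    for label in name.rstrip(".").split("."):
        if len(label) > max_label:
            return True
        if len(label) >= min_label and label_entropy(label) > entropy_threshold:
            return True
    return False


# Constructed query names as they might appear in a resolver log.
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.google.com",
    "abcdefghijklmnopqrstuvwxyz.tunnel-example.test",
    "a" * 50 + ".example.com",
]

if __name__ == "__main__":
    print(parse_query(build_query("www.example.com")))
    print(resolution_chain("www.example.com"))
    for q in SAMPLE_QUERIES:
        print(f"{'SUSPECT' if looks_like_tunnel(q) else 'ok     '} {q}")
```

The heuristic is deliberately crude: real DNS tunneling detection also looks at query volume per domain, record types (TXT, NULL) and the ratio of unique subdomains, but long high-entropy labels are the first thing an analyst notices in a resolver log.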

What Does Networking Look Like in Practice?


You can practice networking concepts on your own computer right now, without any special setup:

Exercise 1: Check your IP address

  • Windows: Open Command Prompt and run ipconfig
  • Linux/Mac: Open Terminal and run ip addr or ifconfig

Exercise 2: Trace a route

  • Windows: tracert google.com
  • Linux/Mac: traceroute google.com

This shows the routers your traffic passes through to reach a destination.

Exercise 3: DNS lookup

  • Any OS: nslookup google.com

This shows what IP address a domain name resolves to.

Exercise 4: View open connections

  • Windows: netstat -ano
  • Linux/Mac: ss -tulnp or netstat -tulnp

This shows active network connections and which ports are listening.
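Exercise 4 produces a list of listening ports, and the port table earlier on this page tells you what each one means. The following script is an added example, not code from the page: it parses constructed output in the layout `ss -tulnp` prints, labels each listener with the service from the table, and flags the ones bound to every interface on ports the page singles out (Telnet as insecure, RDP as a common attack vector) plus SMB, which should not be reachable beyond the local network. The process names, PIDs and sockets in the sample are made up.

```python
import re

# Well-known ports from the table on this page.
PORT_SERVICES = {21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP", 53: "DNS", 80: "HTTP",
                 110: "POP3", 143: "IMAP", 443: "HTTPS", 445: "SMB", 3306: "MySQL", 3389: "RDP"}

# Listeners worth a second look when bound to every interface (the reasons are
# this example's judgement, following the page's notes on Telnet and RDP).
REVIEW_PORTS = {
    23: "Telnet is unencrypted",
    3389: "RDP is a common attack vector",
    445: "SMB should not be reachable beyond the local network",
}

ALL_INTERFACES = {"0.0.0.0", "*", "[::]", "::"}

# Constructed sample in the column layout `ss -tulnp` prints; every value is made up.
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      5      127.0.0.1:3306     0.0.0.0:*         users:(("mysqld",pid=1044,fd=21))
tcp   LISTEN 0      128    0.0.0.0:3389       0.0.0.0:*         users:(("xrdp",pid=1300,fd=11))
tcp   LISTEN 0      50     *:445              *:*               users:(("smbd",pid=990,fd=38))
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=500,fd=12))
tcp   LISTEN 0      128    [::]:23            [::]:*            users:(("inetd",pid=700,fd=5))
"""


def parse_ss(text):
    """Turn ss-style rows into dicts with the service name and an all-interfaces flag."""
    listeners = []
    for line in text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 6:
            continue
        netid, state, local = cols[0], cols[1], cols[4]
        addr, port = local.rsplit(":", 1)  # rsplit keeps IPv6 brackets intact
        addr = addr.split("%")[0]          # drop a scope suffix such as %lo
        port = int(port)
        match = re.search(r'\("([^"]+)"', line)  # process name inside users:((...))
        listeners.append({
            "proto": netid,
            "state": state,
            "addr": addr,
            "port": port,
            "service": PORT_SERVICES.get(port, "unknown"),
            "process": match.group(1) if match else None,
            "all_interfaces": addr in ALL_INTERFACES,
        })
    return listeners


def find_exposed(listeners):
    """(port, service, process, reason) for review-list ports open on every interface."""
    return [(l["port"], l["service"], l["process"], REVIEW_PORTS[l["port"]])
            for l in listeners
            if l["all_interfaces"] and l["port"] in REVIEW_PORTS]


if __name__ == "__main__":
    found = parse_ss(SS_OUTPUT)
    for l in found:
        scope = "ALL interfaces" if l["all_interfaces"] else "local only"
        print(f"{l['proto']}/{l['port']:<5} {l['service']:<8} {l['process']:<16} {scope}")
    print("review:", find_exposed(found))
```

The MySQL listener on 127.0.0.1 is not flagged: it is reachable only from the machine itself, which is the difference between a service that exists and a service that is exposed. To run this against your own host, read `ss -tulnp` output from `subprocess` instead of the constructed string.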

Once you are ready to take these commands further in a real lab environment, I walk through the full setup process in How I Set Up My Home Cybersecurity Lab for Free.


With networking fundamentals in place, you are ready to connect traffic patterns to actual security decisions. The Security Concepts page shows how ideas like confidentiality, least privilege, and defense in depth sit on top of the networking basics you just learned. The Home Lab Setup guide shows you how to install Wireshark and start analyzing real network traffic. The CompTIA A+ page covers how networking knowledge is tested in your first certification exam.


Networking standards and protocol implementations evolve. Verify port and protocol details against current IANA documentation (iana.org) for authoritative information.

Frequently Asked Questions

What is the OSI model and why does it matter?

The OSI model is a seven-layer framework that describes how data moves between computers. In cybersecurity, it matters because attacks target specific layers — understanding the model helps you identify where an attack occurs and what defenses apply.

Do I need to memorize all port numbers?

You should memorize the most common ports: 22 (SSH), 53 (DNS), 80 (HTTP), 443 (HTTPS), 445 (SMB), and 3389 (RDP). These appear frequently on CompTIA A+ and Security+ exams and in real-world log analysis.

What is the difference between TCP and UDP?

TCP establishes a connection and confirms delivery, making it reliable but slower. UDP sends data without confirmation, making it faster but unreliable. DNS uses UDP for standard queries, while web browsing uses TCP.

What is a subnet mask?

A subnet mask defines which portion of an IP address identifies the network and which identifies the host. For example, a /24 subnet mask means the first 24 bits are the network portion, allowing 254 usable host addresses.

What is DNS and how does it work?

DNS (Domain Name System) translates domain names like google.com into IP addresses. Your computer checks its local cache first, then queries a DNS resolver, which contacts root, TLD, and authoritative nameservers to find the answer.

What is the difference between IPv4 and IPv6?

IPv4 uses 32-bit addresses (like 192.168.1.1) with about 4.3 billion possible addresses. IPv6 uses 128-bit addresses to solve address exhaustion. IPv6 is increasingly relevant in cloud and modern network environments.

What are private IP addresses?

Private IP addresses are reserved ranges (10.x.x.x, 172.16-31.x.x, 192.168.x.x) used inside local networks. They are not routable on the public internet. When you see these in logs, you are looking at internal network traffic.

How much networking do I need for cybersecurity?

You need a solid understanding of TCP/IP, DNS, common ports, and basic routing — roughly what CompTIA Network+ covers. You do not need to become a network engineer, but you must recognize normal vs abnormal traffic patterns.

What is ARP and why is it a security concern?

ARP (Address Resolution Protocol) maps IP addresses to MAC addresses on a local network. ARP spoofing attacks exploit the fact that ARP has no authentication, allowing attackers to intercept traffic in a man-in-the-middle attack.

What tools can I use to practice networking?

Start with built-in commands: ping, traceroute, nslookup, and netstat. Then move to Wireshark for packet analysis and Nmap for network scanning. TryHackMe's Pre-Security path provides browser-based labs for hands-on practice.