
Module 1 · Networking Fundamentals

Manish Garg Associate CISSP · RingSafe
April 19, 2026
Module 1 of Networking Path

What you’ll learn

  • The OSI 7-layer model — and why only 3 layers really matter day-to-day
  • TCP/IP stack, the protocol most of the internet actually runs on
  • IP addressing, subnet masks, and CIDR notation — without the math panic
  • The difference between TCP and UDP, and when each is used
  • Common ports every security practitioner should recognise
  • ARP, DNS, DHCP — the three services that quietly make networks work

Prerequisites: None. This is the foundation.

If you want to work in cybersecurity, you have to be fluent in networks. Not because every job requires deep network engineering skills, but because every attack moves over a network, every defence inspects network traffic, and every tool you’ll touch assumes you already know what an IP address is and why ports 22 and 445 are different. This module gets you to the baseline competence point where the rest of the Networking path makes sense.

What networking actually is

Networking is how computers talk to each other. That’s it. Every complication — protocols, addresses, ports, layers — exists because getting a message from one computer to another is a harder problem than it looks, and over 50 years of engineering we’ve evolved specific solutions to specific sub-problems.

Two computers can’t just “send data” to each other. Something has to decide:

  • How the data is physically transmitted (electrical signals? light? radio?)
  • How to identify the sender and receiver
  • How to split big messages into packets that fit on the network
  • What to do if packets arrive out of order or get lost
  • How to know which application on the destination machine the data is for
  • How to represent the data in a way the receiving application understands

Each of these concerns became a “layer” — and the OSI model is how we talk about them.

The OSI 7-layer model

OSI stands for Open Systems Interconnection. It’s an abstract reference model from 1984, and every networking textbook teaches it. The seven layers are:

| Layer | Name | What it does | Example |
| --- | --- | --- | --- |
| 7 | Application | What the user sees | HTTP, SSH, FTP, SMTP |
| 6 | Presentation | Data format & encryption | TLS, JPEG encoding |
| 5 | Session | Manages conversations | NetBIOS, RPC |
| 4 | Transport | End-to-end delivery | TCP, UDP |
| 3 | Network | Routing across networks | IP, ICMP |
| 2 | Data Link | Local delivery within a network | Ethernet, ARP, Wi-Fi (MAC) |
| 1 | Physical | Bits on a wire / radio waves | Cables, fibre, signals |

In practice, you’ll spend 90% of your attention on layers 3, 4, and 7. The others exist but rarely need conscious thought.

Memory aid: “Please Do Not Throw Sausage Pizza Away” — Physical, Data Link, Network, Transport, Session, Presentation, Application.

TCP/IP — the pragmatic reality

OSI is the textbook model. TCP/IP is what the internet actually runs on. It collapses OSI’s seven layers into four practical ones, and that’s what you’ll see in every real-world tool.

| TCP/IP Layer | Maps to OSI | Key protocols |
| --- | --- | --- |
| Application | Layers 5–7 | HTTP, HTTPS, SSH, DNS, SMTP, FTP |
| Transport | Layer 4 | TCP, UDP |
| Internet | Layer 3 | IP, ICMP |
| Link | Layers 1–2 | Ethernet, Wi-Fi, MAC |

IP addresses — identity on the internet

Every device on a network has an IP address. Think of it as a postal address for computers. There are two versions:

  • IPv4 — four numbers separated by dots, each 0–255. Example: 192.168.1.10. Gives about 4.3 billion possible addresses. The original, still dominant.
  • IPv6 — eight groups of four hex characters. Example: 2001:0db8:85a3::8a2e:0370:7334, where the :: stands in for consecutive all-zero groups. Gives 340 undecillion addresses. The future, still rolling out.

IPv4 addresses come in two flavours:

  • Public IPs — unique on the internet, routable globally. Your home router has one assigned by your ISP.
  • Private IPs — only valid inside a local network. Three reserved ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. These are what devices inside your home or office use.

Subnet masks and CIDR

A subnet mask tells a device which portion of an IP address is the “network” and which is the “host”. Example:

IP:          192.168.1.10
Subnet mask: 255.255.255.0

The mask 255.255.255.0 means: the first three octets (192.168.1) identify the network; the last octet (10) identifies the specific host.

CIDR notation is a shorthand for the same thing. Instead of writing the whole mask, we write how many bits are in the network portion:

  • 192.168.1.0/24 → first 24 bits are network, last 8 are host. Same as mask 255.255.255.0. Allows 254 hosts.
  • 10.0.0.0/8 → first 8 bits are network, last 24 are host. Allows 16,777,214 hosts.
  • 172.16.0.0/16 → first 16 bits are network, last 16 are host. Allows 65,534 hosts.
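The mask arithmetic behind those three bullets, worked in Python as an added example (not part of the original module). The function names are illustrative; the private ranges are the three listed earlier on this page.

```python
import ipaddress

# RFC 1918 private ranges listed earlier on this page.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def to_int(dotted):
    """Pack a dotted-quad IPv4 string into one 32-bit integer."""
    a, b, c, d = (int(part) for part in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def to_dotted(value):
    """Unpack a 32-bit integer back into dotted-quad form."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def describe(ip, prefix):
    """Derive mask, network, broadcast and usable host count from ip/prefix."""
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF  # prefix one-bits, then zeros
    network = to_int(ip) & mask                         # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)          # host bits all set
    # /31 and /32 have no separate network/broadcast address to subtract.
    usable = 2 ** (32 - prefix) - 2 if prefix <= 30 else 2 ** (32 - prefix)
    return {
        "mask": to_dotted(mask),
        "network": to_dotted(network),
        "broadcast": to_dotted(broadcast),
        "usable_hosts": usable,
        "private": any(ipaddress.ip_address(ip) in r for r in PRIVATE_RANGES),
    }


def same_subnet(ip_a, ip_b, prefix):
    """Two hosts are on the same local network if their network parts match."""
    return describe(ip_a, prefix)["network"] == describe(ip_b, prefix)["network"]


if __name__ == "__main__":
    for ip, prefix in [("192.168.1.10", 24), ("10.0.0.0", 8), ("172.16.0.0", 16)]:
        print(f"{ip}/{prefix}", describe(ip, prefix))
    print(same_subnet("192.168.1.10", "192.168.2.10", 24))
```

The same two addresses can be neighbours or strangers depending only on the prefix length, which is why the mask matters when you read firewall rules or scope an investigation.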

TCP vs UDP — reliable vs fast

Both TCP and UDP live at the Transport layer. They decide how data is delivered, but they make different trade-offs.

TCP (Transmission Control Protocol) is reliable. It establishes a connection (the “three-way handshake”: SYN → SYN-ACK → ACK), numbers every packet, requires acknowledgments, and retransmits lost packets. If you need every byte to arrive in order, you use TCP.

UDP (User Datagram Protocol) is fast. No handshake, no acknowledgments, no retransmission. Packets go out and may or may not arrive. If you lose one, too bad. But you get low overhead and low latency.

| TCP is used for | UDP is used for |
| --- | --- |
| Web (HTTP/HTTPS), SSH, email (SMTP), file transfer (FTP) | DNS lookups, video calls, game servers, DHCP |
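To see the trade-off on your own machine, this added example (not part of the original module) talks only to the loopback address 127.0.0.1. It shows that TCP reports a missing listener during the handshake, while UDP reports success even when nobody is there. The helper names are illustrative.

```python
import socket

LOOPBACK = "127.0.0.1"
KINDS = {"tcp": socket.SOCK_STREAM, "udp": socket.SOCK_DGRAM}


def unused_port(kind):
    """Ask the OS for a free port, then release it so nothing listens there."""
    with socket.socket(socket.AF_INET, KINDS[kind]) as s:
        s.bind((LOOPBACK, 0))
        return s.getsockname()[1]


def tcp_send(port, payload=b"hello"):
    """TCP must finish SYN / SYN-ACK / ACK before any data moves."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.connect((LOOPBACK, port))   # the handshake happens here
        except ConnectionRefusedError:
            return "refused"              # sender learns at once nobody listens
        s.sendall(payload)
        return "sent"


def udp_send(port, payload=b"hello"):
    """UDP has no handshake: the datagram leaves whether or not anyone listens."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(payload, (LOOPBACK, port))
        return "sent"


def tcp_round_trip(payload=b"hello"):
    """With a listener present, the handshake completes and the bytes arrive."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as server:
        server.bind((LOOPBACK, 0))
        server.listen(1)
        port = server.getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as client:
            client.connect((LOOPBACK, port))
            conn, _ = server.accept()
            with conn:
                client.sendall(payload)
                return conn.recv(1024)


if __name__ == "__main__":
    print("TCP to closed port:", tcp_send(unused_port("tcp")))
    print("UDP to closed port:", udp_send(unused_port("udp")))
    print("TCP with listener: ", tcp_round_trip())
```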

Ports — identifying the application

An IP address gets data to the right machine. A port gets it to the right application on that machine. Ports are numbers from 0 to 65535.

Every security practitioner should recognise these common ports on sight:

| Port | Protocol | Service |
| --- | --- | --- |
| 20, 21 | TCP | FTP (data, control) |
| 22 | TCP | SSH |
| 23 | TCP | Telnet (insecure, avoid) |
| 25 | TCP | SMTP (email) |
| 53 | TCP/UDP | DNS |
| 80 | TCP | HTTP |
| 110 | TCP | POP3 (email retrieval) |
| 143 | TCP | IMAP (email retrieval) |
| 443 | TCP | HTTPS |
| 445 | TCP | SMB (Windows file sharing) |
| 3306 | TCP | MySQL / MariaDB |
| 3389 | TCP | RDP (Windows remote desktop) |
| 5432 | TCP | PostgreSQL |
| 6379 | TCP | Redis |
| 27017 | TCP | MongoDB |

Ports 0–1023 are “well-known ports” reserved for system services. Ports 1024–49151 are registered for specific applications. Ports 49152–65535 are dynamic/private and used for outgoing connections.

ARP, DNS, DHCP — the quiet helpers

Three protocols every network relies on, mostly invisibly:

ARP (Address Resolution Protocol) maps IP addresses to MAC addresses on a local network. When your laptop wants to send a packet to 192.168.1.1, it shouts “who has 192.168.1.1?” and the router replies with its MAC address. ARP only works on the local network.

DNS (Domain Name System) maps human-readable names (google.com) to IP addresses (142.250.183.110). Without DNS, you’d have to memorise IPs for every site. DNS uses UDP on port 53 (TCP for large responses).

DHCP (Dynamic Host Configuration Protocol) automatically assigns an IP address, subnet mask, default gateway, and DNS server to a device when it joins a network. Without DHCP, every device would need manual IP configuration. It uses UDP ports 67 (server) and 68 (client).

Why this matters for security

Every attack has network artefacts. An attacker scanning for SSH sees port 22 responses. A phishing link resolves via DNS. Malware calls home via HTTP. Ransomware spreads over SMB (port 445). If you can’t read network traffic, you can’t do security work at any meaningful level.
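Here is what reading those artefacts looks like from the defender's side, as an added example that is not part of the original module. It walks a handful of constructed connection records and flags any source that reaches many different hosts on one port, the pattern left by SSH scanning or SMB spread. The log format, threshold and function names are assumptions made for illustration.

```python
from collections import defaultdict

# Port-to-service names taken from the port table on this page.
SERVICES = {22: "SSH", 53: "DNS", 80: "HTTP", 443: "HTTPS", 445: "SMB", 3389: "RDP"}

# Constructed sample flow records: time, source, destination, dest port, protocol.
SAMPLE_LOG = """\
10:00:01 192.168.1.50 192.168.1.10 22 tcp
10:00:01 192.168.1.50 192.168.1.11 22 tcp
10:00:02 192.168.1.50 192.168.1.12 22 tcp
10:00:02 192.168.1.50 192.168.1.13 22 tcp
10:00:05 192.168.1.20 192.168.1.1 53 udp
10:00:06 192.168.1.20 142.250.183.110 443 tcp
10:01:10 192.168.1.77 192.168.1.10 445 tcp
10:01:10 192.168.1.77 192.168.1.11 445 tcp
10:01:11 192.168.1.77 192.168.1.12 445 tcp
10:01:12 192.168.1.20 192.168.1.10 445 tcp
malformed line here
"""


def parse(line):
    """Return (src, dst, port, proto), or None for lines that do not parse."""
    fields = line.split()
    if len(fields) != 5 or not fields[3].isdigit():
        return None
    _, src, dst, port, proto = fields
    return src, dst, int(port), proto


def fan_out_alerts(log_text, threshold=3):
    """Flag sources that reach `threshold` or more distinct hosts on one port."""
    targets = defaultdict(set)  # (src, port) -> set of destination IPs
    for line in log_text.splitlines():
        record = parse(line)
        if record:
            src, dst, port, _ = record
            targets[(src, port)].add(dst)
    return [(src, port, SERVICES.get(port, "unknown"), len(hosts))
            for (src, port), hosts in sorted(targets.items())
            if len(hosts) >= threshold]


if __name__ == "__main__":
    for src, port, service, count in fan_out_alerts(SAMPLE_LOG):
        print(f"{src} contacted {count} hosts on {port}/{service}")
```

The workstation at 192.168.1.20 also touches port 445 once, but a single file-share connection is ordinary traffic; it is the fan-out across hosts that stands out.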

This module gets you to recognise the pieces. The next module teaches you to inspect real packets with Wireshark and tcpdump. By the end of the Networking path, you’ll read a packet capture the way a programmer reads code.

Quick reference summary

  • OSI: 7 layers (Physical → Application). Real-world focus: layers 3, 4, 7.
  • TCP/IP: 4 practical layers. What the internet actually uses.
  • IPv4: dotted quads (e.g. 192.168.1.10). IPv6: hex groups, much longer.
  • Private ranges: 10/8, 172.16/12, 192.168/16.
  • CIDR: /24 = 256 addresses, /16 = 65k, /8 = 16M.
  • TCP: reliable, connection-based, handshake. UDP: fast, no guarantees.
  • Key ports: 22 (SSH), 53 (DNS), 80 (HTTP), 443 (HTTPS), 445 (SMB), 3389 (RDP).
  • ARP: IP→MAC on local network. DNS: name→IP. DHCP: auto-assign IP.

Take the quiz below to confirm you’ve absorbed the material. Pass with 70%+ to mark this module complete and unlock the next one.

Check your understanding

Module Quiz · 20 questions

Pass with 70%+ to mark this module complete. Unlimited retries. Each question shows an explanation.
