Chapter 3: Network Fundamentals for Security Professionals
Learn TCP/IP, DNS, DHCP, HTTP, HTTPS, FTP, SSH, VPN, and network architecture for cyber security analysis.
3.1 Chapter Overview
Networks allow devices to communicate, share resources and access services. Cyber security professionals must understand how networks work because most attacks, investigations and defenses involve network communication.
Security analysts use network knowledge to investigate suspicious traffic, understand logs, detect unauthorized access, review firewall rules, analyze DNS activity, identify risky services and support incident response.
3.2 Learning Objectives
- Explain the purpose of computer networks in cyber security.
- Understand TCP/IP and the network communication process.
- Identify IP addresses, subnets, gateways and ports.
- Explain DNS and DHCP roles in enterprise networks.
- Differentiate HTTP, HTTPS, FTP, SSH and VPN.
- Understand common ports and their security relevance.
- Recognize network architecture components such as LAN, WAN, DMZ and firewall.
- Use basic network commands for security investigation.
3.3 Why Networking Matters in Cyber Security
Threat Detection
Unusual traffic patterns may indicate malware, scanning or data exfiltration.
Incident Response
Analysts trace attacker IPs, affected hosts and communication paths.
Access Control
Firewalls, VPNs and segmentation control who can communicate.
Log Analysis
Network logs contain IP addresses, ports, protocols and timestamps.
3.4 TCP/IP Model
The TCP/IP model explains how data moves across networks. It helps security professionals understand where attacks and controls may occur.
| Layer | Purpose | Examples | Security Relevance |
|---|---|---|---|
| Application | User-facing protocols and services. | HTTP, HTTPS, DNS, FTP, SSH | Web attacks, DNS abuse, weak services. |
| Transport | Controls end-to-end communication. | TCP, UDP | Port scanning, session analysis. |
| Internet | Routes packets between networks. | IP, ICMP | IP spoofing, ping scans, routing attacks. |
| Network Access | Local network communication. | Ethernet, Wi-Fi, MAC | ARP spoofing, rogue devices, wireless attacks. |
TCP vs UDP
| TCP | UDP |
|---|---|
| Connection-oriented | Connectionless |
| Reliable delivery | Faster but less reliable |
| Used by HTTPS, SSH, FTP | Used by DNS, DHCP, streaming |
| Three-way handshake | No handshake |
3.5 IP Addressing and Ports
An IP address identifies a device on a network. A port identifies a service running on that device.
| Term | Meaning | Example |
|---|---|---|
| IP Address | Network address of a device. | 192.168.1.10 |
| Subnet Mask | Defines network and host portion. | 255.255.255.0 |
| Gateway | Router used to reach other networks. | 192.168.1.1 |
| Port | Service endpoint on a host. | 443 for HTTPS |
| Public IP | Routable on the internet. | ISP-assigned IP |
| Private IP | Used inside local networks. | 10.x.x.x, 172.16-31.x.x, 192.168.x.x |
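The table's terms come together when a host decides whether a destination is local or must go through the gateway. The following Python script is an added example (not code from the original chapter) that uses the standard-library ipaddress module to derive the network, broadcast address, usable host count and private/public status from an address and mask, and to make that same local-or-gateway decision. The addresses are the table's own examples plus a few constructed ones; the three private blocks are the RFC 1918 ranges the table lists.

```python
import ipaddress

# Private address ranges (RFC 1918): the same three blocks listed in the table above.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def describe_host(ip: str, mask: str) -> dict:
    """Derive the network facts an analyst reads off ipconfig /all or ip addr.

    ip   - the host address, e.g. "192.168.1.10"
    mask - the subnet mask in dotted form ("255.255.255.0") or as a prefix ("24")
    """
    iface = ipaddress.ip_interface(f"{ip}/{mask}")
    net = iface.network
    return {
        "address": str(iface.ip),
        "network": str(net),                          # e.g. 192.168.1.0/24
        "broadcast": str(net.broadcast_address),      # e.g. 192.168.1.255
        # The network and broadcast addresses cannot be assigned to hosts;
        # /31 and /32 networks have no such overhead, hence the max().
        "usable_hosts": max(net.num_addresses - 2, 0),
        "private": any(iface.ip in block for block in PRIVATE_RANGES),
    }


def same_subnet(ip_a: str, ip_b: str, mask: str) -> bool:
    """True if both hosts sit in the same subnet and can talk without a router."""
    net_a = ipaddress.ip_interface(f"{ip_a}/{mask}").network
    net_b = ipaddress.ip_interface(f"{ip_b}/{mask}").network
    return net_a == net_b


def next_hop(src: str, dst: str, mask: str, gateway: str) -> str:
    """Where the source host sends a packet for dst: straight to dst, or to the gateway.

    This is the decision a host makes from its own routing table. Only traffic
    that goes via the gateway can be inspected by a firewall sitting on that router.
    """
    return dst if same_subnet(src, dst, mask) else gateway


if __name__ == "__main__":
    print(describe_host("192.168.1.10", "255.255.255.0"))
    print(next_hop("192.168.1.10", "192.168.2.5", "255.255.255.0", "192.168.1.1"))
```

The same module handles IPv6 (ip_interface("2001:db8::1/64")); the private check above would return False for it because the listed blocks are IPv4 only, which is exactly what the table covers.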
Common Ports
| Port | Protocol | Service | Security Note |
|---|---|---|---|
| 20/21 | TCP | FTP | Control channel on 21, data on 20. Credentials and files travel in clear text, so anyone on the path can read them. |
| 22 | TCP | SSH | Secure remote administration; protect with key-based authentication and MFA, and do not expose it to the internet without need. |
| 53 | UDP/TCP | DNS | Name resolution and a rich detection source; also abused for tunnelling and command-and-control. |
| 67/68 | UDP | DHCP | Server listens on 67, clients on 68. A rogue server can hand out a malicious gateway or DNS server. |
| 80 | TCP | HTTP | Unencrypted web traffic. |
| 443 | TCP | HTTPS | Encrypted web traffic. |
| 3389 | TCP | RDP | High-risk if exposed to the internet; a common brute-force and ransomware entry point. |
3.6 Network Commands for Investigation
Windows Commands
- ipconfig /all
- ping 8.8.8.8
- tracert google.com
- nslookup perakskills.com
- netstat -ano
Linux Commands
- ip addr
- ping 8.8.8.8
- traceroute google.com
- dig perakskills.com
- ss -tulnp
| Command | Purpose |
|---|---|
| ping | Checks basic network reachability. |
| tracert / traceroute | Shows route path to destination. |
| nslookup / dig | Checks DNS resolution. |
| netstat / ss | Shows network connections and listening ports. |
| ipconfig / ip addr | Shows local IP configuration. |
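Reading netstat / ss output by eye does not scale across a fleet, and the question an analyst really asks is "which risky services are listening on every interface?". The following Python script is an added example (not code from the original chapter) that parses saved output of ss -tulnp (Linux) and netstat -ano (Windows), keeps only listening sockets, and rates them using the ports and notes in the Common Ports table above. Both sample outputs are constructed; the high/medium/low ratings are my reading of that table's security notes, not values from the page.

```python
import re

# Service names and risk ratings follow the Common Ports table in this chapter.
# "high" = the table calls the service insecure or high-risk when exposed.
PORT_NOTES = {
    21: ("FTP", "high"),
    22: ("SSH", "medium"),
    53: ("DNS", "medium"),
    67: ("DHCP server", "medium"),
    68: ("DHCP client", "low"),
    80: ("HTTP", "medium"),
    443: ("HTTPS", "low"),
    3389: ("RDP", "high"),
}

# Local addresses that mean "listening on every interface".
ANY_ADDRESS = {"0.0.0.0", "*", "::", "[::]"}

# Constructed sample output of: ss -tulnp   (Linux)
SS_SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128          0.0.0.0:21         0.0.0.0:*     users:(("vsftpd",pid=901,fd=4))
tcp   LISTEN 0      80         127.0.0.1:3306       0.0.0.0:*     users:(("mysqld",pid=1203,fd=20))
tcp   LISTEN 0      128                *:3389             *:*     users:(("xrdp",pid=1400,fd=11))
udp   UNCONN 0      0            0.0.0.0:68         0.0.0.0:*     users:(("dhclient",pid=600,fd=6))
tcp   LISTEN 0      511             [::]:80            [::]:*     users:(("nginx",pid=1500,fd=6))
"""

# Constructed sample output of: netstat -ano   (Windows)
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1180
  TCP    192.168.1.10:49700     203.0.113.5:443        ESTABLISHED     2200
  UDP    0.0.0.0:68             *:*                                    1234
"""


def parse_listeners(text: str) -> list:
    """Extract listening sockets from ss -tulnp or netstat -ano output."""
    listeners = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0].lower() not in ("tcp", "udp"):
            continue                                  # header, blank or unrelated line
        proto = tokens[0].lower()
        if tokens[0].isupper():                       # netstat -ano: Proto Local Foreign [State] PID
            local = tokens[1]
            state = tokens[3] if proto == "tcp" else ""
            owner = "pid=" + tokens[-1]
        else:                                         # ss -tulnp: Netid State Recv-Q Send-Q Local Peer Process
            local = tokens[4]
            state = tokens[1]
            match = re.search(r'\("([^"]+)"', line)   # process name inside users:(("name",pid=...))
            owner = match.group(1) if match else "?"
        if proto == "tcp" and state not in ("LISTEN", "LISTENING"):
            continue                                  # established/closing sockets are not listeners
        addr, port = local.rsplit(":", 1)
        if not port.isdigit():
            continue
        listeners.append({"proto": proto, "addr": addr, "port": int(port),
                          "owner": owner, "exposed": addr in ANY_ADDRESS})
    return listeners


def audit_listeners(text: str) -> list:
    """Return (port, service, owner, verdict) for every listener found."""
    findings = []
    for sock in parse_listeners(text):
        service, risk = PORT_NOTES.get(sock["port"], ("unknown", "review"))
        if sock["exposed"] and risk == "high":
            verdict = "HIGH: risky service on all interfaces"
        elif sock["exposed"]:
            verdict = "exposed on all interfaces"
        else:
            verdict = f"bound to {sock['addr']} only"
        findings.append((sock["port"], service, sock["owner"], verdict))
    return findings


def high_risk_exposed(text: str) -> list:
    """Ports that need immediate attention, sorted."""
    return sorted(port for port, _, _, verdict in audit_listeners(text) if verdict.startswith("HIGH"))


if __name__ == "__main__":
    for finding in audit_listeners(SS_SAMPLE) + audit_listeners(NETSTAT_SAMPLE):
        print(finding)
```

A service bound to 127.0.0.1 (the MySQL example) is reachable only from the host itself, which is why the script treats the bind address, not just the port number, as the security-relevant fact.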
3.7 DNS - Domain Name System
DNS converts domain names into IP addresses. Without DNS, users would need to remember IP addresses instead of website names.
Common DNS Records
| Record | Purpose | Example |
|---|---|---|
| A | Maps domain to IPv4 address. | example.com → 93.184.216.34 |
| AAAA | Maps domain to IPv6 address. | example.com → 2001:db8::1 (documentation prefix) |
| CNAME | Alias for another domain. | www.example.com → example.com |
| MX | Mail server record. | example.com → mail.example.com (where its email is delivered) |
| TXT | Text data for verification/security. | SPF, DKIM, domain verification |
DNS Security Concerns
- Malware may contact command-and-control domains.
- Phishing sites use deceptive domains.
- DNS tunneling may hide data exfiltration.
- Incorrect DNS records can affect availability.
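Two of the concerns above, command-and-control beaconing and DNS tunnelling, leave a recognisable shape in resolver logs: many queries to one registered domain, almost every one for a different, long, random-looking subdomain. The following Python script is an added example (not code from the original chapter) that scores each registered domain in a resolver log on exactly those properties. The log lines are constructed; the thresholds (five or more queries, 80% unique subdomains, average leftmost label of 20+ characters) are assumptions chosen for the demo and would be tuned against real baseline traffic.

```python
import math
from collections import defaultdict

# Constructed resolver log: time, client, query type, queried name.
# The .example TLD is reserved for documentation, so these names resolve nowhere.
DNS_LOG = """\
10:00:01 192.168.1.20 A    www.example.com
10:00:02 192.168.1.20 A    mail.example.com
10:00:04 192.168.1.20 A    www.example.com
10:00:05 192.168.1.37 TXT  4f1a9c3e7b2d8e0f6a5c1b9d3e7f2a4c.t.data-leak.example
10:00:06 192.168.1.37 TXT  0b7e3d9a1c5f2e8b4d6a0c9e1f3b5d7a.t.data-leak.example
10:00:07 192.168.1.37 TXT  9e2c4a6b8d0f1e3a5c7b9d1f3a5e7c9b.t.data-leak.example
10:00:08 192.168.1.20 A    cdn.example.com
10:00:09 192.168.1.37 TXT  1a3c5e7b9d2f4a6c8e0b1d3f5a7c9e2b.t.data-leak.example
10:00:10 192.168.1.37 TXT  7c9e1a3b5d7f9a2c4e6b8d0f2a4c6e8b.t.data-leak.example
10:00:11 192.168.1.37 TXT  3d5f7a9c1e2b4d6f8a0c2e4b6d8f0a2c.t.data-leak.example
10:00:12 192.168.1.20 A    www.example.com
10:00:13 192.168.1.20 A    www.example.com
"""


def registered_domain(name: str) -> str:
    """Crude 'registered domain': the last two labels. Fine for the demo; a real
    tool would consult the Public Suffix List to handle names like example.co.uk."""
    labels = name.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def shannon_entropy(text: str) -> float:
    """Bits per character. Hex or base32 payloads score well above real hostnames."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze(log: str, min_queries: int = 5, unique_ratio: float = 0.8,
            min_label_len: int = 20) -> list:
    """Per registered domain: query count, share of unique subdomains, label stats, flag."""
    per_domain = defaultdict(list)              # registered domain -> leftmost labels seen
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _time, _client, _qtype, name = parts
        per_domain[registered_domain(name)].append(name.split(".")[0])
    results = []
    for domain, labels in sorted(per_domain.items()):
        queries = len(labels)
        ratio = len(set(labels)) / queries      # 1.0 = every query used a fresh subdomain
        mean_len = sum(len(label) for label in labels) / queries
        mean_entropy = sum(shannon_entropy(label) for label in labels) / queries
        flagged = queries >= min_queries and ratio >= unique_ratio and mean_len >= min_label_len
        results.append({"domain": domain, "queries": queries,
                        "unique_ratio": round(ratio, 2),
                        "mean_label_len": round(mean_len, 1),
                        "mean_entropy": round(mean_entropy, 2),
                        "flag": flagged})
    return results


if __name__ == "__main__":
    for row in analyze(DNS_LOG):
        print(row)
```

The entropy value is reported as supporting evidence rather than used in the flag, because short benign labels (cdn, www) have low entropy only by virtue of being short; subdomain churn and label length are the more robust signals for this pattern.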
3.8 DHCP - Dynamic Host Configuration Protocol
DHCP automatically assigns IP configuration to devices. It provides IP address, subnet mask, gateway and DNS server details.
DHCP Security Risks
| Risk | Description | Control |
|---|---|---|
| Rogue DHCP Server | Unauthorized server gives wrong network settings. | DHCP snooping on switches. |
| IP Exhaustion | Attacker requests leases with many spoofed MAC addresses until the pool is empty, then a rogue server answers instead. | Switch port security (limit MACs per port), DHCP snooping rate limits and lease monitoring. |
| Wrong DNS Assignment | Clients may be sent to a malicious DNS server, which then controls where every name resolves. | DHCP snooping plus checking the DNS servers clients actually receive against the expected ones. |
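All three risks in the table come down to one question: does a DHCP OFFER seen on the wire name a server, gateway and DNS server we trust? The following Python script is an added example (not code from the original chapter) that parses the options field of a DHCP message (fixed 236-byte BOOTP header, the 0x63825363 magic cookie, then type-length-value options) and raises an alert when option 54 (server identifier), option 3 (router) or option 6 (DNS servers) is not on an allowlist. The two OFFER packets are constructed in the script; the trusted address 192.168.1.1 and the rogue 192.168.1.66 are assumptions for the demo.

```python
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"      # 0x63825363 marks the start of the options field
DHCPOFFER = 2                           # value of option 53 (message type) for an OFFER


def _ip(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def build_offer(yiaddr, server_id, router, dns_servers, mask="255.255.255.0") -> bytes:
    """Construct a minimal DHCPOFFER (a test fixture, not captured traffic)."""
    header = bytearray(236)             # fixed BOOTP header, mostly zero here
    header[0] = 2                       # op = BOOTREPLY
    header[1] = 1                       # htype = Ethernet
    header[2] = 6                       # hlen = MAC address length
    header[4:8] = b"\x12\x34\x56\x78"   # xid, must echo the client's DISCOVER
    header[16:20] = _ip(yiaddr)         # yiaddr: the address being offered
    options = bytes([53, 1, DHCPOFFER])
    options += bytes([54, 4]) + _ip(server_id)       # server identifier
    options += bytes([1, 4]) + _ip(mask)             # subnet mask
    options += bytes([3, 4]) + _ip(router)           # default gateway
    dns = b"".join(_ip(d) for d in dns_servers)
    options += bytes([6, len(dns)]) + dns            # DNS servers (4 bytes each)
    options += b"\xff"                               # end option
    return bytes(header) + MAGIC_COOKIE + options


def parse_options(packet: bytes) -> dict:
    """Return {option_code: raw_value} from the TLV options field."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 0:                   # pad option, no length byte
            i += 1
            continue
        if code == 255:                 # end option
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option")
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return options


def _addresses(raw: bytes) -> list:
    """Decode a run of 4-byte IPv4 addresses (options 3, 6 and 54 use this layout)."""
    return [str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) - 3, 4)]


def check_offer(packet: bytes, trusted_servers: set,
                trusted_gateways: set, trusted_dns: set) -> list:
    """Alerts for an OFFER whose server, gateway or DNS is not on the allowlist.

    This is the judgement DHCP snooping makes on a switch (offers are only
    acceptable from trusted ports); here it runs over a single captured packet.
    """
    opts = parse_options(packet)
    if opts.get(53) != bytes([DHCPOFFER]):
        return []                       # only OFFERs are judged here
    alerts = []
    for server in _addresses(opts.get(54, b"")):
        if server not in trusted_servers:
            alerts.append(f"rogue DHCP server {server}")
    for gateway in _addresses(opts.get(3, b"")):
        if gateway not in trusted_gateways:
            alerts.append(f"untrusted gateway {gateway} offered")
    for dns in _addresses(opts.get(6, b"")):
        if dns not in trusted_dns:
            alerts.append(f"untrusted DNS server {dns} offered")
    return alerts


if __name__ == "__main__":
    trusted = {"192.168.1.1"}
    rogue = build_offer("192.168.1.51", "192.168.1.66", "192.168.1.66", ["192.168.1.66"])
    print(check_offer(rogue, trusted, trusted, trusted))
```

A client that accepts the rogue offer gets a gateway and DNS server under the attacker's control, which is why the script alerts on each of the three options separately: a server may be legitimate yet misconfigured, and that is still worth a ticket.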
3.9 HTTP and HTTPS
HTTP and HTTPS are web protocols. HTTP sends data in clear text, while HTTPS encrypts communication using TLS.
| Feature | HTTP | HTTPS |
|---|---|---|
| Default Port | 80 | 443 |
| Encryption | No encryption | Encrypted with TLS |
| Security | Data can be intercepted | Protects data in transit |
| Use | Legacy or non-sensitive sites | Login, banking, portals, business systems |
HTTP Methods
| Method | Purpose | Security Relevance |
|---|---|---|
| GET | Request data. | Sensitive data must not go in the URL: query strings end up in browser history, proxy logs and server logs. |
| POST | Submit data. | Used for forms and login; the body is not logged by default, but is still readable on the wire without HTTPS. |
| PUT | Update resource. | Should be restricted to authenticated and authorised clients. |
| DELETE | Delete resource. | High-risk if exposed; restrict like PUT and log every use. |
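The two warnings in the table are easy to check in a web server's access log. The following Python script is an added example (not code from the original chapter) that parses Combined Log Format lines (the format Apache and nginx write by default) and flags GET requests carrying sensitive parameter names in the query string, and PUT/DELETE/PATCH requests from clients that are not the expected administrative source. The log lines, the parameter list and the admin source 10.10.0.5 are constructed assumptions for the demo; PATCH is included alongside the table's PUT and DELETE because it changes state in the same way.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: client ident user [time] "METHOD target version" status bytes ...
LOG_RE = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<version>[^"]+)" (?P<status>\d{3}) \S+'
)

# Constructed access log lines.
ACCESS_LOG = """\
203.0.113.5 - - [01/May/2024:10:00:01 +0000] "GET /login?user=alice&password=Winter2024 HTTP/1.1" 302 0
203.0.113.5 - - [01/May/2024:10:00:02 +0000] "POST /login HTTP/1.1" 302 0
198.51.100.9 - - [01/May/2024:10:00:05 +0000] "GET /api/items?page=2 HTTP/1.1" 200 512
198.51.100.9 - - [01/May/2024:10:00:06 +0000] "DELETE /api/items/17 HTTP/1.1" 204 0
10.10.0.5 - - [01/May/2024:10:00:07 +0000] "PUT /api/items/17 HTTP/1.1" 200 88
203.0.113.5 - - [01/May/2024:10:00:08 +0000] "GET /reset?token=abc123 HTTP/1.1" 200 1024
"""

# Parameter names that should never appear in a URL (assumed list for the demo).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token", "session", "api_key"}
STATE_CHANGING = {"PUT", "DELETE", "PATCH"}
ADMIN_SOURCES = {"10.10.0.5"}      # assumed: the only client allowed to modify resources


def inspect_access_log(log: str, admin_sources: set = ADMIN_SOURCES) -> list:
    """Return (client, method, target, reason) for each request that breaks a rule."""
    findings = []
    for line in log.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue                                   # malformed or truncated line
        client, method, target = match["client"], match["method"], match["target"]
        if method == "GET":
            params = parse_qs(urlsplit(target).query)
            leaked = sorted(SENSITIVE_PARAMS & {name.lower() for name in params})
            if leaked:
                findings.append((client, method, target,
                                 "sensitive data in URL: " + ",".join(leaked)))
        if method in STATE_CHANGING and client not in admin_sources:
            findings.append((client, method, target,
                             "state-changing method from non-admin source"))
    return findings


if __name__ == "__main__":
    for finding in inspect_access_log(ACCESS_LOG):
        print(finding)
```

The password in the first line was written to disk by the web server itself, which is the practical reason the table says sensitive data should not be placed in the URL: even over HTTPS, the URL is logged in clear text at both ends.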
3.10 FTP, SSH and VPN
FTP - File Transfer Protocol
FTP is used to transfer files but is generally insecure because it may transmit credentials and data without encryption.
SSH - Secure Shell
SSH provides secure remote command-line access, commonly used for Linux server administration.
VPN - Virtual Private Network
A VPN creates an encrypted tunnel between a user and a private network. It is commonly used for remote work and secure access.
| Protocol | Default Port | Purpose | Security Note |
|---|---|---|---|
| FTP | 21 | File transfer | Prefer SFTP or FTPS. |
| SSH | 22 | Secure remote access | Use key-based authentication and MFA; disable password logins and direct root login. |
| SFTP | 22 | Secure file transfer over SSH | Safer than FTP. |
| VPN | Varies | Encrypted remote access | Requires strong authentication. |
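The SSH security note is a list of settings, and the quickest way to apply it across many servers is to audit sshd_config for them. The following Python script is an added example (not code from the original chapter or from OpenSSH) that parses sshd_config text and reports settings that contradict the note: password authentication left on, root login permitted, and the absence of directives that restrict who may log in and require a second factor. Both configuration fragments are constructed; the requirement that AuthenticationMethods, AllowGroups and MaxAuthTries be present is a policy assumption for the demo, and the MFA line assumes a PAM module that provides the second factor.

```python
# Constructed sshd_config fragments: the weak settings the table warns about, and a hardened form.
WEAK_CONFIG = """\
# /etc/ssh/sshd_config (constructed example)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# Require a key AND a second factor; keyboard-interactive assumes a PAM OTP module.
AuthenticationMethods publickey,keyboard-interactive
MaxAuthTries 3
AllowGroups ssh-admins
"""

# Directives that must hold a specific value, with the reason from this chapter.
EXPECTED = {
    "permitrootlogin": ("no", "log in as a named admin and escalate; root logins are untraceable"),
    "passwordauthentication": ("no", "passwords are brute-forced and phished; use keys"),
    "pubkeyauthentication": ("yes", "key-based authentication must stay enabled"),
}
# Directives whose absence leaves the OpenSSH default in force (assumed policy).
REQUIRED = {
    "authenticationmethods": "no MFA enforced (single factor)",
    "allowgroups": "any local account may attempt to log in",
    "maxauthtries": "default attempt limit applies",
}


def parse_sshd_config(text: str) -> dict:
    """Return {directive_lower: value}. OpenSSH honours the first occurrence of a directive."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and surrounding whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)            # first value wins, as in sshd
    return settings


def audit_sshd_config(text: str) -> list:
    """Human-readable findings; an empty list means the fragment passes."""
    settings = parse_sshd_config(text)
    findings = []
    for key, (want, why) in EXPECTED.items():
        got = settings.get(key)
        if got is None or got.lower() != want:
            findings.append(f"{key}: is {got or 'unset'}, want {want} ({why})")
    for key, why in REQUIRED.items():
        if key not in settings:
            findings.append(f"{key}: missing ({why})")
    return findings


if __name__ == "__main__":
    for finding in audit_sshd_config(WEAK_CONFIG):
        print(finding)
```

Note that an unset PasswordAuthentication is reported as a failure: the OpenSSH default for that directive is yes, so silence means passwords are accepted.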
3.11 Network Architecture
Network architecture describes how devices, servers, users and security controls are arranged.
| Architecture Component | Description | Security Purpose |
|---|---|---|
| LAN | Local Area Network inside office or building. | Connects internal devices. |
| WAN | Connects networks across locations. | Supports branches and remote sites. |
| DMZ | Separated zone for public-facing servers. | Protects internal network from internet exposure. |
| Firewall | Controls allowed and blocked traffic. | Enforces network access rules. |
| IDS/IPS | Detects or blocks suspicious traffic. | Threat detection and prevention. |
| Proxy | Intermediary for web access. | Filtering, logging and control. |
| SIEM | Central log and alert system. | Security monitoring and investigation. |
3.12 Network Segmentation
Network segmentation separates systems into zones. It reduces the impact of compromise and limits attacker movement.
User Network
Workstations and user devices.
Server Network
Business application and database servers.
Guest Network
Internet access for visitors without internal access.
DMZ
Public-facing systems separated from internal assets.
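Segmentation only limits attacker movement if the firewall between zones enforces an explicit allowlist with default deny. The following Python script is an added example (not code from the original chapter) that models the four zones above as address ranges, expresses the permitted flows as ordered rules, evaluates a single flow the way a firewall would (first match wins, nothing else passes), and computes the blast radius of a compromised host: every zone and port it can still reach. The address ranges, the rule set and the database port 3306 are assumptions for the demo.

```python
import ipaddress

# Zones from this section; the address ranges are assumptions for the demo.
ZONES = {
    "user":   ipaddress.ip_network("10.10.0.0/16"),
    "server": ipaddress.ip_network("10.20.0.0/16"),
    "guest":  ipaddress.ip_network("10.30.0.0/16"),
    "dmz":    ipaddress.ip_network("192.168.100.0/24"),
}

# Ordered allow rules: (src_zone, dst_zone, proto, ports). First match wins;
# anything not matched is denied (default deny). Flows and ports are assumed.
RULES = [
    ("internet", "dmz",      "tcp", {443}),          # public web front end
    ("dmz",      "server",   "tcp", {3306}),         # app tier to database (port assumed)
    ("user",     "server",   "tcp", {443, 22}),      # staff to business apps and admin SSH
    ("user",     "internet", "tcp", {80, 443}),      # staff web browsing
    ("guest",    "internet", "tcp", {80, 443}),      # visitors get internet only
    ("dmz",      "internet", "tcp", {443}),          # e.g. package updates, outbound API calls
]


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the defined ranges is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> tuple:
    """Return ("allow", rule) or ("deny", None) for a flow crossing the firewall."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return ("allow", "intra-zone")      # same segment: the firewall is not in the path
    for rule in RULES:
        r_src, r_dst, r_proto, r_ports = rule
        if (r_src, r_dst, r_proto) == (src, dst, proto.lower()) and dport in r_ports:
            return ("allow", rule)
    return ("deny", None)                   # default deny


def reachable_from(src_ip: str) -> dict:
    """Blast radius: {zone: ports} a compromised host in src_ip's zone can still reach."""
    src = zone_of(src_ip)
    reach = {}
    for r_src, r_dst, _proto, r_ports in RULES:
        if r_src == src:
            reach.setdefault(r_dst, set()).update(r_ports)
    return reach


if __name__ == "__main__":
    print(evaluate("203.0.113.9", "192.168.100.10", "tcp", 443))   # internet -> DMZ web
    print(evaluate("203.0.113.9", "10.20.0.5", "tcp", 443))        # internet -> server: denied
    print(reachable_from("192.168.100.10"))                        # what a popped DMZ host reaches
```

The intra-zone result is the honest part of the model: hosts in the same segment talk freely, so a flat network in which everything is one zone gives the attacker the whole estate once one host falls.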
3.13 Basic Network Threats
| Threat | Description | Example Control |
|---|---|---|
| Port Scanning | Attacker checks open services. | Firewall and monitoring. |
| DNS Abuse | Malicious domains or DNS tunneling. | DNS filtering and logs. |
| Man-in-the-Middle | Attacker intercepts communication. | HTTPS, VPN, secure Wi-Fi. |
| Rogue Device | Unauthorized device connects to network. | NAC and switch security. |
| Data Exfiltration | Unauthorized data transfer out of network. | DLP, proxy logs and traffic monitoring. |
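The first row of the table, port scanning, is the threat that firewall logs reveal most directly: one source opens TCP connections (a SYN, the first step of the three-way handshake from 3.4) to many ports on one host, or to the same port on many hosts. The following Python script is an added example (not code from the original chapter) that groups SYN attempts by source and, with a sliding time window, reports the largest number of distinct ports (vertical scan) and distinct hosts (horizontal sweep) any source touched within the window. The log lines and their key=value format are constructed; the 60-second window and the threshold of five are assumptions that would be tuned for a real environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines (assumed key=value format; flags=S is a bare SYN).
FIREWALL_LOG = """\
2024-05-01T10:00:01Z DENY src=203.0.113.7 dst=192.168.100.10 proto=tcp dport=21 flags=S
2024-05-01T10:00:01Z DENY src=203.0.113.7 dst=192.168.100.10 proto=tcp dport=22 flags=S
2024-05-01T10:00:02Z DENY src=203.0.113.7 dst=192.168.100.10 proto=tcp dport=23 flags=S
2024-05-01T10:00:02Z ALLOW src=203.0.113.7 dst=192.168.100.10 proto=tcp dport=443 flags=S
2024-05-01T10:00:03Z DENY src=203.0.113.7 dst=192.168.100.10 proto=tcp dport=3389 flags=S
2024-05-01T10:00:03Z DENY src=203.0.113.7 dst=192.168.100.10 proto=tcp dport=8080 flags=S
2024-05-01T10:00:10Z ALLOW src=198.51.100.4 dst=192.168.100.10 proto=tcp dport=443 flags=S
2024-05-01T10:00:11Z ALLOW src=198.51.100.4 dst=192.168.100.10 proto=tcp dport=443 flags=S
2024-05-01T10:01:00Z DENY src=203.0.113.9 dst=10.20.0.1 proto=tcp dport=22 flags=S
2024-05-01T10:01:01Z DENY src=203.0.113.9 dst=10.20.0.2 proto=tcp dport=22 flags=S
2024-05-01T10:01:01Z DENY src=203.0.113.9 dst=10.20.0.3 proto=tcp dport=22 flags=S
2024-05-01T10:01:02Z DENY src=203.0.113.9 dst=10.20.0.4 proto=tcp dport=22 flags=S
2024-05-01T10:01:03Z DENY src=203.0.113.9 dst=10.20.0.5 proto=tcp dport=22 flags=S
2024-05-01T10:09:00Z DENY src=203.0.113.7 dst=192.168.100.10 proto=tcp dport=25 flags=S
"""


def parse_line(line: str) -> tuple:
    """Split one log line into (timestamp, action, {key: value})."""
    timestamp, action, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    when = datetime.fromisoformat(timestamp.replace("Z", "+00:00"))
    return when, action, fields


def max_distinct_in_window(events: list, window: timedelta) -> int:
    """Largest number of distinct values seen in any time window, over (time, value) pairs."""
    events.sort(key=lambda event: event[0])
    best, start, counts = 0, 0, defaultdict(int)
    for when, value in events:
        counts[value] += 1
        while when - events[start][0] > window:     # slide the window's left edge forward
            old = events[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best


def detect_scans(log: str, window_seconds: int = 60,
                 port_threshold: int = 5, host_threshold: int = 5) -> dict:
    """Per source that crossed a threshold: peak distinct ports/hosts and the scan kind."""
    syn_by_src = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        when, _action, fields = parse_line(line)
        if fields.get("proto") == "tcp" and fields.get("flags") == "S":
            syn_by_src[fields["src"]].append((when, fields["dst"], int(fields["dport"])))
    window = timedelta(seconds=window_seconds)
    findings = {}
    for src, events in syn_by_src.items():
        ports = max_distinct_in_window([(when, port) for when, _dst, port in events], window)
        hosts = max_distinct_in_window([(when, dst) for when, dst, _port in events], window)
        kinds = []
        if ports >= port_threshold:
            kinds.append("vertical scan")
        if hosts >= host_threshold:
            kinds.append("horizontal sweep")
        if kinds:
            findings[src] = {"max_ports_in_window": ports,
                             "max_hosts_in_window": hosts, "kind": kinds}
    return findings


if __name__ == "__main__":
    for src, detail in detect_scans(FIREWALL_LOG).items():
        print(src, detail)
```

Both allowed and denied SYNs are counted: a scan that finds the one open port (443 above) still appears in the ALLOW lines, and dropping those would hide exactly the probe that succeeded.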
3.15 Practical Activities
Activity 1: IP Configuration
Run ipconfig /all on Windows or ip addr on Linux. Identify IP address, gateway and DNS server.
Activity 2: DNS Lookup
Use nslookup or dig to check DNS records for a domain.
Activity 3: Port Identification
Create a table of 10 common ports and their services.
Activity 4: Network Diagram
Draw a simple network architecture showing internet, firewall, DMZ, internal network and servers.
Mini Project
Create a network security checklist covering open ports, DNS, DHCP, firewall rules, VPN access and network segmentation.
3.16 Interactive Final Assessment Quiz
Each correct answer gives +1 mark. Each wrong answer gives -0.5 mark.
1. TCP/IP explains how devices communicate over networks.
2. DNS is used to:
3. DHCP automatically assigns IP configuration to devices.
4. HTTPS commonly uses which port?
5. FTP is generally safer than SFTP.
6. SSH commonly uses port 22.
7. A VPN creates an encrypted tunnel for secure access.
8. A DMZ is used for:
9. Network segmentation can limit attacker movement.
10. Port 80 is commonly used by HTTP.
3.17 Chapter Summary
In this chapter, learners studied network fundamentals for security professionals, including TCP/IP, IP addressing, ports, DNS, DHCP, HTTP, HTTPS, FTP, SSH, VPN and network architecture. These concepts are essential for cyber security monitoring, investigation and defense.