TCP/IP Networking Basics for Security Professionals
A concise overview of the TCP/IP model, how data flows across networks, and why understanding it matters for cybersecurity.
You cannot defend a network you do not understand. Every attack, from port scanning to man-in-the-middle interception, exploits the mechanics of how networks transmit data. Understanding TCP/IP gives you the foundation to recognize what normal traffic looks like and spot what does not belong.
The TCP/IP model organizes network communication into four layers, each with a specific responsibility.
The Network Access Layer handles the physical transmission of data across a specific medium: Ethernet cables, Wi-Fi radio waves, or fiber optics. Devices at this layer are identified by MAC addresses. Switches operate here, forwarding frames to the correct port based on MAC address tables. Attacks at this layer include ARP spoofing, where an attacker sends forged ARP replies so that other hosts associate the attacker's MAC address with a victim's IP address and send that victim's traffic to the attacker instead. This works because ARP has no authentication: hosts accept unsolicited replies and overwrite their ARP caches with whatever they receive.
The Internet Layer manages addressing and routing. IP (Internet Protocol) assigns logical addresses to devices and determines how packets travel from source to destination across multiple networks. Routers operate at this layer. Each packet contains a source IP and destination IP, and nothing in IP verifies that the source address is genuine. Attackers exploit this through IP spoofing, forging the source address to disguise the origin of an attack or to aim replies at a third party (reflection). Spoofing is practical mainly for connectionless traffic such as UDP and ICMP: a spoofed TCP connection cannot be completed, because the server's SYN-ACK goes to the forged address and the attacker never learns the sequence number it must acknowledge.
The Transport Layer provides end-to-end communication between applications. TCP (Transmission Control Protocol) offers reliable, ordered delivery with connection establishment via a three-way handshake: SYN, SYN-ACK, ACK. UDP (User Datagram Protocol) provides faster, connectionless delivery with no delivery or ordering guarantees. Port numbers at this layer identify specific services. Attacks targeting this layer include SYN floods, which fill a server's backlog of half-open connections by sending thousands of SYN packets (usually from spoofed sources) and never sending the final ACK, so legitimate clients cannot get a slot. SYN cookies are the standard mitigation: the server encodes the connection state in its initial sequence number instead of allocating memory until the handshake completes.
The Application Layer is where user-facing protocols operate: HTTP for web traffic, DNS for name resolution, SMTP for email, SSH for secure remote access. Most vulnerabilities that security teams encounter exist at this layer, including SQL injection, cross-site scripting, and command injection.
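The four layers above are easiest to see in a real frame, where each layer's header wraps the one above it. The following is an added example, not code from the original article: it builds a constructed Ethernet/IPv4/TCP frame (locally administered MAC addresses and TEST-NET-1 IP addresses, chosen for the sample) and then dissects it bottom-up the way Wireshark does, returning one entry per layer. The IPv4 header checksum is verified so that a corrupted or truncated header is rejected rather than silently misparsed; the TCP checksum is left at zero because the frame is never sent.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
# TCP flag bits, low nine bits of the data-offset/flags word (RFC 793, RFC 3168).
TCP_FLAGS = {0x001: "FIN", 0x002: "SYN", 0x004: "RST", 0x008: "PSH",
             0x010: "ACK", 0x020: "URG", 0x040: "ECE", 0x080: "CWR", 0x100: "NS"}


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words. Over a complete header
    (checksum field included) the result is 0 when the header is intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def flag_names(bits: int) -> list:
    return [name for bit, name in sorted(TCP_FLAGS.items()) if bits & bit]


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Encapsulate top-down: TCP segment -> IPv4 packet -> Ethernet frame.
    Sequence numbers and the TCP checksum stay zero; this constructed frame
    is only ever parsed, never transmitted."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64,
                      IPPROTO_TCP, 0,
                      bytes(int(o) for o in src_ip.split(".")),
                      bytes(int(o) for o in dst_ip.split(".")))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    eth = struct.pack("!6s6sH", bytes.fromhex(dst_mac.replace(":", "")),
                      bytes.fromhex(src_mac.replace(":", "")), ETHERTYPE_IPV4)
    return eth + hdr + tcp + payload


def parse_frame(raw: bytes) -> dict:
    """Decapsulate bottom-up and return one entry per TCP/IP layer."""
    # Network Access layer: Ethernet II header, 14 bytes, MAC addresses first.
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", raw[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not IPv4: ethertype 0x%04x" % ethertype)
    ip = raw[14:]

    # Internet layer: header length is variable (IHL in 32-bit words), so
    # honour it instead of assuming 20 bytes, and verify the checksum.
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("malformed IPv4 header")
    if ipv4_checksum(ip[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_TCP:
        raise ValueError("not TCP: protocol %d" % ip[9])
    tcp = ip[ihl:total_len]

    # Transport layer: ports, sequence/ack numbers, data offset and flags.
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    flags = flag_names(off_flags & 0x1FF)

    # Application layer: whatever follows the TCP header (and any options).
    payload = tcp[data_off:]
    return {
        "network_access": {"src_mac": mac_str(src_mac), "dst_mac": mac_str(dst_mac)},
        "internet": {"src_ip": ip_str(ip[12:16]), "dst_ip": ip_str(ip[16:20]), "ttl": ip[8]},
        "transport": {"src_port": sport, "dst_port": dport, "seq": seq,
                      "ack": ack, "flags": flags},
        "application": payload,
    }


# Constructed sample: a SYN from one host to TCP/445 on another, using
# locally administered MACs and TEST-NET-1 addresses.
SAMPLE_FRAME = build_frame("02:00:00:00:00:01", "02:00:00:00:00:02",
                           "192.0.2.10", "192.0.2.20", 51515, 445, 0x002)

if __name__ == "__main__":
    for layer, fields in parse_frame(SAMPLE_FRAME).items():
        print("%-15s %s" % (layer, fields))
```

Run it and the output reads top to bottom like a Wireshark packet detail pane: MAC addresses from the Network Access layer, IP addresses and TTL from the Internet layer, ports and flags from the Transport layer, and the raw payload left for the Application layer.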
Ports are numbered endpoints (0-65535) at the transport layer that identify specific services on a device. Well-known ports include 22 (SSH), 53 (DNS), 80 (HTTP), 443 (HTTPS), and 3389 (RDP). These assignments are conventions, not guarantees: a service can listen on any port, and attackers routinely run tunnels or command-and-control traffic on 443 to blend in with HTTPS. When you run a port scan with Nmap, you are checking which ports are open and listening on a target system; finding out what is actually listening there takes service and version detection (Nmap's -sV), not just the port number.
The three-way handshake establishes TCP connections. Your machine sends a SYN, the server replies with SYN-ACK, and your machine completes the process with an ACK; each side announces its initial sequence number during this exchange. Understanding this is critical for interpreting packet captures and recognizing anomalies like half-open connections, where the server has sent its SYN-ACK but the final ACK never arrives, SYNs answered with RST (a closed port), and SYNs that draw no reply at all (a filtered port, or a spoofed source that cannot receive the answer).
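The handshake states described here, and the SYN flood from the transport-layer discussion above, can be reconstructed from a packet list with a small state machine. The following is an added example, not code from the original article; the packets are constructed (TEST-NET addresses), and the per-source threshold for calling something a SYN flood is an assumption chosen for this sample. Each connection is keyed from the side that sent the first SYN, so replies are matched by reversing the tuple.

```python
from collections import Counter

SYN_FLOOD_THRESHOLD = 3  # assumed: half-open connections per source before alerting


def track_handshakes(packets):
    """Replay packets in order and return the state of each attempted connection.

    Keys are (client_ip, client_port, server_ip, server_port), oriented from
    the side that sent the first SYN. States: SYN_SENT (no reply yet),
    SYN_RECEIVED (server answered, client's ACK outstanding: half-open),
    ESTABLISHED (handshake complete), RESET (either side sent RST).
    """
    states = {}
    for _ts, src, sport, dst, dport, flags in packets:
        forward = (src, sport, dst, dport)      # as seen from a client -> server packet
        reverse = (dst, dport, src, sport)      # as seen from a server -> client packet
        if flags == {"SYN"}:
            states[forward] = "SYN_SENT"                 # step 1: SYN
        elif flags == {"SYN", "ACK"}:
            if states.get(reverse) == "SYN_SENT":
                states[reverse] = "SYN_RECEIVED"         # step 2: SYN-ACK
        elif "RST" in flags:
            for key in (forward, reverse):
                if key in states:
                    states[key] = "RESET"
        elif "ACK" in flags:
            if states.get(forward) == "SYN_RECEIVED":
                states[forward] = "ESTABLISHED"          # step 3: ACK
    return states


def summarize(states):
    """Group connections by outcome, the view an analyst wants from a capture."""
    buckets = {"ESTABLISHED": "established", "SYN_RECEIVED": "half_open",
               "SYN_SENT": "unanswered", "RESET": "reset"}
    summary = {name: [] for name in buckets.values()}
    for key, state in states.items():
        summary[buckets[state]].append(key)
    return summary


def syn_flood_sources(states, threshold=SYN_FLOOD_THRESHOLD):
    """Sources holding many half-open connections: the SYN flood signature."""
    counts = Counter(key[0] for key, state in states.items() if state == "SYN_RECEIVED")
    return {src: n for src, n in counts.items() if n >= threshold}


# Constructed packets: (timestamp, src_ip, src_port, dst_ip, dst_port, flags).
PACKETS = [
    # A complete handshake to HTTPS.
    (1.00, "192.0.2.10", 51515, "192.0.2.20", 443, {"SYN"}),
    (1.01, "192.0.2.20", 443, "192.0.2.10", 51515, {"SYN", "ACK"}),
    (1.02, "192.0.2.10", 51515, "192.0.2.20", 443, {"ACK"}),
    # A SYN to a closed port: the server refuses with RST+ACK.
    (2.00, "192.0.2.10", 51516, "192.0.2.20", 8080, {"SYN"}),
    (2.01, "192.0.2.20", 8080, "192.0.2.10", 51516, {"RST", "ACK"}),
    # Three SYNs from one source that are answered but never completed.
    (3.00, "203.0.113.7", 40001, "192.0.2.20", 443, {"SYN"}),
    (3.00, "192.0.2.20", 443, "203.0.113.7", 40001, {"SYN", "ACK"}),
    (3.01, "203.0.113.7", 40002, "192.0.2.20", 443, {"SYN"}),
    (3.01, "192.0.2.20", 443, "203.0.113.7", 40002, {"SYN", "ACK"}),
    (3.02, "203.0.113.7", 40003, "192.0.2.20", 443, {"SYN"}),
    (3.02, "192.0.2.20", 443, "203.0.113.7", 40003, {"SYN", "ACK"}),
    # A SYN that draws no reply: a filtered port, or a spoofed source.
    (4.00, "192.0.2.11", 51000, "192.0.2.30", 22, {"SYN"}),
]

if __name__ == "__main__":
    states = track_handshakes(PACKETS)
    for outcome, conns in summarize(states).items():
        print(outcome, conns)
    print("possible SYN flood from:", syn_flood_sources(states))
```

On a real capture the tuples would come from a dissector (the flags column of tshark, for instance) rather than a hand-written list; the state machine itself does not change.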
DNS resolution translates human-readable domain names into IP addresses. When you enter a URL, your system queries a DNS resolver, which in turn may query the root servers, the TLD servers, and the domain's authoritative nameservers before caching the answer. DNS is a frequent attack vector because it is usually unencrypted (plain UDP on port 53) and implicitly trusted: a resolver accepts a reply as the answer to its query if the 16-bit transaction ID, the source port and the echoed question match, so an attacker who can forge a matching reply can poison its cache. Malware also uses DNS queries as a covert channel, since outbound DNS is allowed almost everywhere.
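The trust problem is visible in the wire format. The following is an added example, not code from the original article: it builds a DNS query, parses a hand-constructed response (TEST-NET addresses, not a real resolver's answer), and shows how little binds the two together. The response uses a name compression pointer, which any DNS parser has to handle and which is also where sloppy parsers loop or read out of bounds, so the decoder bounds the number of pointer hops.

```python
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Wire form: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid: int, qtype: int = QTYPE_A) -> bytes:
    # Header: ID, flags (only RD set), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def decode_name(msg: bytes, offset: int):
    """Return (name, offset just past the name), following compression pointers.
    The returned offset is where parsing continues in the outer record, not
    the pointer target; the hop count guards against pointer loops."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                    # 11xxxxxx: 14-bit pointer
            target = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, target, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (end if jumped else offset)


def parse_message(msg: bytes) -> dict:
    """Parse header, question and answer sections (authority/additional ignored)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = decode_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "questions": questions, "answers": answers}


def build_response(query: bytes, address: str, ttl: int = 300) -> bytes:
    """Constructed A-record answer. The answer's name is the pointer 0xC00C,
    meaning 'the name at offset 12', which is where the question begins."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
              + bytes(int(o) for o in address.split(".")))
    return header + query[12:] + answer


def response_matches(query: bytes, response: bytes) -> bool:
    """Everything that binds a reply to a query at this layer: the QR bit, the
    16-bit ID and the echoed question (the UDP source port is checked by the
    transport layer). Guess these and a forged answer is accepted."""
    q, r = parse_message(query), parse_message(response)
    return r["is_response"] and q["id"] == r["id"] and q["questions"] == r["questions"]


# Constructed exchange with TEST-NET addresses; not a real resolver's answer.
QUERY = build_query("example.com", 0x1A2B)
RESPONSE = build_response(QUERY, "192.0.2.1")
FORGED = build_response(build_query("example.com", 0x9999), "198.51.100.99")

if __name__ == "__main__":
    print(parse_message(RESPONSE))
    print("genuine accepted:", response_matches(QUERY, RESPONSE))
    print("forged accepted: ", response_matches(QUERY, FORGED))
```

The forged reply fails only because its transaction ID is wrong; an attacker who sends many guesses, or who knows the ID, passes this check. That is why resolvers randomize both the ID and the source port, and why DNSSEC or encrypted transports (DoT, DoH) are needed for real assurance.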
NAT (Network Address Translation) allows multiple devices on a private network to share a single public IP address: the gateway rewrites source addresses and ports on the way out, keeps a translation table, and uses it to rewrite replies on the way back in. NAT is not a security control. Unsolicited inbound connections are dropped only because no translation entry exists for them, not because any policy was applied, and NAT says nothing about what leaves the network. It does obscure the internal address layout from external observers.
When you analyze a packet capture in Wireshark, you are reading data organized by these layers. Understanding TCP/IP lets you answer questions like: Why is this device sending DNS queries to an external server instead of our internal resolver? Why are there SYN packets to port 445 coming from a workstation that should not be running SMB? Why is this connection using an unusual combination of TCP flags?
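Each of those three questions can be written down as a detection rule and run over flow records, which is how they end up in a SIEM or a Zeek script. The following is an added example, not code from the original article; the internal resolver address, the workstation subnet and the flow records are constructed assumptions for the sample. The SMB rule is scoped to workstation-to-workstation connections, since clients normally talk SMB only to file servers and peer-to-peer 445 is the lateral-movement pattern; the flag rule matches combinations no conforming TCP stack sends but scanners do.

```python
import ipaddress

# Assumptions for this sample network, not facts from the article.
INTERNAL_RESOLVERS = {"10.0.0.53"}
WORKSTATION_NET = ipaddress.ip_network("10.0.20.0/24")
# Flag combinations a real TCP stack never sends, but scanners do.
SUSPICIOUS_FLAG_SETS = {
    frozenset(): "NULL scan (no flags set)",
    frozenset({"FIN", "PSH", "URG"}): "Xmas scan",
    frozenset({"SYN", "FIN"}): "SYN+FIN, invalid combination",
    frozenset({"SYN", "RST"}): "SYN+RST, invalid combination",
}


def check_flow(flow: dict) -> list:
    """Return (rule, detail) findings for one flow record; empty if it looks normal."""
    findings = []
    src = ipaddress.ip_address(flow["src"])
    dst = ipaddress.ip_address(flow["dst"])

    # Q1: DNS to a resolver we do not operate. Bypasses logging and filtering
    # on the internal resolver and is a common C2 / exfiltration channel.
    if flow["dport"] == 53 and flow["dst"] not in INTERNAL_RESOLVERS:
        findings.append(("dns-external-resolver",
                         "%s -> %s:53 (%s)" % (src, dst, flow["proto"])))

    # Q2: a workstation opening SMB to another workstation. Clients talk SMB
    # to file servers, not to each other; peer-to-peer 445 is lateral movement.
    if (flow["proto"] == "tcp" and flow["dport"] == 445 and flow["flags"] == {"SYN"}
            and src in WORKSTATION_NET and dst in WORKSTATION_NET):
        findings.append(("workstation-to-workstation-smb",
                         "%s -> %s:445 SYN" % (src, dst)))

    # Q3: flag combinations no conforming stack produces.
    if flow["proto"] == "tcp":
        label = SUSPICIOUS_FLAG_SETS.get(frozenset(flow["flags"]))
        if label:
            findings.append(("tcp-flags",
                             "%s -> %s:%d %s" % (src, dst, flow["dport"], label)))
    return findings


def triage(flows):
    """Run every flow through the rules; returns (timestamp, rule, detail) alerts."""
    return [(f["ts"], rule, detail) for f in flows for rule, detail in check_flow(f)]


# Constructed flow records in the style of a flow export or Zeek conn log.
FLOWS = [
    {"ts": "12:00:01", "src": "10.0.20.15", "dst": "10.0.0.53", "proto": "udp",
     "sport": 53211, "dport": 53, "flags": set()},
    {"ts": "12:00:02", "src": "10.0.20.15", "dst": "203.0.113.53", "proto": "udp",
     "sport": 53212, "dport": 53, "flags": set()},
    {"ts": "12:00:03", "src": "10.0.20.15", "dst": "10.0.20.40", "proto": "tcp",
     "sport": 50022, "dport": 445, "flags": {"SYN"}},
    {"ts": "12:00:04", "src": "10.0.20.15", "dst": "10.0.10.5", "proto": "tcp",
     "sport": 50023, "dport": 445, "flags": {"SYN"}},
    {"ts": "12:00:05", "src": "198.51.100.9", "dst": "10.0.10.5", "proto": "tcp",
     "sport": 61000, "dport": 80, "flags": {"FIN", "PSH", "URG"}},
    {"ts": "12:00:06", "src": "10.0.20.15", "dst": "10.0.10.5", "proto": "tcp",
     "sport": 50024, "dport": 443, "flags": {"PSH", "ACK"}},
]

if __name__ == "__main__":
    for ts, rule, detail in triage(FLOWS):
        print(ts, rule, detail)
```

Three of the six records fire: the DNS query to 203.0.113.53, the SYN to 445 on a neighbouring workstation, and the Xmas-flagged segment from outside. The query to the internal resolver, the SMB connection to the file server and the ordinary HTTPS data segment produce nothing, which is the point of tying each rule to a layer-specific detail rather than to a port alone.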
Every security tool you use, from firewalls to intrusion detection systems, operates by examining and filtering traffic at one or more of these layers.
Written by CDA Wiki Team