Lesson 2 of 8

How Networks Work


Why a Security Professional Needs to Understand Networks

You cannot protect what you do not understand. The vast majority of attacks, from initial scanning to data exfiltration, travel across the network. Understanding how devices communicate lets you recognize what is normal traffic and what is suspicious, where to place defenses, and how attackers think when probing a target.

A network is, in essence, a set of devices that exchange data following common rules called protocols. When you open a web page, your browser and the remote server carry out a carefully choreographed conversation of protocols stacked on top of one another. Understanding that stack is the first step toward defense.

IP Addresses: Identity on the Network

Every device connected to a network has an IP (Internet Protocol) address that uniquely identifies it within that network. In IPv4, this address takes the form of four numbers separated by dots, such as 192.168.1.10, where each number ranges from 0 to 255. Because IPv4 addresses ran out, IPv4 now coexists with IPv6, which uses much longer addresses written in hexadecimal.

There are public addresses, routable on the Internet, and private addresses (such as the 192.168.x.x or 10.x.x.x ranges) that only work within local networks. Network Address Translation (NAT) lets many private devices share a single public address. For an attacker, discovering an organization's address range is one of the first steps of reconnaissance.

Ports and the TCP/IP Model

If the IP address identifies the device, ports identify the specific service within that device. A server can run many services at once: a website on port 443 (HTTPS), mail on 25 (SMTP), remote SSH access on 22. There are 65,535 ports, and the first 1,024 are known as "well-known" ports because they are reserved for standard services.

The TCP/IP model organizes communication into layers. At the transport layer two key protocols coexist: TCP (Transmission Control Protocol), connection-oriented and reliable, which guarantees that data arrives complete and in order through a setup process called the three-way handshake (SYN, SYN-ACK, ACK); and UDP (User Datagram Protocol), faster but without guarantees, used by services such as streaming or DNS.

Understanding ports and protocols is essential because a service exposed on an open port is a potential entry point. Tools like Nmap (nmap -sV 192.168.1.10) let you scan which ports are open and which services run behind them, something both defenders do to audit and attackers do to map targets.

DNS: the Phone Book of the Internet

People remember names like example.com, but machines communicate by IP addresses. DNS (Domain Name System) is the system that translates domain names into IP addresses. When you type a URL, your machine queries a DNS server that responds with the corresponding IP, and only then is the real connection established.

DNS is so central that it has become a frequent target. Attacks such as DNS spoofing or cache poisoning redirect victims to malicious servers without their noticing. DNS tunneling, in turn, abuses DNS queries to smuggle data out of a network covertly. That is why monitoring DNS traffic is a valuable defensive practice.
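As an added illustration of DNS monitoring (not part of the original lesson), the following sketch flags clients whose queries look like tunneling: very long labels, high-entropy subdomains, and many unique subdomains under one parent domain. The log format, the sample lines, the function names and the thresholds are all assumptions chosen for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed sample log ("<client_ip> <queried_name>"); names and IPs are made up.
SAMPLE_LOG = """\
192.168.1.10 www.example.com
192.168.1.10 mail.example.com
192.168.1.11 example.org
192.168.1.23 abcdefghijklmnopqrstuvwxyz234567.tunnel.test
192.168.1.23 bcdefghijklmnopqrstuvwxyz234567a.tunnel.test
192.168.1.23 cdefghijklmnopqrstuvwxyz234567ab.tunnel.test
192.168.1.23 defghijklmnopqrstuvwxyz234567abc.tunnel.test
"""

def shannon_entropy(text):
    """Bits per character; encoded payloads score higher than hostnames."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())

def parent_domain(name):
    # Simplification: treat the last two labels as the registered domain.
    # Production code should consult the Public Suffix List instead.
    return ".".join(name.rstrip(".").lower().split(".")[-2:])

def find_tunnel_candidates(log, max_label=30, min_entropy=4.0, max_unique=3):
    """Return {(client, parent_domain): [reasons]} for suspicious pairs."""
    unique, reasons = defaultdict(set), defaultdict(set)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        client, name = parts
        labels = name.rstrip(".").lower().split(".")[:-2]
        if not labels:
            continue  # bare domain, no subdomain to inspect
        key = (client, parent_domain(name))
        unique[key].add(".".join(labels))
        if max(len(label) for label in labels) > max_label:
            reasons[key].add("long_label")
        payload = "".join(labels)
        if len(payload) >= 16 and shannon_entropy(payload) >= min_entropy:
            reasons[key].add("high_entropy")
    for key, subdomains in unique.items():
        if len(subdomains) > max_unique:
            reasons[key].add("many_unique_subdomains")
    return {key: sorted(found) for key, found in reasons.items()}

if __name__ == "__main__":
    print(find_tunnel_candidates(SAMPLE_LOG))
```

The thresholds need tuning against your own baseline, since CDNs and some security products legitimately generate long, random-looking names.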

From the Network to Security

With these fundamentals, you can already see the network as a map of possible attack paths and control points. A firewall filters traffic based on IPs and ports; an intrusion detection system (IDS) analyzes suspicious patterns; network segmentation limits how far an attacker can move once inside.

In the following lessons we will apply this knowledge by studying concrete threats and how they take advantage of network services, as well as the cryptographic tools that protect information while it travels through these channels.