Network models and the protocols that matter
OSI vs TCP/IP, encapsulation, and the core protocols you must be able to reason about: IP, TCP, UDP, DNS, DHCP, ARP.
Two models, one reality
Networks are taught as layered models because layering lets each part evolve independently. You can swap Wi-Fi for Ethernet without rewriting your web browser. Two models dominate.
The OSI model has seven layers and is the common vocabulary ("that's a layer 7 attack"). The TCP/IP model has four and is what the internet actually runs. Learn the OSI layers cold; questions reference them constantly.
| OSI layer | Name | Job | Examples |
|---|---|---|---|
| 7 | Application | What the user or app sees | HTTP, DNS, SMTP |
| 6 | Presentation | Formatting, encryption | TLS, encoding |
| 5 | Session | Managing connections | session setup/teardown |
| 4 | Transport | End-to-end delivery | TCP, UDP |
| 3 | Network | Routing between networks | IP, ICMP |
| 2 | Data link | Same-network delivery | Ethernet, MAC, ARP |
| 1 | Physical | Bits on the wire | cables, radio |
A mnemonic for 7→1: All People Seem To Need Data Processing. The TCP/IP model collapses these into Application (7–5), Transport (4), Internet (3) and Network Access / Link (2–1).
Where security lives: firewalls filtering ports operate at layer 4, a WAF inspecting HTTP is layer 7, ARP spoofing is layer 2, and TLS sits around layer 6. Being able to say "this attack or control is at layer X" is half of network-security exam technique.
Encapsulation
As data goes down the stack on the sender, each layer wraps it with its own header, and the link layer adds a trailer. The receiver reverses this up the stack. The names of the wrapped units matter:
- Transport layer → segment (TCP) or datagram (UDP)
- Network layer → packet (with source/destination IP)
- Data link layer → frame (with source/destination MAC)
So your HTTP request ends up as application data inside a TCP segment inside an IP packet inside an Ethernet frame. An attacker capturing traffic sees all these layers at once, which is exactly what Wireshark displays.
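To make the nesting concrete, here is an added example (not code from the page) that builds an HTTP request into a TCP segment, an IPv4 packet and an Ethernet frame with the standard library, then peels the layers back off in the order a capture tool would. The MAC and IP addresses are constructed sample values, TCP checksum is left at zero, and the Ethernet FCS trailer is omitted because hardware adds it.

```python
import socket
import struct

# Constructed sample addresses for the example (assumptions, not from the page).
SRC_MAC, DST_MAC = bytes.fromhex("0200000000aa"), bytes.fromhex("0200000000bb")
SRC_IP, DST_IP = "192.168.1.10", "192.168.1.20"
IPV4_HDR = "!BBHHHBBH4s4s"   # ver/IHL, TOS, total len, id, flags/frag, TTL, proto, checksum, src, dst

def ip_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; a valid header checksums to zero."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def encapsulate(app_data: bytes, sport: int, dport: int, seq: int) -> bytes:
    """Application data -> TCP segment -> IPv4 packet -> Ethernet frame (no FCS trailer)."""
    # TCP: ports, seq, ack, data offset 5 words, flags PSH|ACK, window, checksum left 0, urgent ptr.
    segment = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + app_data
    fields = [0x45, 0, 20 + len(segment), 0x1234, 0x4000, 64, 6, 0,
              socket.inet_aton(SRC_IP), socket.inet_aton(DST_IP)]
    fields[7] = ip_checksum(struct.pack(IPV4_HDR, *fields))   # checksum computed over a zeroed field
    packet = struct.pack(IPV4_HDR, *fields) + segment
    # Ethernet II: dst MAC, src MAC, EtherType 0x0800 = IPv4.
    return DST_MAC + SRC_MAC + struct.pack("!H", 0x0800) + packet

def decapsulate(frame: bytes) -> dict:
    """Peel the frame back one layer at a time, the way a capture tool displays it."""
    dst_mac, src_mac, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    src_ip, dst_ip = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    segment = packet[ihl:]
    sport, dport, seq = struct.unpack("!HHI", segment[:8])
    data_offset = (segment[12] >> 4) * 4
    return {
        "frame": (src_mac.hex(":"), dst_mac.hex(":"), hex(ethertype)),
        "packet": (src_ip, dst_ip, packet[9]),          # packet[9] is the protocol number (6 = TCP)
        "segment": (sport, dport, seq),
        "data": segment[data_offset:],
    }
```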
IP addressing basics
IPv4 addresses are 32 bits, written as four octets (192.168.1.10). A subnet mask or CIDR suffix (/24) splits the address into a network part and a host part. /24 means the first 24 bits identify the network, leaving 8 bits (256 addresses, 254 usable) for hosts.
Private ranges (RFC 1918) are not routable on the internet and sit behind NAT:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
IPv6 uses 128-bit addresses (e.g. 2001:db8::1), solving IPv4 exhaustion. Know that it exists, that it is often dual-stacked alongside IPv4, and that forgetting to firewall the IPv6 path is a real-world oversight.
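The subnet arithmetic above, worked through in code as an added example (not from the page): the prefix length becomes a bit mask, the mask splits an address into network and host parts, and the same mask test decides whether an address falls inside one of the RFC 1918 ranges. The /31 and /32 handling (RFC 3021 point-to-point links and single hosts) goes beyond the /24 case the text shows.

```python
# RFC 1918 private ranges as (network, prefix length), as listed on the page.
RFC1918 = (("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16))

def ip_to_int(addr: str) -> int:
    """Pack dotted-quad text into the 32-bit integer a router actually compares."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_mask(prefix: int) -> int:
    """Mask with the first `prefix` bits set, e.g. /24 -> 0xFFFFFF00 (255.255.255.0)."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def describe(cidr: str) -> dict:
    """Split address/prefix into network part, broadcast, and usable host count."""
    addr, prefix = cidr.split("/")
    prefix = int(prefix)
    mask = prefix_mask(prefix)
    network = ip_to_int(addr) & mask
    host_bits = 32 - prefix
    # /31 (point-to-point, RFC 3021) and /32 (single host) reserve no network/broadcast addresses.
    usable = (1 << host_bits) - 2 if host_bits >= 2 else (1 << host_bits)
    return {
        "network": int_to_ip(network),
        "broadcast": int_to_ip(network | (~mask & 0xFFFFFFFF)),
        "mask": int_to_ip(mask),
        "addresses": 1 << host_bits,
        "usable": usable,
    }

def is_private(addr: str) -> bool:
    """True if the address falls inside one of the RFC 1918 ranges (mask-and-compare check)."""
    n = ip_to_int(addr)
    return any(n & prefix_mask(p) == ip_to_int(net) for net, p in RFC1918)
```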
The transport layer: TCP vs UDP
This contrast comes up everywhere.
TCP is connection-oriented and reliable. It guarantees ordered, complete delivery through sequence numbers, acknowledgements and retransmission. It opens with the three-way handshake:
- Client → server: SYN (request to talk, here's my sequence number)
- Server → client: SYN-ACK (agreed, here's mine)
- Client → server: ACK (confirmed): connection established
This handshake is the basis of several attacks and scans. A SYN flood sends many SYNs and never completes the handshake, exhausting the server's half-open connection table (a DoS). A SYN/half-open scan does the same to learn which ports respond without fully connecting.
UDP is connectionless and unreliable: fire and forget, with no handshake, ordering or retransmission. Lower overhead and latency mean it's used for DNS, DHCP, NTP, VoIP, gaming and video. Its lack of handshake also makes it the workhorse of amplification DDoS (spoof the victim's address, send a small query to a service that replies with a huge response).
| | TCP | UDP |
|---|---|---|
| Connection | Yes (handshake) | No |
| Reliability | Guaranteed, ordered | Best effort |
| Speed/overhead | Higher overhead | Lower, faster |
| Uses | Web, email, file transfer | DNS, DHCP, streaming, VoIP |
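Because both the SYN flood and the half-open scan leave handshakes unfinished, a defender can spot either by tracking each flow's handshake state. The following is an added example (not from the page) that replays a constructed capture summary: it follows each client/server/port through SYN, SYN-ACK (or RST-ACK for a closed port) and ACK, then reports servers holding many half-open connections and clients that probed many ports without completing. The addresses, ports and thresholds are constructed values.

```python
from collections import defaultdict

# Constructed capture summary, one packet per line: "src dst sport dport flags" (not from the page).
SAMPLE = [
    "10.0.0.5 192.168.1.20 51000 80 S",      # a normal client: SYN, SYN-ACK, ACK
    "192.168.1.20 10.0.0.5 80 51000 SA",
    "10.0.0.5 192.168.1.20 51000 80 A",
]
for port in (22, 80, 443, 8080, 3306):       # one host probes five ports and never sends the final ACK
    SAMPLE.append(f"10.0.0.9 192.168.1.20 52000 {port} S")
    SAMPLE.append(f"192.168.1.20 10.0.0.9 {port} 52000 " + ("SA" if port in (22, 80, 443) else "RA"))
for i in range(1, 41):                       # forty spoofed sources each leave port 443 half-open
    SAMPLE.append(f"203.0.113.{i} 192.168.1.20 {40000 + i} 443 S")
    SAMPLE.append(f"192.168.1.20 203.0.113.{i} 443 {40000 + i} SA")

def handshake_states(lines):
    """Follow each (client, server, port) through SYN -> SYN-ACK -> ACK, or SYN -> RST-ACK."""
    flows = {}
    for line in lines:
        src, dst, sport, dport, flags = line.split()
        if flags == "S":                         # client opens; key the flow from the client's side
            flows[(src, dst, int(dport))] = "syn"
        elif flags in ("SA", "RA"):              # server answers, so swap the direction back
            key = (dst, src, int(sport))
            if flows.get(key) == "syn":
                flows[key] = "half-open" if flags == "SA" else "refused"
        elif flags == "A":                       # client's final ACK completes the handshake
            key = (src, dst, int(dport))
            if flows.get(key) == "half-open":
                flows[key] = "open"
    return flows

def report(flows, flood_threshold=20, scan_threshold=5):
    """Servers holding many half-open connections, and clients probing many ports without finishing."""
    half_open = defaultdict(int)
    unfinished = defaultdict(set)
    for (client, server, port), state in flows.items():
        if state == "half-open":
            half_open[server] += 1
        if state != "open":
            unfinished[client].add(port)
    return {
        "syn_flood_targets": {s: n for s, n in half_open.items() if n >= flood_threshold},
        "scan_sources": {c: sorted(p) for c, p in unfinished.items() if len(p) >= scan_threshold},
    }
```

In a real deployment the state table needs an age-out so that a legitimately slow client is not counted forever, and the thresholds should be tuned against the segment's normal traffic.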
Supporting protocols you'll be asked about
DNS resolves names to IP addresses (port 53). It's foundational and frequently abused. DNS spoofing/cache poisoning feeds a resolver false records, and DNS tunnelling smuggles data inside DNS queries to bypass filtering and exfiltrate. DNSSEC adds integrity (signed records) but not confidentiality, while DoH/DoT add confidentiality by wrapping DNS in TLS.
DHCP automatically assigns IP configuration (ports 67/68) via the DORA exchange: Discover, Offer, Request, Acknowledge. A rogue DHCP server can hand clients a malicious gateway/DNS, setting up a man-in-the-middle.
ARP maps IP addresses to MAC addresses on the local network (layer 2). It has no authentication, so a host can simply claim to own any IP. That's the basis of ARP spoofing/poisoning, which redirects a victim's traffic through the attacker, and it underpins most local-network man-in-the-middle attacks.
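Since ARP has no authentication, the practical defence is to watch the IP-to-MAC table for changes, as the added example below does (not code from the page). It replays a constructed sequence of ARP replies, pins the gateway the way a static entry would, and raises alerts when a pinned IP is claimed by another MAC, when any IP's MAC changes, or when one MAC answers for several IPs. All addresses are constructed sample values.

```python
from collections import defaultdict

# Constructed ARP replies seen on one segment, in order (not from the page): (claimed IP, sender MAC).
ARP_LOG = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),    # real gateway
    ("192.168.1.20", "aa:bb:cc:00:00:20"),   # a workstation
    ("192.168.1.30", "AA:BB:CC:00:00:30"),   # another host (MAC case varies between tools)
    ("192.168.1.1", "aa:bb:cc:00:00:30"),    # .30 now answers for the gateway's IP
    ("192.168.1.20", "aa:bb:cc:00:00:30"),   # ... and for the workstation's IP
]

def watch_arp(replies, pinned=None):
    """Replay ARP replies into an IP->MAC table; flag remaps, pinned-entry conflicts and multi-IP MACs."""
    pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}   # static entries, like arp -s
    table = dict(pinned)
    claims = defaultdict(set)                  # which IPs each MAC has answered for
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        claims[mac].add(ip)
        if ip in pinned and mac != pinned[ip]:
            alerts.append(("critical", f"pinned {ip} ({pinned[ip]}) claimed by {mac}"))
            continue                           # a pinned entry is never overwritten
        previous = table.get(ip)
        if previous is not None and previous != mac:
            alerts.append(("warning", f"{ip} moved from {previous} to {mac}"))
        table[ip] = mac
    for mac, ips in claims.items():
        if len(ips) > 1:
            alerts.append(("warning", f"{mac} answered for {sorted(ips)}"))
    return table, alerts
```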
ICMP is the network's diagnostic protocol, used by ping and traceroute. It's useful to defenders and attackers alike (host discovery, and historically tunnelling).
NAT (Network Address Translation) lets many private hosts share one public IP. It's not a security control, but it does incidentally hide internal addressing and block unsolicited inbound connections.
Quick recall
- OSI 7→1: Application, Presentation, Session, Transport, Network, Data link, Physical. Be able to place an attack at a layer.
- Encapsulation: segment (TCP) → packet (IP) → frame (Ethernet/MAC).
- TCP = reliable, connection-oriented, three-way handshake (SYN, SYN-ACK, ACK). UDP = fast, connectionless, used for DNS/DHCP/streaming.
- DNS (53), DHCP (67/68, DORA), ARP (no auth → spoofing), ICMP (ping/traceroute).
- Private ranges: 10/8, 172.16/12, 192.168/16; behind NAT, not internet-routable.