Security Basics
Network Security Basics
This lesson covers
The TCP/IP model from a security perspective → Ports, protocols, and what attackers target → Packet capture and traffic analysis → DNS — the protocol attackers abuse constantly → TLS and what encrypted traffic still reveals → Network reconnaissance with real tools
Every attack crosses a network at some point. Malware phones home. Attackers move laterally between systems. Credentials travel across connections. Data gets exfiltrated. The network is both the highway attackers use and the place defenders have the clearest view of what's happening. Understanding how traffic moves — and where it can be intercepted, filtered, or blocked — is foundational to every security role from SOC analyst to penetration tester.
The TCP/IP model — a security lens
The TCP/IP model describes how data moves across networks in four layers. Security controls map directly onto these layers — understanding which layer a control operates at tells you what it can and can't see, and what it can and can't stop.
④ Application Layer
HTTP, DNS, SMTP, SSH, TLS. Where application data lives. WAFs, DLP, and proxy inspection operate here. Encrypted traffic limits visibility at this layer.
③ Transport Layer
TCP and UDP. Port numbers live here. Firewalls filtering by port operate at this layer — they see source, destination, and port but not application content.
② Internet Layer
IP addresses and routing. Network-layer firewalls and IDS sensors operate here. IP-based blocking, routing controls, and geo-filtering live at this layer.
① Network Access Layer
Ethernet, MAC addresses, physical transmission. 802.1X port authentication and MAC filtering operate here. ARP spoofing attacks this layer.
Ports and protocols — the attacker's map
Ports are logical endpoints — numbers from 0 to 65535 that tell the OS which service a packet is destined for. Well-known ports (0–1023) are assigned to standard services. Knowing which services run on which ports, and which of those services have common vulnerabilities, is part of the basic mental model every security professional carries.
| Port | Protocol | Service | Security concern |
|---|---|---|---|
| 22 | TCP | SSH | Brute-force, credential stuffing — harden immediately |
| 23 | TCP | Telnet | Plaintext credentials — disable immediately |
| 53 | UDP/TCP | DNS | DNS tunnelling, exfiltration, cache poisoning |
| 80 / 443 | TCP | HTTP / HTTPS | Web attacks, C2 over HTTPS, data exfiltration |
| 445 | TCP | SMB | EternalBlue, lateral movement — never expose to internet |
| 3306 | TCP | MySQL | Direct database exposure — should never be internet-facing |
| 3389 | TCP | RDP | BlueKeep, brute-force — restrict to VPN only |
Packet capture — seeing the traffic
Packet capture is the practice of recording raw network traffic for analysis. It's used in incident response to understand what data left a network, in penetration testing to intercept credentials, and in network troubleshooting to diagnose communication failures. tcpdump is the command-line tool. Wireshark is the GUI equivalent.
# Capture all traffic on interface eth0
tcpdump -i eth0
# Capture only traffic to/from a specific host
tcpdump -i eth0 host 192.168.1.50
# Capture only DNS traffic (port 53)
tcpdump -i eth0 port 53
# Capture HTTP traffic and show packet contents
tcpdump -i eth0 -A port 80
# Save capture to file for Wireshark analysis
tcpdump -i eth0 -w /tmp/capture.pcap
# Read a saved capture and filter for failed TCP handshakes (SYN with no SYN-ACK)
tcpdump -r /tmp/capture.pcap 'tcp[tcpflags] & tcp-syn != 0 and tcp[tcpflags] & tcp-ack == 0'What just happened
The -A flag on the HTTP capture prints packet payloads as ASCII — on unencrypted HTTP traffic, this means you're reading actual request bodies, form submissions, and sometimes credentials in plaintext. The final filter captures TCP SYN packets without a corresponding ACK — the signature of a port scan or a connection attempt to a closed port. A flood of these from a single IP is a reconnaissance scan in progress.
DNS — the protocol that leaks everything
DNS translates domain names into IP addresses. It's also one of the most abused protocols in offensive security — used for command and control communication, data exfiltration, and network reconnaissance. Most organisations allow DNS traffic to pass their firewalls without inspection because blocking it would break the internet. Attackers know this.
DNS tunnelling encodes arbitrary data inside DNS queries and responses, effectively creating a covert communication channel through a protocol that firewalls almost never block. Malware that can't make a direct TCP connection out can still exfiltrate data by encoding it into subdomains: aGVsbG8.attacker-domain.com — the subdomain is base64-encoded payload.
# Manual DNS queries — understand what's resolving
dig example.com A # A record — IPv4 address
dig example.com MX # Mail servers
dig example.com TXT # Text records (SPF, DKIM, domain verification)
dig example.com NS # Nameservers
# Reverse DNS lookup — who owns this IP?
dig -x 8.8.8.8
# Detect potential DNS tunnelling — look for unusually long subdomains
# Legitimate DNS queries rarely exceed 50 characters in the subdomain
tcpdump -i eth0 -l port 53 | awk '{
if (length($NF) > 50) print "SUSPICIOUS LONG DNS QUERY: " $NF
}'
# Check your system's DNS resolver config
cat /etc/resolv.conf
# Flush DNS cache (useful after DNS poisoning)
systemd-resolve --flush-cachesWhat just happened
The dig commands cover the records that matter for security — TXT records often reveal email security configurations (SPF, DKIM), nameserver records reveal infrastructure, and MX records show where an organisation's mail goes. The DNS tunnelling detector is a simple heuristic: legitimate hostnames are short, tunnelled data encoded in subdomains is long. It's not foolproof but it catches the majority of unsophisticated DNS tunnelling tools with zero configuration.
TLS — encrypted but not invisible
TLS encrypts the content of network connections — preventing anyone intercepting the traffic from reading the payload. But TLS doesn't hide everything. The TLS handshake exposes the Server Name Indication (SNI) — the hostname the client is connecting to — in plaintext. IP addresses and connection metadata are always visible. Certificate details are visible. Timing and volume patterns are visible.
An analyst watching encrypted HTTPS traffic can't read the content, but can still see that a machine inside the network connected to a known malware C2 domain — the SNI gives it away. This is why DNS and SNI logging is part of modern network security monitoring even in fully encrypted environments.
# Inspect a TLS certificate — what is this server presenting?
openssl s_client -connect example.com:443 -servername example.com 2>/dev/null |
openssl x509 -noout -text | grep -E "Subject:|Issuer:|Not Before:|Not After:"
# Check what TLS versions and ciphers a server supports
nmap --script ssl-enum-ciphers -p 443 example.com
# Capture TLS SNI fields from live traffic (plaintext in handshake)
tcpdump -i eth0 -A port 443 2>/dev/null |
grep -oP '(?<=\x00\x00)[\x20-\x7e]{4,}' | grep '\.' | head -20
# Test for weak TLS configuration (requires testssl.sh)
./testssl.sh example.comWhat just happened
The openssl s_client command inspects what a server is actually presenting — the certificate issuer, subject, and validity window. Self-signed certs, expired certs, or certs issued to unexpected subjects are all red flags. The nmap cipher enumeration reveals whether a server still supports deprecated TLS 1.0 or weak cipher suites like RC4 — both are exploitable by downgrade attacks. testssl.sh automates this into a comprehensive report used in penetration tests and security audits.
Instructor's Note
Network security fundamentals feel abstract until you actually run a packet capture on a live network. The first time you watch credentials travel across unencrypted HTTP in plaintext, or see a machine in your lab making DNS queries to a suspicious domain, the concepts become permanent. Build a small lab — two VMs on a host-only network — and run tcpdump while generating traffic between them. Everything in this lesson becomes obvious the moment you can see the packets.
Practice Questions
Malware encodes stolen data into DNS subdomain queries sent to an attacker-controlled nameserver — bypassing firewall restrictions because DNS is almost never blocked. What technique is this?
TLS encrypts payload content but exposes one field in the handshake in plaintext that reveals which hostname the client is connecting to. What is this field called?
The TCP port used by SMB — exploited by EternalBlue and used extensively for lateral movement in Windows environments. It should never be exposed to the internet.
Quiz
A tcpdump filter shows hundreds of TCP SYN packets from a single external IP with no SYN-ACK responses from the server. What does this pattern indicate?
A firewall allows all outbound traffic on port 443. Malware on an internal host communicates with its C2 server over HTTPS on port 443. Why does the firewall not block this?
A network analyst is hunting for DNS tunnelling in captured traffic. Without a threat intelligence feed, what pattern in raw DNS queries is the most reliable indicator of potential tunnelling activity?
Up Next · Lesson 15
Firewalls & Access Control
Stateful vs stateless, next-gen firewalls, and the access control lists that decide what traffic lives and what traffic dies.