Network Security Lesson 1 – What is Network Security | Dataplexa
Network Security · Lesson 1

What is Network Security?

Map the full landscape of network threats and defenses so you can identify what needs protecting and why it matters before a single rule is written.

A $4.45 Million Wake-Up Call

In 2023, IBM calculated the average cost of a single data breach at $4.45 million. That number covers forensics, legal fees, regulatory fines, customer notification, and the slow erosion of brand trust — but it does not capture the three-to-five-year ripple effect of customers who simply leave and never come back.

Most of those breaches started somewhere unremarkable: an open port no one remembered enabling, a password sprayed across a login page overnight, an email link clicked on a Tuesday afternoon. Network security is not a product you buy once. It is a discipline that treats every connection, every device, and every user as a potential entry point — and then makes it as hard as possible for the wrong traffic to get through.

How a Security Incident Typically Unfolds

1. Reconnaissance — an attacker maps the target, probing for open ports, software versions, and exposed services before touching anything.

2. Initial access — a vulnerability is exploited, a credential is guessed, or a phishing email convinces someone to hand over a session token.

3. Lateral movement — once inside, the attacker moves quietly across the network, escalating privileges and harvesting credentials.

4. Objective achieved — data is exfiltrated, ransomware is deployed, or the infrastructure is held hostage — often weeks after step one.

5. Detection & response — ideally the security team catches it early; more often they find out from a third party or a ransom note.

Network security exists to interrupt that chain at every possible stage — and ideally to detect the attempt before step two even completes. That requires understanding the full surface of the network: what is connected, what is running, and what those things are allowed to do.

Meet TechPulse — Your 40-Lesson Lab

TechPulse is a fast-growing tech startup with 200 employees spread across three cities and a significant remote workforce. Every lesson in this module follows TechPulse's IT and security team as they design, build, defend, and occasionally fix their network infrastructure.

The company runs five departments, each with distinct security needs. Marketing manages public-facing campaigns and ad platforms, generating constant outbound traffic to third-party services. Content handles media assets and internal publishing tools on shared drives. Engineering maintains production servers, CI/CD pipelines, and cloud infrastructure — the highest-value target in the building. Support connects to customer data all day via web apps and VPNs. Data runs analytics pipelines that pull from both internal databases and external APIs.

TechPulse's network has three tiers. The HQ office LAN in the main building connects 120 workstations, printers, IP cameras, and meeting room hardware on a flat internal network that the security team is actively trying to segment. The data center rack in a co-location facility hosts production databases, application servers, and a legacy reporting system that nobody wants to touch. The cloud environment on AWS runs microservices, a CDN, and an S3 storage layer for the Content team.

Confidentiality

Only the right people see the right data. Encryption, access controls, and network segmentation enforce this across every hop data takes between source and destination.

Integrity

Data cannot be tampered with in transit or at rest without detection. Hashing, digital signatures, and intrusion detection systems catch modifications before they cause damage.

Availability

Legitimate users can reach services when they need them. DDoS mitigation, redundant paths, and rate limiting ensure the network keeps working under attack or high load.

Accountability

Every action on the network is traceable to an identity, a device, and a timestamp. Logs, SIEM systems, and audit trails make it possible to reconstruct exactly what happened and when.

These four pillars — sometimes called the CIA triad with accountability added — are the lens every security decision gets measured against. When TechPulse's IT admin considers whether to allow the Marketing team's new analytics tool to connect directly to the production database, she is asking: does this preserve confidentiality, protect integrity, not hurt availability, and keep everything auditable? Spoiler: it does not, and it gets blocked.

What a Network Actually Looks Like

Before you can secure a network, you need a mental model of what one is. A network is any collection of devices that can exchange data with each other — from two laptops connected over Wi-Fi to the global infrastructure of a cloud provider serving requests from every continent simultaneously.

Every device on a network gets an IP address — a numerical label that works like a postal address. When your laptop requests a webpage, it sends packets (small chunks of data) from its IP address to the server's IP address. Routers along the path read those addresses and decide which direction to forward the packet, like postal workers sorting mail at each sorting office.

Why IP Addresses Matter for Security

Every firewall rule, every access control list, and every intrusion detection alert is anchored to IP addresses and port numbers. A port number identifies which service on a device should receive the traffic — port 443 is HTTPS web traffic, port 22 is SSH remote access, port 3306 is MySQL database connections. Knowing which ports should be open on which devices is one of the most fundamental acts of network security.

Networks are organized into segments — distinct zones where groups of devices live. The LAN (Local Area Network) is the private internal network inside an office or building. The WAN (Wide Area Network) connects geographically distant networks — typically the internet, or a private leased line between offices. The boundary between them is where most traditional security controls have historically lived, though modern architectures have moved those boundaries everywhere and nowhere at once.
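The "segments plus ports" model above is exactly what a firewall policy encodes. The following is an added example (not part of the lesson) of a minimal first-match rule evaluator for the TechPulse decision described earlier: Engineering may reach the production MySQL port, Marketing's analytics tool may not. The segment addresses, rule set and log format are assumptions made up for the example.

```python
"""Toy first-match firewall rule evaluator (added example, not from the lesson)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed TechPulse segments; the address ranges are assumptions.
SEGMENTS = {
    "marketing": ip_network("10.10.20.0/24"),
    "engineering": ip_network("10.10.30.0/24"),
    "prod_db": ip_network("10.50.1.0/24"),
}


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # segment name, or "any"
    dst: str               # segment name, or "any"
    port: Optional[int]    # None matches every destination port
    comment: str           # why the rule exists; shows up in the decision


# Rules are evaluated top to bottom; the first match wins.
RULES = [
    Rule("allow", "engineering", "prod_db", 3306, "engineers query MySQL"),
    Rule("deny", "marketing", "prod_db", None, "no direct DB access from Marketing"),
    Rule("allow", "any", "any", 443, "HTTPS to anywhere"),
]


def _in_segment(addr: str, name: str) -> bool:
    return name == "any" or ip_address(addr) in SEGMENTS[name]


def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> Tuple[str, str]:
    """Return (action, reason) from the first matching rule; anything unmatched is denied."""
    for r in RULES:
        if (_in_segment(src_ip, r.src) and _in_segment(dst_ip, r.dst)
                and r.port in (None, dst_port)):
            return r.action, r.comment
    return "deny", "implicit default deny"


if __name__ == "__main__":
    for pkt in [("10.10.20.15", "10.50.1.10", 3306),   # Marketing -> prod DB
                ("10.10.30.7", "10.50.1.10", 3306),    # Engineering -> prod DB
                ("10.10.20.15", "10.50.1.10", 443)]:   # Marketing -> prod DB over HTTPS
        print(pkt, evaluate(*pkt))
```

Note that the third packet is denied even though a later rule allows HTTPS everywhere: rule order, not just rule content, decides what a firewall does.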

The Threat Landscape in Plain Terms

The phrase "threat landscape" sounds like something consultants invented to justify slide decks — but it has a specific meaning. It refers to the complete picture of who might attack a given network, what they are likely after, and what methods they tend to use. The landscape shifts constantly because the tools, motivations, and targets change.

Threats come from four rough categories. Opportunistic attackers run automated scans against large IP ranges looking for known vulnerabilities — they are not targeting TechPulse specifically, they are targeting anyone running an unpatched version of a common server. Motivated adversaries are after something specific: customer PII, financial data, source code, or the ability to use TechPulse's infrastructure to attack someone else. Insider threats come from current or former employees who have legitimate access and either misuse it intentionally or fall for a social engineering attack. Nation-state actors are well-resourced and patient — they might maintain access to a network for months before doing anything detectable.

Threat Type | Motivation | Typical Method | Key Defense
Opportunistic | Volume — hit as many targets as possible | Automated scanning, credential stuffing | Patch management, rate limiting
Motivated Adversary | Specific data or access | Spear phishing, zero-days, persistent access | Segmentation, least privilege, monitoring
Insider Threat | Financial gain or grievance | Abuse of legitimate access, data theft | Audit logs, DLP tools, access reviews
Nation-State | Espionage, disruption, IP theft | Supply chain attacks, long dwell time | Threat intelligence, anomaly detection

TechPulse is most exposed to opportunistic attackers and the occasional motivated adversary interested in customer data. But the engineering team is increasingly worried about supply chain risk — a compromised dependency in their build pipeline could be just as damaging as a direct attack on their servers.

The Core Categories of Network Defense

Network security is not one technology or one policy — it is a stack of controls that work together, each covering ground the others cannot. When one layer fails, the next is already in position.

Prevention Controls

Stop the bad thing from happening in the first place. Firewalls block unwanted traffic before it reaches a server. Encryption ensures intercepted data is unreadable. Access controls prevent unauthorized users from reaching sensitive systems entirely.

Examples: firewalls, ACLs, VPNs, MFA, network segmentation, patch management

Detection Controls

Assume prevention is imperfect — because it is — and catch what slips through. Intrusion detection systems watch traffic for suspicious patterns. Security information and event management (SIEM) platforms correlate logs from dozens of sources to surface anomalies.

Examples: IDS/IPS, SIEM, traffic analysis, anomaly detection, honeypots

The security industry spent most of the 1990s and 2000s obsessing over prevention — build a strong enough wall and nothing gets in. Then breaches at well-funded, well-staffed organizations demonstrated that the wall model alone does not hold. Detection and response became just as important. The modern standard is to assume breach: design as if an attacker is already somewhere inside the network, and ask whether the controls in place would catch them before they do serious damage.
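Detection controls are easier to reason about with one concrete rule. The following added example (not from the lesson) runs a simple port-scan detector, of the kind an IDS or SIEM rule would implement, over a few constructed firewall deny lines: a source that touches many distinct destination ports within a short window is flagged, while a source that retries the same port is not. The log format and addresses are assumptions.

```python
"""Flag port-scan behaviour in firewall deny logs (added example, not from the lesson)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterator, Tuple

# Constructed log lines in an assumed format; not real TechPulse output.
SAMPLE_LOG = """\
2024-05-01T02:00:01Z DENY src=203.0.113.7 dst=10.10.30.7 dport=22
2024-05-01T02:00:02Z DENY src=203.0.113.7 dst=10.10.30.7 dport=80
2024-05-01T02:00:02Z DENY src=203.0.113.7 dst=10.10.30.7 dport=443
2024-05-01T02:00:03Z DENY src=203.0.113.7 dst=10.10.30.7 dport=3306
2024-05-01T02:00:04Z DENY src=203.0.113.7 dst=10.10.30.8 dport=23
2024-05-01T02:00:05Z DENY src=203.0.113.7 dst=10.10.30.8 dport=161
2024-05-01T02:10:00Z DENY src=198.51.100.4 dst=10.10.30.7 dport=443
2024-05-01T02:11:00Z DENY src=198.51.100.4 dst=10.10.30.7 dport=443
"""

LINE_RE = re.compile(r"^(\S+) DENY src=(\S+) dst=(\S+) dport=(\d+)$")


def parse(log: str) -> Iterator[Tuple[datetime, str, str, int]]:
    """Yield (timestamp, src, dst, dport) for each well-formed deny line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), int(m.group(4))


def find_scanners(log: str, window: timedelta = timedelta(seconds=60),
                  min_ports: int = 5) -> Dict[str, int]:
    """Map each source that hit >= min_ports distinct ports inside any window to that port count."""
    events = defaultdict(list)
    for ts, src, _dst, port in parse(log):
        events[src].append((ts, port))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):           # slide the window over each start time
            ports = {p for t, p in evs[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                hits[src] = len(ports)
                break
    return hits


if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG))
```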

TechPulse: The First Security Audit

TechPulse's new IT security lead, Meera, ran her first vulnerability scan on the HQ LAN in her second week. She found 34 devices with open management ports (Telnet, old SNMP versions) reachable from any workstation on the network. Two printers had default credentials that had never been changed. A network-attached storage device used by the Content team was broadcasting its full file index to every device on the subnet. None of this was malicious — it was the natural state of a network that had grown without a security owner. Fixing it took three weeks of evenings. Not finding it would have taken one afternoon for a determined attacker.

This pattern repeats everywhere. The gap between what an organization thinks its network looks like and what it actually looks like is almost always a security gap. Regular asset discovery and vulnerability scanning are not optional extras — they are how you find out what you are defending before someone else does.

Your Roadmap Through 40 Lessons

This module is structured to build understanding the way a security engineer actually builds it on the job: start with mental models, layer in the technical mechanisms, then develop the operational workflows.

Lessons 1–10 cover the foundational concepts: threat landscapes, the OSI and TCP/IP models as security frameworks, attack surface mapping, and the control categories that make up a mature defense. No code — just the mental models that make the technical details meaningful.

Lessons 11–20 shift to perimeter and architectural security: firewalls (how they work, their types, their limits), network segmentation, Zero Trust architecture, and system hardening. TechPulse starts locking things down in these lessons.

Lessons 21–28 are mechanism deep dives — each one takes a specific attack or protocol and dissects it: ARP spoofing, DNS poisoning, DHCP starvation, man-in-the-middle interception, and denial of service. You will understand exactly how each works, what it looks like in logs, and how to detect and block it.

Lessons 29–37 are operational: security monitoring, incident detection, VPNs, logging and auditing, cloud network security, and automation. This is where security stops being theoretical and becomes something you run every day.

Lessons 38–40 are projects. You will troubleshoot a broken TechPulse network, complete a full security checklist against their infrastructure, and design a secure network architecture from scratch with all the controls in the right places.

What You Will Be Able to Do After This Module

Read a network diagram and identify where the security controls are — and where the gaps are. Interpret real firewall logs, IDS alerts, and packet captures. Write firewall rules that actually do what they are supposed to. Design a segmented network that limits how far an attacker can move if they get in. Detect the network signatures of common attacks before they escalate. And explain to a non-technical stakeholder why a specific control matters in terms of business risk, not just technical exposure.

Where to Start

Wireshark — wireshark.org

A free packet capture and traffic analysis tool used by security engineers worldwide. You can install it on your own machine and watch real network traffic in real time. It is how you go from "I know packets exist" to "I can read what they contain."

TryHackMe — tryhackme.com

Guided, legal, browser-based security labs that let you practice attacks and defenses in isolated environments. The "Pre-Security" and "SOC Level 1" paths align directly with this module's content. No local setup required.

pfSense — pfsense.org

A free, open-source firewall and router platform you can run in a virtual machine. Building your own firewall in a lab environment — even a simple one with two network interfaces — teaches more about traffic filtering than ten hours of reading.

Shodan — shodan.io

A search engine for internet-connected devices. Type in a product name or a port number and see what is exposed globally. It is the fastest way to understand why attackers invest in reconnaissance — and why your exposed services need to be intentional, not accidental.

Set up one tool in a safe lab environment and complete one real exercise today. That single hour teaches more than reading ten overviews.

Quiz

1. TechPulse's IT admin Meera sets up a system that correlates logs from the firewall, DNS server, and endpoint agents to surface unusual patterns after they have already entered the network. Which category of security control is this?

2. TechPulse's firewall logs show thousands of port scan attempts per hour arriving from dozens of different IP ranges, probing common ports like 22, 80, 443, and 3306. None of the source IPs have appeared in any threat intelligence feeds targeting the tech sector. Which threat category best describes this activity?

3. TechPulse's Data team discovers that a batch job pulling reports from the co-location database has been returning slightly different totals than the source records — and a closer look reveals the packets were altered somewhere between the data center and the cloud environment. Which pillar of network security was violated?

Up Next
The Threat Landscape
TechPulse's security team maps out the full range of adversaries they actually face — from script kiddies hammering exposed ports to patient actors targeting their engineering team's source code.