Blog
Research
Blog White Papers Case Studies Offensive Security SOC GRC Advisory
Guides
Red Team Guide DevSecOps Guides Vulnerability Research
About Us
Blog
HADESS
Cyber Security Magic

HADESS

Cyber Security Knowledge Hub

Network Security Fundamentals: Complete Guide

hadess014 mins

Part of the Cybersecurity Skills Guide — This article is one deep-dive in our complete skills and certifications series.

Network Security Fundamentals: Complete Guide

By HADESS Team | February 28, 2026 | Updated: February 28, 2026 | 12 min read

Table of Contents

Why Network Security Still Matters

Network security fundamentals form the base layer of every cybersecurity specialization. Whether you work in cloud security, application security, incident response, or penetration testing, you interact with networks daily. Understanding how data moves across networks — and how attackers intercept, manipulate, and exploit that movement — is non-negotiable.

The argument that “the network is dead” because of cloud adoption misses the point. Cloud environments are networks. Containers communicate over networks. APIs transmit data over networks. Zero trust architectures still depend on network-level controls for enforcement. The network has changed shape, but it has not disappeared.

According to the SANS Institute, network security knowledge remains one of the top three skills requested in cybersecurity job postings. Our analysis in the top cybersecurity skills employers want confirms this finding — network security appears consistently across entry-level through senior positions.

The OSI Model Through a Security Lens

The OSI (Open Systems Interconnection) model is more than an academic exercise. Each layer presents distinct attack surfaces and requires specific defenses.

Layer 1 — Physical: Physical access to network infrastructure. Attacks: cable tapping, rogue devices, physical destruction. Defenses: physical access controls, cable management, port security.

Layer 2 — Data Link: MAC addresses, switches, VLANs. Attacks: MAC flooding, ARP spoofing/poisoning, VLAN hopping, STP manipulation. Defenses: port security, Dynamic ARP Inspection (DAI), DHCP snooping, 802.1X authentication.

Layer 3 — Network: IP addressing, routing. Attacks: IP spoofing, ICMP attacks, routing protocol manipulation (BGP hijacking). Defenses: ingress/egress filtering, routing protocol authentication, unicast reverse path forwarding (uRPF).

Layer 4 — Transport: TCP/UDP ports, session management. Attacks: SYN flooding, session hijacking, port scanning. Defenses: SYN cookies, stateful firewalls, rate limiting.

Layer 5-6 — Session/Presentation: Session tokens, encryption negotiation. Attacks: session fixation, SSL stripping, downgrade attacks. Defenses: HSTS, certificate pinning, TLS version enforcement.

Layer 7 — Application: HTTP, DNS, SMTP, and other application protocols. Attacks: SQL injection, XSS, DNS cache poisoning, SMTP spoofing. Defenses: WAFs, input validation, DNSSEC, SPF/DKIM/DMARC.

Security tools operate at specific layers. A network firewall works at Layers 3-4. A WAF works at Layer 7. An IDS may inspect traffic across multiple layers. Knowing which layer an attack targets tells you which controls can detect or prevent it.

TCP/IP Fundamentals for Security Practitioners

You need working knowledge of TCP/IP to perform any network security function. Here are the elements that matter most:

The TCP three-way handshake: SYN, SYN-ACK, ACK. Understanding this sequence explains SYN flood attacks, half-open scanning, and how stateful firewalls track connections.

TCP flags and their security implications:

  • SYN: Connection initiation (used in SYN scans and SYN floods)
  • FIN/RST: Connection termination (used in stealth scanning)
  • PSH: Push data immediately (used in some attack payloads)
  • URG: Urgent data flag (sometimes used to bypass simple IDS rules)

Port numbers: Know the common ports and their services. When you see traffic on port 4444 or 1337, recognize that these are commonly used by reverse shells and may indicate compromise. Standard services on non-standard ports (SSH on 2222, HTTP on 8080) are common in production but worth investigating when unexpected.

UDP considerations: UDP is connectionless, making it harder to track state and easier to spoof. DNS (port 53), SNMP (port 161), and NTP (port 123) are common UDP services targeted in amplification attacks.

ICMP: Used for diagnostics (ping, traceroute) but also for reconnaissance and covert channels. Many organizations filter ICMP at the perimeter, though this breaks legitimate diagnostic functionality.

IP addressing and subnetting: Understanding CIDR notation, subnet masks, and address ranges is required for firewall rule creation, network segmentation, and interpreting log data. If you cannot calculate whether 10.0.1.50 falls within the 10.0.1.0/28 subnet, you will struggle with daily security tasks.

Firewalls: Types, Deployment, and Configuration

Firewalls are the most fundamental network security control. Understanding their types and proper deployment is a baseline expectation.

Packet filtering firewalls: Examine individual packets based on source/destination IP, port, and protocol. Fast but limited — they cannot inspect packet payloads or track connection state. Example: basic iptables rules.

Stateful inspection firewalls: Track the state of network connections and make decisions based on connection context. A return packet is only allowed if it corresponds to an existing outbound connection. This prevents many spoofing attacks that defeat simple packet filters. Most modern firewalls are stateful.

Next-generation firewalls (NGFW): Combine stateful inspection with application awareness, integrated intrusion prevention, and threat intelligence feeds. They can identify applications regardless of port (detecting HTTP traffic on non-standard ports, for example) and apply policies based on application identity, user identity, and content.

Web application firewalls (WAF): Operate at Layer 7 and specifically protect web applications from HTTP-based attacks. They inspect request content for SQL injection, XSS, and other application-layer attacks. Deployed as reverse proxies in front of web servers.

Firewall deployment best practices:

  • Default deny: Block everything and allow only what is explicitly needed
  • Document every rule with a business justification and owner
  • Review rules quarterly and remove unused entries
  • Place management interfaces on a dedicated management network
  • Log all denied connections for analysis
  • Test rule changes in a staging environment before production deployment

Intrusion Detection and Prevention Systems

IDS and IPS monitor network traffic for malicious activity and policy violations.

Network IDS (NIDS): Passive monitoring. Captures and analyzes a copy of network traffic (usually via a SPAN/mirror port or network tap). Generates alerts but does not block traffic. Snort and Suricata are the most widely deployed open-source NIDS.

Network IPS (NIPS): Inline deployment. Traffic passes through the IPS, which can drop malicious packets in real-time. Higher risk than IDS because false positives result in blocked legitimate traffic.

Host-based IDS/IPS (HIDS/HIPS): Runs on individual endpoints. Monitors system calls, file integrity, and local network connections. OSSEC and Wazuh are common open-source options.

Detection methods:

Signature-based: Matches traffic against known attack patterns. Fast and accurate for known threats. Cannot detect novel attacks. Requires regular signature updates.

Anomaly-based: Establishes a baseline of normal behavior and alerts on deviations. Can detect unknown attacks. Produces more false positives. Requires a training period to learn what “normal” looks like.

Protocol analysis: Validates that traffic conforms to protocol specifications. Detects attacks that violate protocol standards (malformed packets, illegal flag combinations).

Tuning is everything: An out-of-the-box IDS produces overwhelming noise. Effective deployment requires disabling signatures irrelevant to your environment, adjusting thresholds, suppressing known false positives, and creating custom rules for your specific threats. A tuned IDS with 50 relevant rules outperforms an untuned one with 50,000.

Network Segmentation and Architecture

Segmentation divides a network into isolated zones, limiting an attacker’s ability to move laterally after gaining initial access.

Traditional segmentation: VLANs and subnets with firewall or router ACLs controlling traffic between zones. Typical segments include: DMZ (public-facing servers), internal production, development, management, and guest.

Micro-segmentation: Applies security policies between individual workloads, not just network segments. Implemented through software-defined networking (SDN) or host-based firewalls. Particularly relevant in virtualized and containerized environments where traditional VLANs cannot provide sufficient granularity.

Zero trust network architecture: Eliminates implicit trust based on network location. Every access request is verified regardless of source. Our zero trust security guide covers this model in detail.

Design principles:

  • Separate environments by function and sensitivity (production, development, staging)
  • Place all public-facing services in a DMZ
  • Isolate management traffic on a dedicated VLAN
  • Control east-west traffic (server-to-server), not just north-south (client-to-server)
  • Apply the principle of least privilege to network access
  • Document your network architecture and review it annually

Common segmentation mistakes:

  • Flat networks with no internal segmentation
  • Overly permissive rules between segments (“allow all” between internal VLANs)
  • Neglecting east-west traffic monitoring
  • Failing to segment development from production
  • Not restricting database servers to only the application servers that need access

VPNs and Secure Remote Access

VPNs encrypt traffic between endpoints, protecting data in transit across untrusted networks.

IPsec VPN: Operates at Layer 3. Site-to-site IPsec tunnels connect office networks. Remote access IPsec VPNs connect individual users. Strong encryption but can be complex to configure. Uses IKE (Internet Key Exchange) for key management.

SSL/TLS VPN: Operates at Layer 4-7. Easier to deploy than IPsec because it uses standard HTTPS ports (443), which pass through most firewalls. Client-based SSL VPNs provide full network access. Clientless SSL VPNs provide browser-based access to specific applications.

WireGuard: A newer VPN protocol that prioritizes simplicity and performance. Smaller codebase than IPsec or OpenVPN, which reduces attack surface. Uses modern cryptographic primitives. Gaining adoption for both site-to-site and remote access use cases.

Remote access security beyond VPN:

  • Always use multi-factor authentication for VPN access
  • Implement split tunneling thoughtfully (it reduces bandwidth but increases exposure)
  • Consider ZTNA (Zero Trust Network Access) solutions as VPN alternatives
  • Monitor VPN connection logs for anomalies (unusual hours, geographic impossibilities)
  • Enforce endpoint health checks before granting VPN access

DNS Security

DNS is a frequent attack target because it is fundamental to network operation and historically under-secured.

Common DNS attacks:

DNS cache poisoning: Injecting false DNS records into a resolver’s cache, redirecting users to malicious sites. DNSSEC provides cryptographic validation to prevent this.

DNS tunneling: Encoding data in DNS queries and responses to bypass firewalls. Used for data exfiltration and command-and-control communication. Detectable through query length analysis, entropy measurement, and volume-based monitoring.

DNS amplification/reflection: Sending DNS queries with a spoofed source IP to open resolvers, which send amplified responses to the target. Mitigated by configuring DNS servers to reject recursive queries from external sources.

Domain hijacking: Compromising domain registrar accounts to modify DNS records. Mitigated by registrar-level security (MFA, registrar lock).

DNS security controls:

  • Deploy DNSSEC to validate DNS responses
  • Use DNS filtering services to block known malicious domains
  • Monitor DNS query logs for tunneling indicators (high volume, long queries, unusual record types)
  • Restrict outbound DNS to authorized resolvers only
  • Consider DNS over HTTPS (DoH) or DNS over TLS (DoT) for endpoint privacy
  • Maintain a DNS sinkhole for internal threat detection

Wireless Network Security

Wireless networks extend the attack surface beyond physical boundaries. Signals propagate through walls, parking lots, and neighboring buildings.

Current wireless security standards:

WPA3: The current standard. Provides Simultaneous Authentication of Equals (SAE) for stronger password-based authentication. Mandatory for Wi-Fi 6 certified devices. Forward secrecy prevents previously captured traffic from being decrypted if the password is later compromised.

WPA2: Still widely deployed. Vulnerable to KRACK attacks (Key Reinstallation Attacks) and offline dictionary attacks against the four-way handshake. Use WPA2-Enterprise (802.1X authentication) rather than WPA2-Personal (pre-shared key) in business environments.

WPA/WEP: Deprecated and insecure. WEP can be cracked in minutes. If you find these in your environment, replacement is urgent.

Enterprise wireless security:

  • Use WPA3-Enterprise or WPA2-Enterprise with 802.1X and RADIUS authentication
  • Deploy a wireless intrusion prevention system (WIPS)
  • Segment wireless traffic from wired internal networks
  • Conduct periodic rogue access point detection
  • Disable SSID broadcast only if combined with other controls (it is trivially defeated alone)
  • Monitor for evil twin attacks (rogue APs mimicking legitimate network names)

Network Monitoring and Traffic Analysis

Visibility is the prerequisite for detection. You cannot defend what you cannot see.

Packet capture and analysis: Wireshark is the standard tool for deep packet analysis. Learn to filter by protocol, follow TCP streams, extract files from captures, and identify anomalous patterns. For continuous capture at scale, use tools like Zeek (formerly Bro) that generate structured logs from network traffic.

NetFlow and IPFIX: Metadata about network flows (source, destination, ports, bytes, duration) without full packet capture. Provides traffic visibility at scale. Useful for identifying scanning activity, data exfiltration, and communication with known malicious IPs.

Network traffic baselines: Establish what normal looks like for your environment. Document typical traffic volumes, common protocols, expected internal communication patterns, and standard external connections. Deviations from baseline warrant investigation.

What to monitor:

  • Connections to known malicious IPs and domains (threat intelligence feeds)
  • Unusually large data transfers, especially outbound
  • Traffic on non-standard ports (HTTP on port 8443, SSH on port 2222)
  • DNS query anomalies (high volume, long query names, unusual record types)
  • Internal lateral movement (workstation-to-workstation connections)
  • After-hours network activity

These monitoring activities often feed into SIEM platforms for centralized analysis and correlation.

Common Network Attacks and Defenses

ARP Spoofing: Attacker sends falsified ARP messages to link their MAC address with a legitimate IP, enabling man-in-the-middle positioning. Defense: Dynamic ARP Inspection (DAI) on managed switches.

SYN Flood: Overwhelming a target with TCP SYN packets without completing the handshake, exhausting connection state tables. Defense: SYN cookies, rate limiting, and upstream filtering.

Man-in-the-Middle (MITM): Intercepting communication between two parties. Can occur through ARP spoofing, DNS poisoning, or rogue Wi-Fi access points. Defense: Encryption (TLS), certificate validation, and network segmentation.

VLAN Hopping: Exploiting switch misconfigurations to access traffic on other VLANs. Methods include switch spoofing (pretending to be a trunk port) and double tagging. Defense: Disable DTP on access ports, set native VLAN to unused VLAN, explicitly configure trunk ports.

BGP Hijacking: Announcing unauthorized IP prefixes via BGP to redirect internet traffic. Defense: RPKI (Resource Public Key Infrastructure), ROA (Route Origin Authorization), and BGP monitoring services.

Network reconnaissance: Port scanning, service enumeration, and OS fingerprinting. These are not attacks themselves but precede nearly every attack. Defense: IDS/IPS detection rules, honeypots, and reducing the attack surface by disabling unnecessary services.

Building a Network Security Lab

Hands-on practice separates understanding from ability. Here is a practical lab setup:

Hardware: A single machine with 16GB+ RAM running VirtualBox or VMware Workstation. Alternatively, use cloud instances for distributed lab scenarios.

Lab topology:
1. pfSense/OPNsense VM: Acts as your firewall/router. Configure multiple interfaces for segmented networks.
2. Kali Linux VM: Your attack platform. Pre-installed with network scanning, exploitation, and analysis tools.
3. Ubuntu Server VM: Target server running web services, SSH, and other services.
4. Windows VM: Target endpoint for Active Directory, Windows networking exercises.
5. Security Onion or ELK VM: IDS/SIEM for monitoring lab traffic.

Lab exercises to complete:
1. Configure firewall rules on pfSense to segment networks and control traffic
2. Set up Suricata IDS and write custom detection rules
3. Perform a full network scan with Nmap and analyze the results
4. Capture traffic with Wireshark and follow a complete TCP conversation
5. Execute an ARP spoofing attack with Bettercap and observe the traffic
6. Configure a VPN tunnel between two pfSense instances
7. Set up network monitoring with Zeek and analyze the generated logs
8. Implement 802.1X port-based authentication

Each exercise builds skills that map directly to professional responsibilities. Document your work as you go — it becomes portfolio material.

Related Guides in This Series

Take the Next Step

Evaluate your network skills — Use our Skills Assessment to benchmark your network security knowledge against industry expectations.
Build a structured learning path — Visit the Career Coach to create a personalized plan for developing network security expertise.

Frequently Asked Questions

What networking certifications should I get for cybersecurity?

Start with CompTIA Network+ for foundational networking knowledge. Then pursue CompTIA Security+ for security-specific networking concepts. For deeper network security specialization, consider Cisco CCNA (which includes a security component) or CCNP Security. The CompTIA Security+ guide covers the certification path in detail.

Do I need to know subnetting for cybersecurity?

Yes. Subnetting appears in daily security work: writing firewall rules, analyzing log data, configuring network segmentation, and interpreting scan results. You need to calculate subnet ranges, identify broadcast addresses, and understand CIDR notation without hesitation. Practice until subnetting is automatic — it saves time in every technical task.

How do I practice network security without breaking anything?

Build an isolated virtual lab using VirtualBox or VMware. Create separate virtual networks that do not connect to your home or production network. Use intentionally vulnerable VMs (Metasploitable, DVWA, VulnHub machines) as targets. Cloud platforms like TryHackMe and Hack The Box provide browser-based labs where everything is sandboxed.

HADESS Team consists of cybersecurity practitioners, hiring managers, and career strategists who have collectively spent 50+ years in the field.

Leave a Reply

Your email address will not be published. Required fields are marked *

Related News