1. Introduction to Networking for Cybersecurity
Before you can understand attacks, defenses, tools, encryption, or even how the internet works, you must understand networking. Every cybersecurity skill - packet analysis, scanning, exploitation, incident response, forensics, malware analysis, SOC monitoring - depends on knowing how computers communicate.
Most beginners jump straight into tools like Nmap or Wireshark without truly understanding what is happening under the hood. But in reality, cybersecurity is built on networking, and without this foundation, many concepts will feel confusing later.
In this part, we start from the very beginning:
- how communication is structured (OSI Model)
- how the real internet works (TCP/IP Model)
- how data flows across layers
- what ports, protocols, and services actually mean
- how tools identify systems and vulnerabilities
Understanding these basics will help you make sense of real-world attacks such as:
- ARP-based MITM (Layer 2)
- DNS spoofing (Layer 7)
- SYN flood DDoS (Layer 4)
- Port scans and fingerprinting
- VPN and firewall behavior
2. The OSI Model: The 7 Layers Explained Clearly
While learning networking for cybersecurity, I realized the OSI model is the easiest way to understand how data travels. It is not used exactly like this in real networks, but it is still the best mental map for seeing where attacks happen and where defenses work.
The OSI model has 7 layers. Each layer does a specific job and passes data to the layer above or below it. Understanding these layers helps make sense of packets, protocols, and security tools.
Layer 1: Physical
This is the actual hardware and electrical signals.
Examples: cables, fiber, Wi-Fi radio waves, hubs, the network card's signalling. (Switches forward based on MAC addresses, so they belong to Layer 2.)
If something is wrong here, nothing else works.
Layer 2: Data Link
Responsible for MAC addresses and local network communication.
Examples: ARP, Ethernet frames.
A lot of attacks happen here because it is close to the hardware.
Layer 3: Network
Moves data between networks using IP addresses.
Examples: IPv4, IPv6, routing.
Most routing logic and many attacks (like IP spoofing) live here.
Layer 4: Transport
Provides connection and reliability between systems.
Examples: TCP, UDP.
Important for ports, scanning, sessions, and traffic analysis.
Layer 5: Session
Controls opening and closing communication sessions.
Not very visible in day-to-day work, but good to know.
Layer 6: Presentation
Handles formatting, encryption, compression.
Examples: TLS lives here conceptually.
Layer 7: Application
The layer we see as users.
Examples: HTTP, DNS, SMTP, FTP.
Most high-level attacks happen here.
I used to think OSI was just theory, but once I saw how different attacks map to layers, it finally made sense. When we get to scanning, sniffing, routing, VPNs, and traffic analysis later, the OSI model makes everything easier to understand. OSI is theory → used for learning, explaining, analyzing network issues.
3. The TCP/IP Model: The Real-World Version of OSI
After understanding the OSI model, I learned that real network stacks do not implement seven separate layers. The internet runs on the TCP/IP model, which is simpler and more practical. It is the model that routers, operating systems, firewalls, and most tools actually follow.
Instead of seven layers, the TCP/IP model has four. Each one groups several OSI layers together. This makes it easier to understand how the internet works in real life.
Layer 1: Link Layer
Covers OSI Layer 1 and 2.
Handles MAC addresses, Ethernet frames, Wi-Fi, ARP, switches.
Anything that deals with local network communication belongs here.
Layer 2: Internet Layer
Matches OSI Layer 3.
Handles IP addresses and routing between networks.
Examples: IPv4, IPv6, ICMP, routing decisions.
Layer 3: Transport Layer
Matches OSI Layer 4.
Responsible for ports, TCP, UDP, sessions, reliability.
Important for understanding scanning, traffic analysis, and attacks.
Layer 4: Application Layer
Combines OSI Layers 5, 6, and 7.
Everything the user interacts with is here.
Examples: HTTP, HTTPS, DNS, SMTP, FTP, SSH.
When I looked at OSI at first, it felt too academic. The TCP/IP model helped everything click, because it is what Linux, Windows, routers, firewalls, and tools like Wireshark actually use. Whenever I analyze packets or map traffic, this is the model I keep in mind. TCP/IP is implementation → used by real protocols and devices (TCP, IP, HTTP, DNS, etc.)
4. How Data Moves Across Layers
When a computer sends data (a message, HTTP request, file, anything), the data travels through layers. Each layer adds its own wrapper, like putting a gift into multiple boxes.
This wrapping process is called Encapsulation. When the data arrives and layers unwrap it, that’s Decapsulation.
4.1 Encapsulation: How Data Leaves Your Computer
When you send something (example: open a website), this is what happens:
(Application Layer – your app data)
- You type URL → browser creates HTTP request
- This is the raw data your app wants to send
- No technical wrapper yet
(Transport Layer – delivers data to the right program; TCP also makes sure it arrives)
- TCP or UDP adds:
- source port (your app number)
- destination port (which service on the server)
- sequence numbers (if TCP)
- Now your data becomes a Segment (TCP) or Datagram (UDP)
(Network Layer– finds the destination computer)
- IP adds:
- source IP
- destination IP
- Now it becomes a Packet
(Data Link Layer – prepares it for the physical network)
- Ethernet/Wi-Fi adds:
- source MAC
- destination MAC
- Now it becomes a Frame
(Physical Layer – sends electrical/light/radio signals)
- Converts the frame into bits (0s and 1s)
- Sends signals over cable, Wi-Fi, fiber, etc.
Each layer adds its own header.
Top-to-bottom = wrapping.
4.2 Decapsulation: How Data Arrives at the Other End
On the receiving device, the reverse happens:
- Physical Layer → receives bits
- Data Link Layer → removes MAC header
- Network Layer → removes IP header
- Transport Layer → removes TCP/UDP header
- Application Layer → your browser finally sees the HTTP response
Bottom-to-top = unwrapping.
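Here is the wrapping and unwrapping above carried out in code, as an added example (not part of the original post) using Python's struct module. The MAC addresses, IP addresses, ports and HTTP payload are constructed sample values (203.0.113.0/24 is a documentation range, so nothing here touches a real host). It builds an Ethernet/IPv4/TCP frame with correct IPv4 and TCP checksums, peels the headers off again in the order a receiving stack does, and rejects a frame whose IP header was tampered with.

```python
import socket
import struct

# Constructed sample values for one HTTP request leaving a LAN host (not a real capture).
SRC_MAC, DST_MAC = "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"
SRC_IP, DST_IP = "192.168.1.10", "203.0.113.80"
SRC_PORT, DST_PORT = 55921, 80
PAYLOAD = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
ETH_IPV4, PROTO_TCP, TCP_PSH_ACK = 0x0800, 6, 0x18


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (used by IPv4 and TCP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_segment(sport, dport, seq, flags, payload, src_ip, dst_ip):
    """Transport layer: 20-byte TCP header (no options) followed by application data."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)
    # The TCP checksum also covers a pseudo-header borrowed from the IP layer, so
    # forging the source IP without recomputing this checksum yields a broken segment.
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
    pseudo += struct.pack("!BBH", 0, PROTO_TCP, len(hdr) + len(payload))
    csum = inet_checksum(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def ipv4_packet(src_ip, dst_ip, proto, segment):
    """Network layer: 20-byte IPv4 header (DF set, TTL 64) around the segment."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234, 0x4000,
                      64, proto, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + segment


def ethernet_frame(src_mac, dst_mac, ethertype, packet):
    """Data link layer: 14-byte Ethernet II header (the NIC appends the FCS itself)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ethertype) + packet


def encapsulate() -> bytes:
    """Top-to-bottom: HTTP data -> TCP segment -> IPv4 packet -> Ethernet frame."""
    seg = tcp_segment(SRC_PORT, DST_PORT, 1000, TCP_PSH_ACK, PAYLOAD, SRC_IP, DST_IP)
    pkt = ipv4_packet(SRC_IP, DST_IP, PROTO_TCP, seg)
    return ethernet_frame(SRC_MAC, DST_MAC, ETH_IPV4, pkt)


def decapsulate(frame: bytes) -> dict:
    """Bottom-to-top: strip each header the way a receiving stack (or Wireshark) does."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if inet_checksum(ip[:ihl]) != 0:            # an intact header sums to zero
        raise ValueError("bad IPv4 header checksum")
    total_len, proto = struct.unpack("!H", ip[2:4])[0], ip[9]
    src_ip, dst_ip = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    seg = ip[ihl:total_len]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, proto, len(seg))
    if inet_checksum(pseudo + seg) != 0:
        raise ValueError("bad TCP checksum")
    sport, dport, seq = struct.unpack("!HHI", seg[:8])
    data_off = (seg[12] >> 4) * 4
    return {
        "src_mac": frame[6:12].hex(":"), "dst_mac": frame[:6].hex(":"),
        "src_ip": src_ip, "dst_ip": dst_ip, "proto": proto,
        "src_port": sport, "dst_port": dport, "seq": seq, "flags": seg[13],
        "payload": seg[data_off:],
        "header_bytes": {"ethernet": 14, "ipv4": ihl, "tcp": data_off},
    }


if __name__ == "__main__":
    frame = encapsulate()
    print(len(frame), "bytes on the wire")
    for name, value in decapsulate(frame).items():
        print(f"{name:>12}: {value}")
```

The 37-byte HTTP request leaves the host as a 91-byte frame: 14 bytes of Ethernet, 20 of IPv4 and 20 of TCP are added on the way down and removed on the way up. The TCP pseudo-header is the detail worth remembering for the "attackers abuse headers" point below: changing the source IP in the IP header invalidates the checksum one layer up, so spoofing tools must rebuild both.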
4.3 Why Encapsulation Matters in Cybersecurity
This is where the real magic happens for security people.
Every attack lives on a specific layer
- ARP spoofing → Layer 2
- IP spoofing → Layer 3
- SYN flood → Layer 4
- SQL injection → Layer 7
You can't understand attacks if you don’t understand where the data gets wrapped/unwrapped.
Firewalls use this structure
- Packet filters (L3) check IP addresses
- Stateful firewalls (L4) check TCP/UDP behavior
- WAF (L7) checks HTTP content
Attackers abuse headers
- Fake MAC
- Fake IP
- Fake ports
- Malformed packets
Everything an attacker does is related to manipulating these layers.
5. Ports and Services: How Systems Communicate
When devices talk to each other, they don’t just send data randomly.
They need to know which program the data belongs to.
A port is basically a door number inside a computer.
- IP address = the house
- Port = the room inside that house
- Protocol (TCP/UDP) = how you knock on the door
This is how systems understand which service should receive incoming data.
5.1. What a Port Really Is
Every app or service listens on a specific port.
Examples:
- 80 → HTTP
- 443 → HTTPS
- 22 → SSH
- 53 → DNS
So if you type a website URL:
- Your computer talks to the server’s IP:443
- The server knows “Oh, port 443? That’s my HTTPS service.”
Ports are just numbers from 0–65535.
5.2. Three Port Ranges: Well-Known, Registered & Dynamic
(1) Well-Known Ports (0–1023)
Used by important system services.
Examples:
- 80 (HTTP)
- 443 (HTTPS)
- 22 (SSH)
- 25 (SMTP)
- 53 (DNS)
These are the ones cybersecurity people always memorize.
(2) Registered Ports (1024–49151)
Used by applications.
Examples:
- 3306 (MySQL)
- 5432 (PostgreSQL)
- 27017 (MongoDB)
(3) Dynamic Ports (49152–65535)
Used temporarily by your system for outgoing connections (also called ephemeral ports).
When your browser connects to google.com:443, it uses something like:
Client: 192.168.1.10:55921 → Server: 142.250.185.100:443
Your side uses a random high port, the server uses its fixed service port. Note that operating systems do not all follow the IANA range: Linux, for example, defaults to 32768–60999 (see /proc/sys/net/ipv4/ip_local_port_range), so ephemeral ports can appear below 49152 in captures.
Here’s how I personally remember ports:
- 80/443 → Web
- 22 → SSH (remote command access)
- 53 → DNS (internet phonebook)
- 25/587/465 → Email
- 3306/5432 → Databases
- 445 → SMB (Windows file sharing; high-risk when exposed to untrusted networks)
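To see the client-port/server-port split on your own machine, here is an added example (not part of the original post) that opens a TCP listener on 127.0.0.1, connects to it, and reports the 4-tuple as seen from both ends. The range boundaries in port_class are IANA's; os_ephemeral_range() reads a Linux-specific /proc file and returns None on other systems. The listener binds port 0 so the OS picks a free port, which avoids needing root (a real service would bind a fixed port such as 443, and ports below 1024 require privileges).

```python
import socket
from contextlib import closing


def port_class(port: int) -> str:
    """IANA port ranges: well-known, registered, dynamic/ephemeral."""
    if not 0 <= port <= 65535:
        raise ValueError("ports are 16-bit numbers: 0-65535")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


def os_ephemeral_range():
    """Linux exposes its real ephemeral range here (default 32768-60999, which is
    lower than IANA's 49152-65535). Returns None where the file does not exist."""
    try:
        with open("/proc/sys/net/ipv4/ip_local_port_range") as fh:
            lo, hi = fh.read().split()
            return int(lo), int(hi)
    except OSError:
        return None


def observe_connection(service_port: int = 0) -> dict:
    """Start a local TCP service, connect to it, and return both ends of the
    resulting flow (src IP, src port) -> (dst IP, dst port)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as srv:
        srv.bind(("127.0.0.1", service_port))         # 0 = let the OS choose
        srv.listen(1)
        srv_ip, srv_port = srv.getsockname()          # the fixed "door" clients knock on
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as cli:
            cli.connect((srv_ip, srv_port))            # OS assigns the client's source port
            conn, peer = srv.accept()                  # server's view of the client
            with closing(conn):
                cli_ip, cli_port = cli.getsockname()   # client's view of itself
                assert peer == (cli_ip, cli_port)      # both sides agree on the tuple
                return {
                    "client": (cli_ip, cli_port, port_class(cli_port)),
                    "server": (srv_ip, srv_port, port_class(srv_port)),
                    "flow": f"{cli_ip}:{cli_port} -> {srv_ip}:{srv_port}",
                }


if __name__ == "__main__":
    info = observe_connection()
    print(info["flow"])
    print("client side:", info["client"])
    print("server side:", info["server"])
    print("OS ephemeral range:", os_ephemeral_range() or "unknown (not Linux)")
```

Run it a few times and the client port changes on every connection while the server port stays put for as long as the listener lives; on Linux the client port lands inside the range the /proc file reports, not necessarily inside 49152–65535.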
6. Common Protocols Every Security Learner Must Know
This is one of the most important parts for cybersecurity. If you know protocol + port + purpose + risk, you can follow most real-world attack write-ups and packet captures.
- (Web) HTTP – Port 80
Normal web traffic, not encrypted, easy to intercept.
- (Web) HTTPS – Port 443
Encrypted using TLS, secure version of HTTP.
- (Name Resolution) DNS – Port 53 (UDP/TCP)
Domain → IP resolver. Target of cache poisoning, hijacking, and tunneling (data smuggled inside queries).
- (Remote Access) SSH – Port 22
Secure remote shell. Heavy brute-force target.
- (Remote Access) RDP – Port 3389
Windows remote desktop. Major ransomware entry point.
- (Remote Access) Telnet – Port 23
Old remote access, not encrypted, insecure.
- (Network Infrastructure) ARP – No port (Layer 2)
IP → MAC mapping. Can be spoofed → MITM attacks.
- (Network Infrastructure) ICMP – No port
Ping, traceroute. Used for discovery and ICMP floods.
- (Network Infrastructure) DHCP – Ports 67/68
Gives IP addresses automatically. Rogue DHCP attacks possible.
- (File Transfer & Services) FTP – Port 21
File transfer. No encryption, insecure by default.
- (File Transfer & Services) SFTP – Port 22
Secure file transfer over SSH. Encrypted.
- (File Transfer & Services) SMB – Port 445
Windows file sharing. Exploited by ransomware (WannaCry).
- (File Transfer & Services) SMTP – Port 25 (server-to-server), 587 (client submission)
Sending emails. Plaintext unless STARTTLS is negotiated.
- (File Transfer & Services) IMAP – Port 143
Reading emails from server.
- (File Transfer & Services) POP3 – Port 110
Downloading emails.
- (File Transfer & Services) NTP – Port 123
Time synchronization across devices. Used in DDoS amplification.
Which Protocol Matters Most in Cybersecurity?
- HTTPS / TLS — encryption, certificates, MITM protection
- DNS — poisoning, tunneling, hijacking
- SSH — brute force, key management
- SMB — network worms, ransomware
- ARP — LAN attacks, spoofing, MITM
My Personal Quick Notes (Easy Memory)
- HTTP / HTTPS → Web
- DNS → Phonebook
- SSH → Secure remote access
- RDP → Windows remote desktop
- SMB → Windows file sharing, risky
- FTP → Old, unencrypted, avoid
- ARP → LAN mapping
- DHCP → Gives IP addresses
- ICMP → Ping
Protocols are just rules for communication.
For cybersecurity, each protocol means a new attack surface.
7. TCP vs UDP: Security and Behavior Differences
TCP and UDP are the two main transport protocols. They decide how data is delivered between devices.
I think of them like two different delivery styles:
- TCP → a careful delivery guy
- UDP → a fast delivery guy
Both are useful, but in cybersecurity they behave very differently.
TCP in Simple Words (Reliable)
TCP checks everything. It cares about correctness.
Key Features
- Connection-based
- 3-way handshake (SYN → SYN-ACK → ACK)
- Guarantees delivery
- Retransmits lost packets
- Maintains order
- Used for important data
Used by
- HTTPS
- HTTP/1.1
- SSH
- FTP
- Email (SMTP, IMAP, POP3)
Security Perspective
- Can be targeted by:
- SYN Flood (DDoS)
- RST injection
- Session hijacking
- State-based, so firewalls track TCP connections
- Harder to spoof blindly, because a forged sender has to guess the sequence numbers
UDP in Simple Words (Fast)
UDP = fast but unreliable. UDP does not care. It just throws the data and runs.
Key Features
- No handshake
- No connection
- No guarantee of delivery
- No retransmission
- Lightweight, minimal overhead
Used by
- DNS
- Video streaming
- Online gaming
- VoIP (calls)
- DHCP
Security Perspective
- Easy to spoof (no connection state)
- Used in many DDoS attacks:
- DNS amplification
- NTP amplification
- Harder for firewalls to track: there is no handshake, so a stateful firewall can only keep a timed "pseudo-session" per flow
- No handshake and no delivery guarantee → attackers can send huge volumes cheaply
8. How Firewalls and Tools Use Ports & Protocols
Firewalls are one of the most important security tools. They use IP addresses, ports, and protocols to decide:
Allow this traffic? Block it? Inspect it? Log it?
Firewalls Think in Layers
Firewalls don’t see the whole OSI model deeply — they focus on specific parts:
- Layer 3 → IP addresses
- Layer 4 → Ports + TCP/UDP
- Layer 7 → Application protocols (HTTP, DNS, etc.)
So their logic is basically:
- Who is talking (IP)?
- Through which door (port)?
- Using what method (TCP/UDP/protocol)?
1. Basic Firewall Rules (L3/L4)
Firewalls filter traffic using:
IP Rules
- Allow/Block specific IPs
- Allow subnets (e.g., 192.168.1.0/24)
Port Rules
- Allow 80/443 (web)
- Allow 22 only for admins
- Block 23 (Telnet), 445 (SMB), etc.
Protocol Rules
- Allow TCP
- Block UDP except the few services that need it (e.g., 53 DNS, 123 NTP)
- Allow only certain ICMP types
Classic filtering = IP + Port + Protocol
2. Stateful Firewalls (Most Common)
Stateful = firewall remembers active connections.
- Tracks TCP handshake & status
- Tracks UDP “pseudo-sessions”
- Automatically allows return traffic for legitimate sessions
- Makes spoofing harder
If you initiate a request, response traffic is allowed.
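The following is an added example (not part of the original post, and not any real firewall's code) that puts the L3/L4 rule logic and the stateful tracking from this section together in one small Python simulator, and also shows the TCP-versus-UDP difference from section 7: TCP flows are followed through the 3-way handshake, while UDP gets only a pseudo-session that expires after an idle timeout. All addresses and traffic are constructed; 192.168.1.0/24 plays the protected LAN, 10.0.0.0/8 the admin network, and the 203.0.113.x / 198.51.100.x documentation ranges stand in for the internet. The 30-second UDP timeout is an assumption for the demo.

```python
import ipaddress
from dataclasses import dataclass

LAN = "192.168.1.0/24"   # constructed: the protected network behind this firewall


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flags seen, e.g. {"SYN"} or {"SYN", "ACK"}
    ts: float = 0.0                  # seconds; drives the UDP pseudo-session timeout


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"           # CIDR
    dst: str = "0.0.0.0/0"
    dport: tuple = (0, 65535)        # inclusive range

    def matches(self, p):
        return (self.proto in ("any", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.dport[0] <= p.dport <= self.dport[1])


class StatefulFirewall:
    UDP_TIMEOUT = 30.0   # assumed idle seconds before a UDP pseudo-session is forgotten

    def __init__(self, rules):
        self.rules, self.table = rules, {}   # table: flow key -> {"state", "ts"}

    @staticmethod
    def key(p, reverse=False):
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (p.proto,) + (b + a if reverse else a + b)

    def process(self, p):
        fwd, rev = self.key(p), self.key(p, reverse=True)
        if rev in self.table:                        # reply direction of a known flow
            entry = self.table[rev]
            if p.proto == "tcp":
                if entry["state"] == "SYN_SENT" and p.flags == {"SYN", "ACK"}:
                    entry["state"] = "SYN_RECV"
                    return ("allow", "handshake step 2")
                if entry["state"] in ("SYN_RECV", "ESTABLISHED"):
                    return ("allow", "established reply")
                return ("deny", "unexpected TCP state")
            if p.ts - entry["ts"] <= self.UDP_TIMEOUT:
                entry["ts"] = p.ts
                return ("allow", "udp pseudo-session reply")
            del self.table[rev]                      # expired: fall through to the rules
        elif fwd in self.table:                      # more traffic from the initiator
            entry = self.table[fwd]
            if p.proto == "tcp" and entry["state"] == "SYN_RECV" and "ACK" in p.flags:
                entry["state"] = "ESTABLISHED"
                return ("allow", "handshake step 3")
            entry["ts"] = p.ts
            return ("allow", "known flow")
        for rule in self.rules:                      # new flow: first match wins
            if rule.matches(p):
                if rule.action == "deny":
                    return ("deny", "rule")
                if p.proto == "tcp" and p.flags != {"SYN"}:
                    return ("deny", "new TCP flow must start with SYN")
                self.table[fwd] = {"state": "SYN_SENT" if p.proto == "tcp" else "UDP", "ts": p.ts}
                return ("allow", "new flow by rule")
        return ("deny", "default")


def demo():
    """Constructed traffic run through a small rule set; returns one verdict per packet."""
    rules = [
        Rule("deny", "tcp", dport=(445, 445)),                 # SMB never crosses the edge
        Rule("deny", "tcp", dport=(23, 23)),                   # no Telnet
        Rule("allow", "tcp", src=LAN, dport=(80, 80)),         # LAN may browse
        Rule("allow", "tcp", src=LAN, dport=(443, 443)),
        Rule("allow", "udp", src=LAN, dport=(53, 53)),         # LAN may resolve names
        Rule("allow", "tcp", src="10.0.0.0/8", dst="192.168.1.5/32", dport=(22, 22)),  # SSH: admins only
    ]
    fw = StatefulFirewall(rules)
    SYN, SYNACK, ACK = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    traffic = [
        Packet("tcp", "192.168.1.10", 55921, "203.0.113.7", 443, SYN),       # 1 client opens HTTPS
        Packet("tcp", "203.0.113.7", 443, "192.168.1.10", 55921, SYNACK),    # 2 server answers
        Packet("tcp", "192.168.1.10", 55921, "203.0.113.7", 443, ACK),       # 3 handshake completes
        Packet("tcp", "198.51.100.9", 443, "192.168.1.10", 55921, SYNACK),   # 4 unsolicited SYN-ACK
        Packet("tcp", "203.0.113.7", 40000, "192.168.1.10", 445, SYN),       # 5 inbound SMB probe
        Packet("udp", "192.168.1.10", 50000, "203.0.113.53", 53, ts=0.0),    # 6 DNS query
        Packet("udp", "203.0.113.53", 53, "192.168.1.10", 50000, ts=1.0),    # 7 DNS reply in time
        Packet("udp", "203.0.113.53", 53, "192.168.1.10", 50000, ts=100.0),  # 8 reply after timeout
        Packet("tcp", "10.1.2.3", 4444, "192.168.1.5", 22, SYN),             # 9 admin SSH
        Packet("tcp", "198.51.100.9", 4444, "192.168.1.5", 22, SYN),         # 10 outsider SSH
        Packet("tcp", "192.168.1.11", 40000, "203.0.113.7", 80, ACK),        # 11 ACK with no SYN
    ]
    return [fw.process(p) for p in traffic]


if __name__ == "__main__":
    for i, verdict in enumerate(demo(), 1):
        print(i, verdict)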
3. Next-Generation Firewalls (L7)
NGFW look into the application layer, not just ports.
They can inspect:
- HTTP
- DNS
- TLS certificates
- API calls
- Malware patterns
Examples:
- Port 443 but not real HTTPS → suspicious
- Detect DNS tunneling
- Block apps like TikTok/WhatsApp
They inspect the actual content, not just the port number.
4. Tools That Work With Ports & Protocols
Nmap
- Port scanning
- Service/version detection
- OS fingerprinting
- Used by pentesters & attackers
Wireshark
- Packet capture/analysis
- Shows protocols, headers, payloads
- Great for learning & debugging
iptables/ufw/Windows Firewall
- Create rules for ports, IPs, protocols
IDS/IPS (Snort, Suricata)
- Deep inspection
- Detect/block suspicious behavior
9. Why Understanding OSI & TCP/IP Matters in Cybersecurity
Attackers don’t “hack the internet.” They exploit specific layers.
Knowing OSI and TCP/IP makes cybersecurity much easier because every attack, tool, and protocol sits on a specific layer. ARP spoofing is Layer 2, IP spoofing is Layer 3, SYN floods are Layer 4, and web attacks like SQL injection are Layer 7. Firewalls, VPNs, WAFs, and IDS/IPS also work at different layers, so understanding the models helps you see where protection happens and where vulnerabilities live. When you analyze traffic in Wireshark or troubleshoot network issues, these layers give you a mental map to understand what’s happening. In short: OSI/TCP-IP help you locate attacks, understand protocols, and communicate clearly in security work.
10. Summary and What Comes Next (Part 2 Preview)
In this first part, we built the foundation every cybersecurity learner needs: how the OSI and TCP/IP models work, how data moves through layers, and how ports and protocols define communication between systems. These concepts will come up again and again in security, whether you're analyzing traffic, detecting attacks, or understanding how tools interact with networks.
In Part 2, we go deeper into DNS, routing, and how the internet actually moves your packets around. You'll learn how domain names resolve, how routers decide where traffic goes, why DNS is frequently attacked, and how routing weaknesses can be exploited. Understanding these systems is essential before moving on to VPNs, proxies, firewalls, sniffing, and scanning.
Next: Networking for Cybersecurity (Part 2): DNS, Routing & How the Internet Works