Domain 4 Module 4.1

4.1 Computer Networking

Why this module matters

Networking is the language of modern computing. Every security control, every cloud service, every login prompt, and every alert depends on how systems communicate. If you understand how traffic moves, what each layer does, and which protocols live where, you can reason about attacks and defenses much faster.

For the CC exam, this topic is high-value because it connects directly to ports, protocols, wireless security, subnetting, NAT, and the difference between safe and unsafe remote access. In practice, networking knowledge is what lets you spot the difference between a normal service and an exposed risk.

Learning goals

By the end of this lesson, you should be able to:

1. Explain all 7 OSI layers in detail.
2. Map the TCP/IP model to OSI.
3. Compare TCP and UDP.
4. Explain IPv4, private ranges, subnetting, and NAT.
5. Explain why IPv6 exists.
6. Compare Wi-Fi security standards from WEP to WPA3.
7. Memorize the exam-relevant ports and port ranges.

---

The OSI Model

The Open Systems Interconnection (OSI) model is a conceptual framework for understanding how data moves across a network. It breaks communication into seven layers. The model is not a protocol itself; it is a teaching and troubleshooting tool.

Think of it like shipping a package:

  • You write the message.
  • You put it in an envelope.
  • You label it for the correct destination.
  • A carrier moves it.
  • The receiving office opens it and hands it to the right person.

Each OSI layer performs one part of that process.

OSI mnemonic

Top-down mnemonic: All People Seem To Need Data Processing.

Bottom-up mnemonic: Please Do Not Throw Sausage Pizza Away.

> Exam tip: Memorize both the layer number and what kind of addressing or data unit belongs there. Most exam questions are really asking you to identify the layer from a clue.

OSI layer table

| Layer | Name | PDU | Primary function | Example protocols | Example devices | Security relevance |
|---|---|---:|---|---|---|---|
| 7 | Application | Data | User-facing network services | HTTP, HTTPS, SMTP, DNS, FTP, SSH, SNMP, LDAP | Proxy, gateway, WAF | Phishing, web attacks, insecure app design, exposed services |
| 6 | Presentation | Data | Format translation, encryption, compression | TLS/SSL, ASCII, JPEG, MPEG | Gateway | Encryption, data encoding, certificate use, data obfuscation |
| 5 | Session | Data | Establish, manage, and terminate sessions | NetBIOS, RPC, SIP, PPTP session control | Gateway | Session hijacking, logout control, session timeout |
| 4 | Transport | Segments | End-to-end delivery, reliability, ports | TCP, UDP | L4 firewall, load balancer | Port control, stateful inspection, service exposure |
| 3 | Network | Packets | Logical addressing and routing | IP, ICMP, IPSec | Router, Layer 3 switch | Routing security, subnet isolation, packet filtering |
| 2 | Data Link | Frames | MAC addressing and local delivery | Ethernet, ARP, PPP, 802.11 | Switch, bridge, NIC | ARP spoofing, VLAN hopping, MAC filtering |
| 1 | Physical | Bits | Electrical, optical, radio signaling | Cabling standards, fiber, radio | Hub, repeater, cables, access point radio | Cable tapping, jamming, RF interception, physical theft |

Layer 1: Physical

Layer 1 moves raw bits across a medium. It defines voltages, light pulses, radio waves, connectors, pinouts, frequencies, and signaling. This is the layer of cables, transceivers, and wireless radios.

Security relevance:

  • Attackers can unplug cables, tap lines, jam wireless signals, or damage hardware.
  • Physical access to wiring closets and network rooms is a major risk.
  • Signal interference can degrade service or create denial-of-service conditions.

Real-world example:

If a server loses connectivity because a fiber patch cable was cut, that is a Layer 1 problem. If the radio spectrum is jammed so clients cannot connect to Wi-Fi, that is also Layer 1.

Layer 2: Data Link

Layer 2 moves frames on the local network. It uses MAC addresses for local delivery and is responsible for switching, framing, and local error detection.

Security relevance:

  • ARP spoofing/poisoning happens here.
  • VLANs are a Layer 2 segmentation tool.
  • MAC flooding can overwhelm a switch's CAM table.
  • Open Wi-Fi and weak wireless authentication expose Layer 2 traffic.

Real-world example:

If a malicious device pretends to be the gateway by sending fake ARP replies, it can redirect traffic on the local subnet. That is a classic Layer 2 man-in-the-middle attack.

Layer 3: Network

Layer 3 routes packets between networks. It uses IP addresses and routers to decide where traffic goes.

Security relevance:

  • IP addressing defines which host is local and which is remote.
  • Routers can enforce access control lists.
  • Network segmentation is often designed with Layer 3 boundaries.
  • IPSec operates at this layer and protects IP traffic.

Real-world example:

If traffic cannot reach another subnet because of routing or a blocked ACL, the issue is often Layer 3.

Layer 4: Transport

Layer 4 provides end-to-end communication using ports. This is where TCP and UDP live. The transport layer decides whether a conversation is reliable, ordered, and acknowledged.

Security relevance:

  • Firewalls often make decisions based on source and destination ports.
  • SYN floods target TCP handshakes.
  • Port scanning is mostly a Layer 4 reconnaissance activity.
  • Stateful firewalls track session state here.

Real-world example:

If a web server listens on 443 but the firewall blocks that port, the browser cannot connect even if the server is healthy.

Layer 5: Session

Layer 5 creates, manages, and ends communication sessions. It keeps conversations organized.

Security relevance:

  • Session hijacking attacks target active sessions.
  • Strong session timeout settings reduce exposure.
  • Single sign-on and application session management are closely related to this layer.

Real-world example:

If a user stays logged into a sensitive application too long, an attacker who gains access to the workstation may reuse that session.

Layer 6: Presentation

Layer 6 handles data formatting, compression, and encryption. It translates data into a usable form.

Security relevance:

  • TLS/SSL encryption protects confidentiality and integrity.
  • Encoding and certificate handling matter here.
  • Data compression can improve performance but may also create side-channel concerns in some contexts.

Real-world example:

When a browser shows a padlock icon for HTTPS, the presentation layer is handling encrypted transport data for the application.

Layer 7: Application

Layer 7 is where user-facing network services operate. This is the layer most people interact with directly.

Security relevance:

  • Web apps face injection, authentication bypass, and session attacks.
  • Email protocols are often abused for phishing and malware delivery.
  • DNS can be poisoned or abused for tunneling.
  • Remote management services like SSH, RDP, and SNMP can become attack surfaces if exposed.

Real-world example:

If a user receives a phishing email with a fake login page, the attack is targeting the application layer because it abuses a user-facing service.

OSI quick memory table

| Layer | Key clue |
|---|---|
| 7 | App protocol, browser, email, DNS |
| 6 | Encryption, format, encoding |
| 5 | Session state, login persistence |
| 4 | TCP/UDP, ports, firewall rules |
| 3 | IP addresses, routers, subnets |
| 2 | MAC addresses, switches, ARP |
| 1 | Cables, radio, signals |

> Exam tip: If the question says “ports,” think Layer 4. If it says “MAC address,” think Layer 2. If it says “IP address,” think Layer 3.

---

TCP/IP Model

The TCP/IP model is the practical stack used by the Internet. It has four layers, and it maps to the OSI model.

TCP/IP to OSI mapping

| TCP/IP Layer | OSI Layers | Function |
|---|---|---|
| Application | 5, 6, 7 | User services and application protocols |
| Transport | 4 | End-to-end delivery, ports, reliability |
| Internet | 3 | Logical addressing and routing |
| Network Access | 1, 2 | Physical transmission and local delivery |

Why both models matter

The OSI model is better for learning and troubleshooting because it separates concerns into seven layers. TCP/IP is better for real-world protocol discussions because it matches the Internet stack more closely.

Analogy:

  • OSI is like a detailed map with every neighborhood labeled.
  • TCP/IP is like the actual route app that tells you how to get there.

---

TCP vs UDP

TCP and UDP are the main Layer 4 transport protocols.

TCP

TCP, Transmission Control Protocol, is connection-oriented and reliable. It confirms delivery, orders packets, retransmits lost data, and controls flow.

The TCP three-way handshake:

1. Client sends SYN.
2. Server replies SYN-ACK.
3. Client sends ACK.

That handshake establishes a session before data transfer.

Why TCP is used:

  • Web browsing over HTTPS
  • Email transfer
  • File transfers
  • Database connections
  • Remote administration where integrity matters

UDP

UDP, User Datagram Protocol, is connectionless and lightweight. It sends datagrams without setting up a formal session.

Why UDP is used:

  • DNS queries
  • VoIP and live audio/video
  • Streaming
  • Online gaming
  • Broadcast and multicast scenarios

TCP vs UDP comparison

| Feature | TCP | UDP |
|---|---|---|
| Connection | Connection-oriented | Connectionless |
| Handshake | Three-way handshake | None |
| Reliability | Reliable, acknowledgments, retransmissions | Best effort |
| Ordering | In-order delivery | No ordering guarantee |
| Speed | Slower due to overhead | Faster and lighter |
| Use when | Accuracy matters | Speed and low latency matter |
| Common examples | HTTPS, SSH, SMTP | DNS, VoIP, streaming |

When to choose TCP or UDP

Use TCP when the application must not lose or reorder data. For example, downloading a file or logging into a server needs accuracy.

Use UDP when speed matters more than perfect delivery. For example, a live video call can tolerate a missed packet better than a delayed packet.

> Exam tip: If the question says “fast, lightweight, no handshake,” the answer is usually UDP. If it says “reliable, connection-oriented,” the answer is TCP.

---

IPv4

IPv4 is the fourth version of the Internet Protocol and uses 32-bit addresses.

An IPv4 address is usually written in dotted decimal notation, such as 192.168.1.10.

IPv4 basics

  • 32-bit address space
  • About 4.3 billion possible addresses
  • Designed long before today’s massive Internet scale

The main problem with IPv4 is address exhaustion. There are not enough public addresses for every device on Earth, so private addressing and NAT became common.

Private IPv4 ranges

Private addresses are not routed on the public Internet. They are used inside organizations and homes.

| Private range | CIDR | Typical use |
|---|---|---|
| 10.0.0.0 - 10.255.255.255 | 10.0.0.0/8 | Large enterprises, cloud networks |
| 172.16.0.0 - 172.31.255.255 | 172.16.0.0/12 | Medium networks |
| 192.168.0.0 - 192.168.255.255 | 192.168.0.0/16 | Home and small office networks |

Subnetting concept

Subnetting is the practice of dividing one larger network into smaller logical networks.

Why subnet?

  • Reduce broadcast traffic
  • Improve security boundaries
  • Organize departments or services
  • Limit the scope of problems

Simple example:

An organization may split a single address block into separate subnets for users, servers, printers, and guests. That way, guest Wi-Fi cannot directly reach internal servers.

Analogy:

Think of subnetting like dividing a large office building into separate departments with locked doors between them.
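
The private ranges and the users/servers/printers/guests split described above, worked through as an added example (not part of the original lesson). The parent block `192.168.0.0/22`, the zone names, and the allow-list are assumptions chosen for illustration.

```python
import ipaddress

# The three private IPv4 blocks from the private range table.
PRIVATE_BLOCKS = [ipaddress.ip_network(c) for c in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def private_block(addr):
    """Return the private block that contains addr, or None if it is public."""
    ip = ipaddress.ip_address(addr)
    for block in PRIVATE_BLOCKS:
        if ip in block:
            return str(block)
    return None

def plan_subnets(parent, names):
    """Split parent into equal-sized subnets and assign one to each name."""
    net = ipaddress.ip_network(parent)
    # Extra prefix bits needed to get at least len(names) subnets.
    extra_bits = (len(names) - 1).bit_length()
    return dict(zip(names, net.subnets(prefixlen_diff=extra_bits)))

def zone_of(addr, plan):
    """Return the name of the subnet that addr falls in, or None."""
    ip = ipaddress.ip_address(addr)
    for name, net in plan.items():
        if ip in net:
            return name
    return None

def may_talk(src, dst, plan, allowed):
    """Default deny between subnets; traffic inside one subnet stays local."""
    s, d = zone_of(src, plan), zone_of(dst, plan)
    if s is None or d is None:
        return False
    return s == d or (s, d) in allowed

# Constructed sample: one /22 split into four /24 subnets.
PLAN = plan_subnets("192.168.0.0/22", ["users", "servers", "printers", "guests"])
# Hypothetical policy: only users may cross into servers and printers.
ALLOWED = {("users", "servers"), ("users", "printers")}

if __name__ == "__main__":
    for name, net in PLAN.items():
        print(f"{name:9} {net}  usable hosts: {net.num_addresses - 2}")
    print("172.31.255.254 ->", private_block("172.31.255.254"))
    print("172.32.0.1     ->", private_block("172.32.0.1"))
    print("guest -> server allowed?",
          may_talk("192.168.3.50", "192.168.1.10", PLAN, ALLOWED))
```

The `172.32.0.1` case is the common trap: the 172 private block is a /12 that ends at 172.31.255.255, so anything from 172.32 upward is public.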

NAT

Network Address Translation (NAT) lets many private devices share one public IP address.

How it works:

  • Your laptop uses a private address like 192.168.1.25.
  • The router translates it to a public address when traffic goes out.
  • Return traffic is mapped back to the correct internal device.

Why NAT matters:

  • Conserves public IPv4 addresses
  • Hides internal addressing from the Internet
  • Adds a basic layer of obscurity, though it is not a substitute for security controls

Common NAT forms:

  • Static NAT: one private address maps to one public address
  • Dynamic NAT: private address maps from a pool of public addresses
  • PAT/NAT overload: many private addresses share one public IP using different ports

> Exam tip: NAT helps with address conservation, but it is not the same thing as a firewall.
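
A toy model of PAT/NAT overload, added here as an illustration and not taken from the original lesson. The `PatRouter` class and the documentation-range addresses (`203.0.113.5`, `198.51.100.x`) are assumptions; the `stateful` switch shows the sender check that a firewall adds on top of plain translation.

```python
class PatRouter:
    """Toy PAT: many private hosts share one public IP via different ports."""

    def __init__(self, public_ip, first_port=49152):
        self.public_ip = public_ip
        self.next_port = first_port   # start of the dynamic/ephemeral range
        self.out = {}     # (private_ip, private_port) -> public_port
        self.back = {}    # public_port -> (private_ip, private_port)
        self.peers = {}   # public_port -> remote endpoints the host contacted

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the private source to the shared public IP and a unique port."""
        key = (src_ip, src_port)
        if key not in self.out:
            if self.next_port > 65535:
                raise RuntimeError("public port pool exhausted")
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.peers[self.next_port] = set()
            self.next_port += 1
        public_port = self.out[key]
        self.peers[public_port].add((dst_ip, dst_port))
        return (self.public_ip, public_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port, stateful=False):
        """Map return traffic back to the internal host, or None if dropped."""
        key = self.back.get(dst_port)
        if key is None:
            return None               # no translation entry exists
        if stateful and (src_ip, src_port) not in self.peers[dst_port]:
            return None               # sender was never contacted from inside
        return (src_ip, src_port, key[0], key[1])

def demo():
    r = PatRouter("203.0.113.5")
    # Two laptops use the same source port; PAT keeps them apart.
    a = r.outbound("192.168.1.25", 51000, "198.51.100.10", 443)
    b = r.outbound("192.168.1.26", 51000, "198.51.100.10", 443)
    reply = r.inbound("198.51.100.10", 443, b[1])
    # A different remote host sends to the port mapped for the first laptop.
    stranger_plain = r.inbound("198.51.100.99", 12345, a[1])
    stranger_filtered = r.inbound("198.51.100.99", 12345, a[1], stateful=True)
    return a, b, reply, stranger_plain, stranger_filtered

if __name__ == "__main__":
    for row in demo():
        print(row)
```

In this toy model the translation table alone forwards the stranger's packet because it only looks at the destination port; filtering behaviour on real NAT devices varies, which is why translation is not treated as a firewall.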

---

IPv6

IPv6 is the next-generation Internet Protocol. It uses 128-bit addresses and solves the IPv4 exhaustion problem.

IPv6 addresses are written in hexadecimal, for example 2001:db8::1.

Why IPv6 exists

IPv4 ran out of usable public space. IPv6 provides a vastly larger address pool, enough for the future growth of Internet-connected devices.

IPv6 advantages

  • Huge address space
  • Easier end-to-end connectivity at scale
  • Better support for modern networks
  • Less dependence on NAT in many designs

IPv4 vs IPv6 comparison

| Feature | IPv4 | IPv6 |
|---|---|---|
| Address size | 32-bit | 128-bit |
| Notation | Dotted decimal | Hexadecimal with colons |
| Address space | ~4.3 billion | Vastly larger |
| Problem solved | Legacy Internet routing | IPv4 exhaustion |
| NAT reliance | Common | Less necessary |

> Exam tip: If the question asks how to solve IPv4 exhaustion, the answer is IPv6.

---

Wi-Fi Security

Wi-Fi refers to 802.11 wireless networking standards. Because wireless traffic travels through the air, it is easier to intercept than wired traffic. That makes strong authentication and encryption essential.

Wi-Fi security evolution

| Standard | Status | Notes |
|---|---|---|
| WEP | Broken | Weak encryption, easily cracked, never use |
| WPA | Improved | Transitional fix, better than WEP but outdated |
| WPA2 | Strong and common | Current minimum for many environments |
| WPA3 | Best current standard | Stronger protections and better resistance to password cracking |

Wireless concepts

  • SSID: the network name broadcast by the access point
  • Access point (AP): the device that connects wireless clients to the network
  • Channel: the radio frequency used for communication
  • Rogue AP: an unauthorized access point

Wi-Fi security risks

  • Eavesdropping on unsecured wireless traffic
  • Rogue access points
  • Evil twin attacks
  • Weak passwords on WPA2 networks
  • Legacy WEP networks that can be cracked quickly

Real-world example:

If a café runs open Wi-Fi with no encryption, anyone nearby can potentially sniff traffic. If the same café uses WPA3 with strong authentication, casual interception becomes far harder.

> Exam tip: WEP is broken. If it appears as an answer choice, it is usually wrong unless the question is asking what not to use.

---

Exam-Relevant Ports

Port numbers help identify network services. Some services use one port; others use two. In exam questions, you usually identify the service from the port or the port from the service.

Core port table

| Port | Service | Purpose | Notes |
|---:|---|---|---|
| 20 | FTP data | File transfer data channel | Paired with 21 |
| 21 | FTP control | FTP commands | Unencrypted by default |
| 22 | SSH | Secure remote administration | Encrypted shell |
| 23 | Telnet | Remote administration | Insecure, plaintext |
| 25 | SMTP | Send email | Mail transfer between servers |
| 53 | DNS | Name resolution | Uses TCP and UDP |
| 67 | DHCP server | Assigns IP addresses | Server side |
| 68 | DHCP client | Receives IP addresses | Client side |
| 80 | HTTP | Unencrypted web | Plain text web traffic |
| 110 | POP3 | Email retrieval | Often replaces older mailbox access |
| 143 | IMAP | Email synchronization | Keeps mail on server |
| 161 | SNMP | Management queries | Monitoring and polling |
| 162 | SNMP trap | Alerts from devices | Trap/notification port |
| 389 | LDAP | Directory services | Often paired with Active Directory use cases |
| 443 | HTTPS | Encrypted web | HTTP over TLS |
| 636 | LDAPS | LDAP over TLS | Secure directory access |
| 3389 | RDP | Remote Desktop | Common Windows remote admin port |

Port range table

| Range | Name | Meaning |
|---|---|---|
| 0-1023 | Well-known ports | Common system services |
| 1024-49151 | Registered ports | Vendor/app-assigned services |
| 49152-65535 | Dynamic/Ephemeral ports | Temporary client-side ports |

Protocol notes

  • DNS uses both TCP and UDP. UDP is common for normal queries; TCP is used for large responses and zone transfers.
  • FTP uses separate control and data channels, which is why it is more complex and less secure than modern alternatives.
  • Telnet sends data in plaintext. SSH is the secure replacement.
  • HTTPS is HTTP protected by TLS.
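
The port tables and protocol notes above, applied to a review of a host's listening sockets. This is an added example, not part of the original lesson; the `audit` function, the note wording, and the sample listener list are assumptions constructed for illustration.

```python
# Port -> service, copied from the core port table.
SERVICES = {
    20: "FTP data", 21: "FTP control", 22: "SSH", 23: "Telnet", 25: "SMTP",
    53: "DNS", 67: "DHCP server", 68: "DHCP client", 80: "HTTP", 110: "POP3",
    143: "IMAP", 161: "SNMP", 162: "SNMP trap", 389: "LDAP", 443: "HTTPS",
    636: "LDAPS", 3389: "RDP",
}
# Ports this page marks as unencrypted -> encrypted replacement it names
# (None where the page names no specific replacement).
PLAINTEXT = {21: None, 23: 22, 80: 443, 389: 636}
# Remote management services the Layer 7 section lists as attack surface.
REMOTE_MGMT = {22, 161, 3389}
LOOPBACK = {"127.0.0.1", "::1"}

def port_range(port):
    """Classify a port using the port range table."""
    if not 0 <= port <= 65535:
        raise ValueError(f"not a valid port: {port}")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/ephemeral"

def audit(listeners):
    """listeners: iterable of (bind_address, port). Returns one dict per listener."""
    findings = []
    for addr, port in listeners:
        service = SERVICES.get(port, "unknown")
        notes = []
        if port in PLAINTEXT:
            repl = PLAINTEXT[port]
            hint = f"; prefer {SERVICES[repl]} on {repl}" if repl else ""
            notes.append("plaintext" + hint)
        if port in REMOTE_MGMT and addr not in LOOPBACK:
            notes.append("remote management reachable off-host")
        if service == "unknown" and port_range(port) != "dynamic/ephemeral":
            notes.append("unrecognised listener; identify the owning process")
        findings.append({"addr": addr, "port": port, "service": service,
                         "range": port_range(port), "notes": notes})
    return findings

# Constructed sample of listening sockets (bind address, port).
SAMPLE = [("0.0.0.0", 23), ("0.0.0.0", 443), ("127.0.0.1", 3389),
          ("0.0.0.0", 3389), ("0.0.0.0", 8080), ("0.0.0.0", 51000)]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['addr']:>9}:{f['port']:<5} {f['service']:8} "
              f"{f['range']:17} {'; '.join(f['notes']) or 'ok'}")
```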

Fast memorization chart

| Service | Port | Memory hook |
|---|---:|---|
| SSH | 22 | Secure shell |
| Telnet | 23 | Insecure old remote access |
| SMTP | 25 | Send mail |
| DNS | 53 | Domain name system |
| HTTP | 80 | Web without encryption |
| HTTPS | 443 | Secure web |
| RDP | 3389 | Windows remote desktop |

> Exam tip: If a question asks for secure remote terminal access, choose SSH on port 22, not Telnet on 23.

---

Real-World Scenarios

Scenario 1: Small business Wi-Fi

A small office uses one Internet connection for 20 devices. The router gives each device a private IPv4 address and translates outbound traffic using NAT. This conserves public IP addresses and hides internal hosts from direct Internet exposure.

Scenario 2: Secure remote administration

An administrator needs to manage a Linux server remotely. SSH on port 22 is the correct choice because it encrypts the session. Telnet would expose credentials in plaintext and should not be used.

Scenario 3: Conference VoIP

A voice calling application should generally use UDP because low latency matters more than perfect packet delivery. A few lost packets are less harmful than a delayed conversation.

Scenario 4: Office segmentation

A company splits finance systems, guest Wi-Fi, and internal servers into separate subnets. This reduces lateral movement and limits the blast radius of a compromised device.

---

Exam Tips

  • If the question mentions ports, think Layer 4.
  • If the question mentions IP, subnet, or router, think Layer 3.
  • If the question mentions MAC, switch, or ARP, think Layer 2.
  • If the question mentions browser, email, DNS, or HTTPS, think Layer 7.
  • WEP is broken.
  • IPv6 solves IPv4 exhaustion.
  • TCP is reliable; UDP is faster and lighter.
  • SSH is secure; Telnet is not.
  • DNS commonly uses UDP but can use TCP.

---

Practice Questions

1. Which OSI layer is responsible for routing packets between networks?
2. What protocol uses a three-way handshake?
3. Which IPv4 range is private and commonly used in home networks?
4. What is the primary reason IPv6 was created?
5. Which Wi-Fi standard is broken and should not be used?
6. What port is used by SSH?
7. Which OSI layer uses MAC addresses?
8. What does NAT help conserve?
9. Which protocol is best for live video because it avoids handshake overhead?
10. What port is used by HTTPS?

Answers

1. ✅ Layer 3, Network
2. ✅ TCP
3. ✅ 192.168.0.0/16
4. ✅ IPv4 address exhaustion
5. ✅ WEP
6. ✅ 22
7. ✅ Layer 2, Data Link
8. ✅ Public IPv4 addresses
9. ✅ UDP
10. ✅ 443