Foundations · Module 4
Networks, transport, and what leaks
Networks move data in pieces, not in one blob.
What you will be able to do
1. Explain what headers, payloads, and metadata are
2. Explain why encrypted traffic can still leak behaviour patterns
3. Explain where DNS, TLS, and ports sit in a real connection
4. Name two signals you would keep for basic detection
Before you begin
- No previous technical background required
- Read the section explanation before using tools
Common ways people get this wrong
- Blaming ‘the network’. If you cannot say which step failed, you do not have a diagnosis.
- TLS as a magic shield. TLS protects data in transit. It does not fix weak authentication or broken access control.
Main idea at a glance
OSI and TCP/IP layer mapping
```mermaid
flowchart TB
subgraph OSI[OSI model]
O7["7 Application"]
O6["6 Presentation"]
O5["5 Session"]
O4["4 Transport<br/>TCP or UDP"]
O3["3 Network<br/>IP routing"]
O2["2 Data Link<br/>Ethernet or Wi-Fi"]
O1["1 Physical<br/>Signals on wire or air"]
end
subgraph TCPIP[TCP/IP model]
T4["Application<br/>HTTP, DNS, TLS"]
T3["Transport<br/>TCP or UDP"]
T2["Internet<br/>IP"]
T1["Link<br/>Ethernet or Wi-Fi"]
end
O7 --> T4
O6 --> T4
O5 --> T4
O4 --> T3
O3 --> T2
O2 --> T1
O1 --> T1
classDef layer fill:#ffffff,stroke:#94a3b8,color:#0f172a;
class O7,O6,O5,O4,O3,O2,O1,T4,T3,T2,T1 layer;
style OSI fill:#f8fafc,stroke:#cbd5e1;
style TCPIP fill:#f8fafc,stroke:#cbd5e1;
```
Networks move data in pieces, not in one blob. This module shows how packets travel, what leaks even when content is encrypted, and how basic monitoring gives you options when prevention fails.
Prevention alone fails. Not because people are lazy, but because systems are complex. Something will slip. A password will leak. A laptop will go missing. A supplier will get compromised. Defence needs layers, and it needs feedback.
This maps onto the NIST Cybersecurity Framework 2.0 Protect, Detect, and Respond functions. Protect reduces likelihood. Detect reduces time to notice. Respond reduces harm and recovery time. Cyber Essentials, and its audited Cyber Essentials Plus tier, focuses on practical technical controls that support this loop: firewalls and boundary protection, secure configuration, access control, malware protection, and patch management.
Logging matters before incidents. If you do not collect basic logs, you cannot tell what happened. Then every incident becomes a guessing game. You end up with panic, broad resets, and lost time. A simple response plan beats a heroic late night. It tells people who decides, who communicates, and what evidence to preserve.
In real organisations, this is the difference between "we think it was this account" and "we can show the exact sequence of actions." It is also why detection engineering is a real job. Good teams treat detection as a product that is tuned, tested, and improved.
Everyday example. If a fire alarm goes off but nobody knows which room triggered it, everyone wastes time. If the alarm logs the room and the time, you can respond quickly and avoid a full building panic.
Common mistake. Turning on every log and then drowning in noise, or logging nothing and then trying to do forensics with guesses. Another common mistake is writing an incident plan that nobody has rehearsed.
Why it matters. Detection and response are how you limit harm when prevention fails. You cannot undo a breach with wishful thinking. You need evidence, speed, and clear ownership.
Under the hood, data still moves as packets. A packet has a header and a payload. The header is the envelope that tells the network where it is going. The payload is the content. Even when the payload is encrypted, metadata can still reveal behaviour. That is why monitoring often starts with patterns, not secrets.
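To make the envelope versus content split concrete, here is an added example (my code, not part of the course page or its Metadata leak explorer): it reads the header fields of a raw IPv4/TCP packet, leaves the payload unread, and then shows that a TLS connection still gives away the server name, because the ClientHello's server_name (SNI) extension is sent before any encryption starts. The packets, addresses (TEST-NET ranges) and the zeroed checksums are all constructed here for illustration; nothing touches a real network.

```python
"""Added example, not from the course page: read the 'envelope' of a raw
IPv4/TCP packet and show what an observer learns without any decryption key.
The packets are constructed in memory (TEST-NET addresses, zero checksums), so
nothing here touches a real network."""
import struct
from ipaddress import IPv4Address


def parse_ipv4_tcp(packet: bytes) -> dict:
    """Split one packet into header metadata and opaque payload.

    Assumes IPv4 with no options (IHL=5) carrying TCP; anything else is rejected
    rather than guessed at.
    """
    if len(packet) < 40:
        raise ValueError("too short for IPv4 + TCP headers")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl != 20 or proto != 6:
        raise ValueError("only IPv4 without options carrying TCP is handled")
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", packet[ihl:ihl + 14])
    tcp_hlen = (off_flags >> 12) * 4
    payload = packet[ihl + tcp_hlen:total_len]
    return {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "sport": sport, "dport": dport, "ttl": ttl,
            "flags": off_flags & 0x1FF, "payload_len": len(payload), "payload": payload}


def extract_sni(payload: bytes):
    """Return the hostname from a TLS ClientHello's server_name extension, else None.

    The ClientHello is sent in the clear, which is why 'encrypted' traffic still
    reveals which site you are talking to. Malformed or non-handshake input yields None.
    """
    try:
        # Record header: type(1) version(2) length(2); handshake type 0x01 = ClientHello
        if payload[0] != 0x16 or payload[5] != 0x01:
            return None
        body = payload[9:9 + int.from_bytes(payload[6:9], "big")]
        pos = 2 + 32                                          # client_version + random
        pos += 1 + body[pos]                                  # session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher_suites
        pos += 1 + body[pos]                                  # compression_methods
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            etype = int.from_bytes(body[pos:pos + 2], "big")
            elen = int.from_bytes(body[pos + 2:pos + 4], "big")
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 0:                                    # server_name extension
                # list_len(2) name_type(1) name_len(2) name
                return data[5:5 + int.from_bytes(data[3:5], "big")].decode("ascii")
    except (IndexError, UnicodeDecodeError):
        pass
    return None


def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal ClientHello with one SNI entry (random bytes zeroed)."""
    name = server_name.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00"            # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"          # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed IPv4 + TCP (PSH|ACK) packet with no options and zero checksums."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | 0x018, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + tcp + payload


def what_leaks(packets):
    """Per packet, what a passive observer sees: who, where, how much, and (for a
    ClientHello) which name. The payload bytes themselves are never interpreted."""
    rows = []
    for pkt in packets:
        m = parse_ipv4_tcp(pkt)
        rows.append((m["src"], m["dst"], m["dport"], m["payload_len"], extract_sni(m["payload"])))
    return rows


# Constructed sample: a ClientHello, then one TLS application-data record (opaque).
SAMPLE = [
    build_packet("192.0.2.5", "203.0.113.10", 51000, 443, build_client_hello("mail.example.com")),
    build_packet("192.0.2.5", "203.0.113.10", 51000, 443, b"\x17\x03\x03\x00\x20" + bytes(32)),
]

if __name__ == "__main__":
    for row in what_leaks(SAMPLE):
        print(row)
```

Run it and the second packet's row shows the point of this module: no key, no content, yet source, destination, port, size and (from the first packet) the hostname are all in the open. Encrypted Client Hello and encrypted DNS narrow that leak; they do not remove the destination address, the timing or the volume.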
Network security concepts that matter first
- HTTPS with TLS. Protects data in transit between browser and server, but metadata can still leak.
- DNS as name resolution. Translates names to IP addresses and can be manipulated without suitable controls.
- VPN as a trust shift. Encrypts the hop between your device and the VPN server, so the local network sees less, but the VPN provider now sees what the local network used to see.
- Segmentation for containment. Separates trust zones so one compromise does not spread unchecked.
Common attack patterns and first defences
- Man in the middle (MitM). An attacker sits between you and the service and relays or alters traffic. Reduced by TLS with strict certificate validation, so a forged or untrusted certificate fails the handshake instead of being clicked through.
- DNS hijacking. Name resolution is redirected to an attacker's address. DNSSEC lets resolvers verify that answers are authentic; encrypted DNS (DoT or DoH) stops tampering on the path between you and your resolver.
- Packet sniffing. Passive capture of traffic on a shared medium. Strong encryption makes the payload useless to the sniffer, though headers and timing still show.
- ARP spoofing. A device on the same LAN answers for the gateway's IP address and pulls traffic through itself. Reduced by switch protections such as dynamic ARP inspection, by segmentation, and by still validating TLS so that interception does not become decryption.
Real world scenario. Home network security
Your home network is an attack surface too. Consider four areas.
Four home network priorities
- Router baseline. Change default credentials, update firmware, and isolate guest access.
- IoT device controls. Treat cameras and smart devices as higher-risk endpoints and put them on their own segment.
- Wi-Fi hardening. Use WPA3 where possible, with strong passphrases and segmentation.
- Device hygiene. Keep laptops, tablets, and phones updated with basic protection enabled.
Home network containment pattern
```mermaid
flowchart LR
Internet["Internet"] --> Router["Router and firewall"]
Router --> Trusted["Trusted devices"]
Router --> Guest["Guest network"]
Router --> IoT["IoT segment"]
IoT --> Camera["Smart camera"]
IoT --> Sensor["Smart sensor"]
Trusted --> Laptop["Laptop"]
Trusted --> Phone["Phone"]
Guest --> GuestDevice["Visitor device"]
Camera -. "Compromise attempt" .-> Trusted
Sensor -. "Suspicious traffic" .-> Router
classDef zone fill:#ffffff,stroke:#94a3b8,color:#0f172a;
class Internet,Router,Trusted,Guest,IoT,Camera,Sensor,Laptop,Phone,GuestDevice zone;
style Trusted fill:#ecfeff,stroke:#67e8f9;
style Guest fill:#fef9c3,stroke:#facc15;
style IoT fill:#fee2e2,stroke:#fca5a5;
```
A compromised smart camera can be used to spy on you, launch attacks on other devices, or join a botnet for distributed denial-of-service (DDoS) attacks. Security isn't just about corporate networks.
Mental model
A request is a chain
Most ‘network problems’ are a chain of smaller steps. Diagnose the step, not the vibe.
1. DNS name
2. IP address
3. TCP connection
4. TLS session
5. HTTP request
Assumptions to keep in mind
- Order matters. If name resolution fails, you never reach TLS. If TCP fails, HTTP never starts.
- Trust is explicit. TLS only helps if certificates are validated and you trust the right name.
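Here is that chain as a diagnostic you can actually run, as an added example (my code, not the course's). It performs the steps in order with only the standard library and stops at the first one that raises, so the answer is "TLS session failed with a certificate error", not "the network is down". The `WHERE_TO_LOOK` hints and the `ctx` dictionary that passes the resolved address and sockets between steps are my own conventions; `failing()` builds a step that always fails so the runner can be exercised without a network.

```python
"""Added example, not from the course page: walk the request chain one step at a
time and report the first step that fails, so the diagnosis names a step rather
than 'the network'. Uses only the standard library. The real steps need network
access; failing() exists so the runner can be exercised offline."""
import socket
import ssl


def dns_step(ctx):
    """Steps 1-2: resolve the name to an IP address, kept in ctx for the next step."""
    ctx["ip"] = socket.gethostbyname(ctx["host"])
    return ctx["ip"]


def tcp_step(ctx):
    """Step 3: open the TCP connection to the resolved address."""
    ctx["sock"] = socket.create_connection((ctx["ip"], ctx["port"]), timeout=ctx["timeout"])
    return f"connected to {ctx['ip']}:{ctx['port']}"


def tls_step(ctx):
    """Step 4: TLS handshake. create_default_context() verifies the chain and checks
    the certificate against server_hostname, so an untrusted or wrong name fails here."""
    tls = ssl.create_default_context().wrap_socket(ctx["sock"], server_hostname=ctx["host"])
    ctx["tls"] = tls
    return f"{tls.version()} with {tls.cipher()[0]}"


def http_step(ctx):
    """Step 5: one HEAD request; the status line is all a diagnosis needs."""
    req = f"HEAD / HTTP/1.1\r\nHost: {ctx['host']}\r\nConnection: close\r\n\r\n"
    ctx["tls"].sendall(req.encode())
    return ctx["tls"].recv(4096).split(b"\r\n", 1)[0].decode(errors="replace")


HTTPS_CHAIN = [("DNS name", dns_step), ("TCP connection", tcp_step),
               ("TLS session", tls_step), ("HTTP request", http_step)]

# Where to look when a given step is the one that fails (my own summary, not the course's).
WHERE_TO_LOOK = {
    "DNS name": "resolver settings, DNS filtering, captive portal",
    "TCP connection": "firewall or blocked port, host down, wrong address",
    "TLS session": "certificate, system clock, interception proxy, wrong hostname",
    "HTTP request": "the application itself, not the network",
}


def run_chain(steps, host, port=443, timeout=5.0):
    """Run steps in order; stop at the first exception and report which step it was."""
    ctx = {"host": host, "port": port, "timeout": timeout}
    trace = []
    try:
        for name, step in steps:
            try:
                trace.append((name, "ok", step(ctx)))
            except Exception as exc:
                trace.append((name, "fail", f"{type(exc).__name__}: {exc}"))
                return {"failed_at": name, "look_at": WHERE_TO_LOOK.get(name), "trace": trace}
        return {"failed_at": None, "look_at": None, "trace": trace}
    finally:
        for key in ("tls", "sock"):          # tls wraps sock; closing a detached socket is harmless
            if key in ctx:
                ctx[key].close()


def failing(exc):
    """Build a step that raises exc; lets the runner be tested without a network."""
    def step(ctx):
        raise exc
    return step


if __name__ == "__main__":
    import sys
    result = run_chain(HTTPS_CHAIN, sys.argv[1] if len(sys.argv) > 1 else "example.com")
    for name, status, detail in result["trace"]:
        print(f"{name:15} {status:5} {detail}")
    print("failed at:", result["failed_at"], "->", result["look_at"])
```

Two things to notice. The trace stops where the chain stops: if DNS fails you never see a TCP or TLS line, which is exactly the "order matters" assumption above. And the TLS step does not pass `check_hostname=False` or `CERT_NONE`; if a public Wi-Fi proxy hands you a substituted certificate, that step is supposed to fail, and the fix is to distrust the network, not to disable validation.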
Key terms
- Logging. Recording important events so you can reconstruct what happened, spot anomalies, and prove or disprove a theory.
- Packet. A small chunk of data with a header and payload, used to move information across a network.
- Metadata. Information about data, such as source, destination, timing, and size.
- Port. A number that identifies which service or application should receive the traffic.
- Protocol. An agreed set of rules that describe how data is formatted and transmitted.
Check yourself
Quick check. Networks and transport
Scenario. You can open a site by IP address, but the domain name fails. Where should you look first?
DNS. Name resolution is separate from the connection itself.
Scenario. A connection is encrypted, but someone can still see which services you are using. How?
Metadata. The envelope still reveals destination IP, timing, and often domain via DNS or other patterns, even if payload is encrypted.
Scenario. A login works sometimes and fails on public Wi-Fi. What network factors might explain it?
Captive portals, blocked ports, DNS issues, or middleboxes interfering. You troubleshoot layer by layer rather than guessing.
Why are packets used instead of one large blob
Small packets are easier to route, resend on failure, and share network capacity.
What does TLS mainly protect
It protects confidentiality and integrity of data in transit between endpoints, but it does not hide all metadata.
Artefact and reflection
Artefact
A simple diagram of one network journey you use, with trust boundaries marked
Reflection
Where in your work would being able to explain headers, payloads, and metadata change a decision, and what evidence would make you trust that change?
Optional practice
Choose a short message, press send, and watch it move through a simulated path showing layers, headers and payload.
Also in this module
Metadata leak explorer
Send example traffic and watch how timing, size and destination patterns still reveal behaviour.
Network Analysis Introduction
Learn about Wireshark and network protocol analysis. Explore resources for analysing real network traffic and identifying security issues.
DNS Trust and Security
Learn about DNS queries, DNS hijacking, DNSSEC, and how to identify typosquatting domains used in phishing.
Attack Surface Mapper
Practice mapping network architecture to identify where attackers might gain access and where trust boundaries should exist.