Network Security Basics
A network is a group of computers and devices connected together to share data and resources. The internet is the largest network in the world. Network security is the practice of protecting this web of connections from unauthorized access, misuse, and attacks.
Every time data moves from one device to another — a login request, an email, a bank transaction — it travels across a network. Securing that network means securing the road that data travels on. If the road is unsafe, every vehicle (data packet) traveling on it is at risk.
How a Basic Network Works
HOME / OFFICE NETWORK STRUCTURE:
Devices (Laptop, Phone, Printer)
│
▼
[SWITCH] ── connects all devices in the same location
│
▼
[ROUTER] ── connects the local network to the internet
│
▼
[MODEM] ── converts signal from ISP for use in local network
│
▼
INTERNET
Understanding these components helps in understanding where attacks happen and where defenses must be placed.
Key Networking Concepts for Security
IP Address
Every device on a network has a unique address called an IP (Internet Protocol) address. It works like a home address — data packets know where to go because of the IP address. Example: 192.168.1.10 is a typical local IP address.
Port
A port is a numbered channel through which a specific type of network traffic flows. Think of an IP address as the building and a port as the specific door inside that building. Port 80 is used for web traffic (HTTP). Port 443 is for secure web traffic (HTTPS). Port 25 handles email. Attackers scan for open ports to find ways into a system.
Protocol
A protocol is a set of rules for how data is formatted and transmitted. HTTP, HTTPS, FTP, and SSH are all protocols. Some protocols are secure (HTTPS encrypts data). Some are not (HTTP sends data in plain text).
Packet
Data does not travel as one big chunk. It breaks into small pieces called packets. Each packet contains a source address, destination address, and a portion of the actual data. Packets travel independently and reassemble at the destination.
EMAIL TRAVELING AS PACKETS:
EMAIL CONTENT: "Hello, please find the attached report."
BREAKS INTO:
Packet 1: [From: A] [To: B] [Data: "Hello, please"]
Packet 2: [From: A] [To: B] [Data: " find the attached"]
Packet 3: [From: A] [To: B] [Data: " report."]
Each packet takes its own route through the internet.
All packets reassemble at destination to form the full email.
Types of Networks
| Network Type | Full Name | Coverage | Example |
|---|---|---|---|
| LAN | Local Area Network | Single building or floor | Office network, home Wi-Fi |
| WAN | Wide Area Network | Large geographic area | Internet, bank branch connections |
| MAN | Metropolitan Area Network | City-wide | City CCTV network |
| WLAN | Wireless Local Area Network | Same as LAN but wireless | Wi-Fi network at a café |
| VPN | Virtual Private Network | Any location via internet | Remote employees accessing office network |
Common Network Security Threats
Eavesdropping (Sniffing)
An attacker uses software to capture data packets as they travel across the network. On an unencrypted network (like public Wi-Fi), the captured packets reveal usernames, passwords, and private messages in plain text.
EAVESDROPPING ON PUBLIC WI-FI:
User's Laptop ──── (Unencrypted Wi-Fi) ──── Router
                          │
                  Attacker's Device
               (Running packet sniffer)
                          │
                 Captures all packets
  Reads: "Login: user@email.com / Pass: mypassword"
IP Spoofing
An attacker fakes their IP address to appear as a trusted device on the network. The receiving server thinks the request comes from a known, safe source and allows it through.
ARP Poisoning
ARP (Address Resolution Protocol) maps IP addresses to physical device addresses on a local network. In an ARP poisoning attack, the attacker sends false ARP messages to trick devices into routing their traffic through the attacker's machine — enabling a Man-in-the-Middle attack.
DNS Spoofing
DNS (Domain Name System) translates a website name (like google.com) into an IP address. In DNS spoofing, the attacker poisons the DNS records so that a legitimate website name points to a malicious IP address. The victim types the correct website URL but lands on a fake site.
DNS SPOOFING:
Normal DNS: User types "mybank.com" → DNS says "IP: 203.0.113.10" → Real bank website
Spoofed DNS: User types "mybank.com" → Poisoned DNS says "IP: 198.51.100.5" → Fake bank site
User sees a perfect copy of the bank site → Enters credentials → STOLEN
Network Segmentation
Network segmentation divides a large network into smaller sections called segments or subnets. Each segment is isolated. If an attacker breaks into one segment, they cannot automatically access the rest of the network. This limits the damage of any single breach.
WITHOUT SEGMENTATION:
[Attacker enters via Guest Wi-Fi]
│
▼
[Full Access to ALL systems: HR, Finance, R&D, Customer Data]
WITH SEGMENTATION:
[Attacker enters via Guest Wi-Fi]
│
▼
[Guest Segment only — cannot reach HR, Finance, or R&D]
│
[Firewall blocks] ── HR Segment
                  ── Finance Segment
                  ── R&D Segment
The DMZ (Demilitarized Zone)
A DMZ is a special network segment that sits between the public internet and the internal private network. Public-facing servers — like web servers and email servers — go into the DMZ. This way, even if an attacker compromises the web server, they still face another firewall before reaching the internal corporate network.
NETWORK LAYOUT WITH DMZ:
INTERNET
│
[Outer Firewall]
│
DMZ ── Web Server, Email Server, DNS Server
│
[Inner Firewall]
│
INTERNAL NETWORK ── Employee Computers, HR Database, Finance Systems
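The segmentation and DMZ layouts above can be written down as a default-deny allow-list and checked automatically. This is an added example, not part of the original tutorial; the subnets, ports and rule set are assumed values chosen to match the zones in the diagrams.

```python
import ipaddress

# Hypothetical address plan for the zones in the diagrams (assumed values).
ZONES = {
    "guest":   ipaddress.ip_network("10.0.50.0/24"),
    "hr":      ipaddress.ip_network("10.0.10.0/24"),
    "finance": ipaddress.ip_network("10.0.20.0/24"),
    "rnd":     ipaddress.ip_network("10.0.30.0/24"),
    "dmz":     ipaddress.ip_network("172.16.0.0/24"),
}
INTERNAL = {"hr", "finance", "rnd"}
UNTRUSTED = {"internet", "guest"}

# Allow-list of (source zone, destination zone, destination port).
# Any flow that is not listed is denied.
SEGMENTED = {
    ("internet", "dmz", 443),    # outer firewall: HTTPS to the web server
    ("internet", "dmz", 25),     # outer firewall: inbound email
    ("guest", "internet", 443),  # visitors may browse, nothing else
    ("hr", "dmz", 443),          # staff reach the company web server
    ("finance", "dmz", 443),
}

def zone_of(ip):
    """Map an address to its zone; anything outside the plan is 'internet'."""
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "internet")

def is_allowed(src_ip, dst_ip, port, rules):
    """Default-deny check of one flow against the allow-list."""
    return (zone_of(src_ip), zone_of(dst_ip), port) in rules

def audit(rules):
    """Return rules to review: an untrusted zone or the DMZ opening
    connections into an internal segment."""
    return sorted(r for r in rules
                  if r[0] in UNTRUSTED | {"dmz"} and r[1] in INTERNAL)
```

Running `audit` over a rule set before it is deployed catches a rule that would flatten the network again, such as one letting the guest segment reach HR.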
VPN (Virtual Private Network)
A VPN creates an encrypted tunnel between a device and a network. All data passing through this tunnel is encrypted. Even if an attacker captures the data packets, they only see unreadable ciphertext. VPNs are widely used by remote employees to securely connect to their company's internal network.
WITHOUT VPN (Remote Work):
Employee's Home PC ──(unencrypted)──► Company Network
Any eavesdropper on the path can read the data
WITH VPN:
Employee's Home PC ══(encrypted tunnel)══► Company Network
Eavesdropper captures data → sees: #$&@!*^% (unreadable)
Wireless Network Security
Wireless networks introduce additional risks because signals travel through the air and any nearby device can attempt to connect. Securing Wi-Fi requires specific measures.
| Security Measure | What It Does |
|---|---|
| WPA3 Encryption | Encrypts all data on the wireless network. WPA3 is the strongest current standard. |
| Strong Wi-Fi Password | Prevents unauthorized devices from joining the network. |
| Hidden SSID | Hides the network name from casual discovery. Not foolproof but adds a layer. |
| MAC Address Filtering | Only allows devices with approved hardware addresses to connect. |
| Guest Network | Creates a separate Wi-Fi for visitors so they cannot access the main network. |
Secure vs. Insecure Protocols
Protocol choice directly affects data security during transmission.
| Insecure Protocol | Secure Alternative | Use Case |
|---|---|---|
| HTTP | HTTPS | Web browsing |
| FTP | SFTP / FTPS | File transfer |
| Telnet | SSH | Remote server access |
| SMTP (plain) | SMTP with TLS | Email transmission |
| DNS (plain) | DNS over HTTPS (DoH) | Domain name resolution |
Always using HTTPS instead of HTTP is one of the simplest and most impactful network security steps any individual can take. A padlock icon in the browser address bar confirms an HTTPS connection. It shows that the connection is encrypted, not that the site behind it is trustworthy.
Network security creates the foundation for everything else. With this foundation in place, the next level of protection involves firewalls and intrusion detection systems — the active gatekeepers that control and monitor what enters and exits a network.
