Networks are the foundation of modern computing. Before you can defend them, you need to understand how they are structured and how data travels from one device to another.

What is a LAN?

A Local Area Network (LAN) connects devices within a limited area — a home, office, or school building. Technologies like Ethernet, Wi-Fi, and Bluetooth all form LANs. In a typical home network:
  • A router connects your LAN to your Internet Service Provider (ISP).
  • The router contains a built-in switch that connects wired devices using MAC addresses to deliver data to the right destination.
  • Wi-Fi extends the LAN wirelessly.
The internet itself is just a massive network of interconnected LANs and larger networks. The path from your device to a web server typically looks like this:
Your device → LAN → ISP → Autonomous System (AS) → Internet Exchange Point (IXP) → ... → destination
A hub broadcasts all incoming data to every connected device. A switch is smarter — it learns which device is on which port and forwards data only to the intended recipient. Switches have largely replaced hubs.

Layered architecture

Networks are complex. To manage that complexity, engineers divide networking functions into distinct layers. Two models describe these layers: the OSI model and the TCP/IP model.

The OSI model

The OSI (Open Systems Interconnection) model has seven layers. Each layer handles a specific job and passes data up or down to the layer above or below it.
| # | Layer | What it does | Security relevance |
|---|-------|--------------|--------------------|
| 7 | Application | Provides services to end-user applications (HTTP, FTP, SMTP, DNS) | Vulnerabilities in app protocols (e.g., cleartext HTTP, email spoofing) |
| 6 | Presentation | Translates data formats; handles encryption and compression (SSL/TLS, encoding) | Weak encryption or misconfigured TLS affects data confidentiality |
| 5 | Session | Establishes, manages, and terminates sessions between applications (APIs, sockets) | Session hijacking, token theft |
| 4 | Transport | End-to-end delivery; error checking, flow control (TCP, UDP) | TCP SYN flood attacks, port scanning |
| 3 | Network | Routes packets between different networks using IP addresses (IP, routers) | IP spoofing, routing table poisoning, BGP hijacking |
| 2 | Data Link | Node-to-node transfer within a network; uses MAC addresses (Ethernet, Wi-Fi) | ARP poisoning, MAC flooding, rogue access points |
| 1 | Physical | Transmits raw bits over cable, fiber, or radio | Wiretapping, signal jamming, rogue devices |
A common mnemonic for the layers from top to bottom: All People Seem To Need Data Processing (Application, Presentation, Session, Transport, Network, Data Link, Physical).

The TCP/IP model

The TCP/IP model is the practical model used on the internet. It collapses the OSI model's seven layers into four:

| TCP/IP layer | Equivalent OSI layers |
|--------------|-----------------------|
| Application | Session (5), Presentation (6), Application (7) |
| Transport | Transport (4) |
| Internet | Network (3) |
| Link | Physical (1) + Data Link (2) |
The TCP/IP model is less granular but maps more directly to how real protocols are implemented.

How data travels: packet switching

The internet does not send data as a continuous stream. Instead, it uses packet switching:
  1. Data is broken into smaller chunks called packets.
  2. Each packet contains the actual data plus metadata: source and destination addresses, sequence numbers, and error-checking information.
  3. Packets travel independently and may take different routes.
  4. The receiving device reassembles the packets into the original data.
This approach is efficient and fault-tolerant — if one route fails, packets can take another. However, it also means that packets from your device may transit through many different countries and organizations, each of which could potentially intercept them.
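The four steps above as an added sketch (not code from the original page): data is split into packets carrying addresses, a sequence number and a CRC32 checksum, delivered out of order with a duplicate, then reassembled. The `Packet` fields, the 8-byte chunk size and the sample addresses are assumptions made for illustration.

```python
import random
import zlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str        # source address
    dst: str        # destination address
    seq: int        # position of this chunk in the original data
    total: int      # how many packets make up the whole message
    payload: bytes
    checksum: int   # CRC32: catches accidental corruption, not deliberate tampering

def packetize(data: bytes, src: str, dst: str, size: int = 8) -> list[Packet]:
    """Step 1-2: break data into chunks and attach metadata to each."""
    chunks = [data[i:i + size] for i in range(0, len(data), size)]
    return [Packet(src, dst, n, len(chunks), c, zlib.crc32(c))
            for n, c in enumerate(chunks)]

def reassemble(packets: list[Packet]) -> bytes:
    """Step 4: rebuild the data regardless of arrival order."""
    if not packets:
        raise ValueError("no packets received")
    good: dict[int, bytes] = {}
    for p in packets:
        if zlib.crc32(p.payload) != p.checksum:
            continue                        # drop corrupted packets
        good.setdefault(p.seq, p.payload)   # ignore duplicates
    total = packets[0].total
    missing = [n for n in range(total) if n not in good]
    if missing:
        raise ValueError(f"missing or corrupted packets: {missing}")
    return b"".join(good[n] for n in range(total))

def demo() -> bytes:
    # Constructed sample message and addresses.
    message = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    packets = packetize(message, "192.168.1.10", "203.0.113.5")
    random.Random(7).shuffle(packets)   # step 3: independent routes, any order
    packets.append(packets[0])          # a retransmitted duplicate
    return reassemble(packets)
```

The payload in every packet is readable by any hop that forwards it, which is why the checksum here offers no protection against interception or modification in transit.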

Identity and addressing

Every device on a network needs a unique identifier. Two different address types work at different layers:
  • MAC addresses (Layer 2): Hardware addresses burned into a network interface card (NIC), formatted as six pairs of hexadecimal digits (e.g., 00:1A:2B:3C:4D:5E). Used within a LAN to deliver frames to the correct device.
  • IP addresses (Layer 3): Logical addresses assigned by network administrators or ISPs. Used to route packets across different networks. IPv4 uses 32-bit addresses (192.168.1.1); IPv6 uses 128-bit addresses.
  • Domain names (Layer 7): Human-readable names like www.example.com, translated to IP addresses by DNS.
Address-based attacks are a major threat category. ARP poisoning manipulates the MAC-to-IP mapping within a LAN to intercept traffic. DNS cache poisoning manipulates the domain-to-IP mapping to redirect users to malicious servers. IP spoofing fakes the source address in a packet to impersonate another device.

Application multiplexing: ports

A single device runs many applications simultaneously. Ports (Layer 4) tell the operating system which application should handle an incoming packet.
  • Well-known ports (0–1023): Assigned to standard services — HTTP uses port 80, HTTPS uses 443, SSH uses 22, FTP uses 21.
  • Ephemeral ports (1024–65535): Randomly assigned to client applications for the duration of a connection.
A socket combines an IP address and port number into a unique connection identifier, e.g., 192.168.1.1:443.
Every open port is a potential entry point for attackers. Services listening on ports can contain exploitable vulnerabilities. Port scanning tools like nmap identify which ports are open on a target — this is typically one of the first steps in a network attack.
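To make "every open port is a potential entry point" auditable on your own host, the added example below (not from the original page) checks listening sockets against an allowlist. The sample text is constructed in the shape of `ss -tln` output, and the allowlist is a hypothetical policy.

```python
# Constructed sample in the shape of `ss -tln` output on a Linux host.
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       511     0.0.0.0:80          0.0.0.0:*
LISTEN  0       511     127.0.0.1:5432      0.0.0.0:*
LISTEN  0       128     [::]:443            [::]:*
LISTEN  0       5       0.0.0.0:8080        0.0.0.0:*
"""

ALLOWED = {22, 443}  # hypothetical policy: only SSH and HTTPS may be exposed

def is_loopback(host: str) -> bool:
    """Loopback listeners are reachable only from the host itself."""
    return host.startswith("127.") or host == "[::1]"

def audit_listeners(ss_text: str, allowed: set[int]) -> list[tuple[str, int, str]]:
    """Return (address, port, range) for each network-reachable listener
    whose port is not on the allowlist."""
    findings = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue                              # skip header and other states
        host, port_text = fields[3].rsplit(":", 1)  # socket = address:port
        port = int(port_text)
        if is_loopback(host) or port in allowed:
            continue
        port_range = "well-known" if port <= 1023 else "above 1023"
        findings.append((host, port, port_range))
    return findings

if __name__ == "__main__":
    for host, port, port_range in audit_listeners(SS_OUTPUT, ALLOWED):
        print(f"unexpected listener {host}:{port} ({port_range})")
```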
Physical access is the most fundamental security concern. If an attacker can plug a device into your network or intercept your cables, software-based defenses become far less effective. Common Layer 1–2 threats include:
  • Wiretapping: Copper cables emit electromagnetic signals that can be captured passively.
  • Jamming: Flooding the wireless spectrum to prevent legitimate communication (a DoS attack against the physical medium).
  • Rogue devices: An attacker plugging a device into an unmonitored wall port bypasses perimeter firewalls entirely.
  • ARP poisoning: Sending fake ARP replies to associate the attacker’s MAC address with a legitimate IP, redirecting traffic through the attacker (a man-in-the-middle attack).
  • MAC flooding: Overflowing a switch’s MAC address table so it falls back to broadcasting all traffic, enabling passive interception.
Rule #1: If an attacker has physical access to your network, software-based security measures alone cannot protect it.
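ARP poisoning, described here and in the addressing section, leaves a recognizable trace: an IP address suddenly maps to a different MAC, and one MAC starts answering for several IPs. The added example below (not from the original page) runs that detection logic over constructed observations; treating the first MAC seen for an IP as the trusted baseline is an assumption.

```python
from collections import defaultdict

# Constructed sample: (seconds, sender IP, sender MAC) taken from ARP replies.
OBSERVATIONS = [
    (0.0,  "192.168.1.1",  "00:1a:2b:3c:4d:5e"),   # gateway
    (1.0,  "192.168.1.20", "00:1a:2b:aa:bb:01"),   # workstation
    (30.0, "192.168.1.1",  "00:1a:2b:3c:4d:5e"),
    (31.2, "192.168.1.1",  "00:1a:2b:aa:bb:99"),   # gateway IP, new MAC
    (31.3, "192.168.1.20", "00:1a:2b:aa:bb:99"),   # same MAC, second IP
    (31.9, "192.168.1.1",  "00-1A-2B-AA-BB-99"),   # repeat, different notation
]

def normalize_mac(mac: str) -> str:
    """Fold case and separator so the same address always compares equal."""
    return mac.strip().lower().replace("-", ":")

def find_arp_anomalies(observations):
    """Flag IP-to-MAC changes and MACs that answer for more than one IP."""
    baseline = {}                    # ip -> first MAC seen (assumed trusted)
    ips_by_mac = defaultdict(set)
    changed, reported = [], set()
    for ts, ip, raw_mac in sorted(observations):
        mac = normalize_mac(raw_mac)
        ips_by_mac[mac].add(ip)
        expected = baseline.setdefault(ip, mac)
        if mac != expected and (ip, mac) not in reported:
            reported.add((ip, mac))  # report each new mapping once
            changed.append({"time": ts, "ip": ip,
                            "expected": expected, "seen": mac})
    multi_ip = {mac: sorted(ips) for mac, ips in ips_by_mac.items()
                if len(ips) > 1}
    return {"changed": changed, "multi_ip_macs": multi_ip}

if __name__ == "__main__":
    result = find_arp_anomalies(OBSERVATIONS)
    for alert in result["changed"]:
        print("mapping changed:", alert)
    for mac, ips in result["multi_ip_macs"].items():
        print("one MAC, several IPs:", mac, ips)
```

Legitimate events such as a replaced network card or a DHCP reassignment also change a mapping, so these alerts are leads to investigate rather than proof of an attack.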