Module 2 of 6: SOC Analyst Path

Networking Basics for Security

โฑ 12 min read ยท 1 quiz question

You don't need to be a network engineer to work in a SOC, but you do need the basics, because almost every alert you triage is about network traffic in some way: a host talking to an address it shouldn't, a service exposed on a port it shouldn't be, a DNS query that looks wrong. This module covers just enough networking to make sense of what you'll see on the job.

IP Addresses

Every device on a network has an IP address, a number that identifies it on that network, like a postal address. When your computer sends data to a website, every packet carries your address as the source and the website's address as the destination, which is how the reply finds its way back.

There are two types:

  • IPv4: still the most common format. Four numbers from 0 to 255 separated by dots, for example 192.168.1.1.
  • IPv6: a newer 128-bit format with a far larger address space. Written as hexadecimal groups separated by colons, for example 2001:0db8:85a3::8a2e:0370:7334 (the double colon stands for one run of all-zero groups).
Why it matters in a SOC: when an alert fires, one of the first things you look at is the pair of IP addresses on it. Which end is inside your network and which is outside? Is the external address on a threat-intelligence blocklist? Which asset does the internal address belong to?

Private vs. Public IPs

IP addresses fall into two categories. Private addresses (the RFC 1918 ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) are never routed on the internet and are reused by every organization; your home router hands your laptop something like 192.168.x.x. Public addresses are globally unique and reachable from the internet. When you see a private IP in an alert, that end of the connection is inside your network (or a VPN or lab attached to it); a public IP means traffic is coming from or going to the outside world. One caveat: because of NAT, many internal hosts usually share one public address, so a perimeter log shows the NAT address and you need internal logs (DHCP, firewall, endpoint) to find the actual host.
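A small triage helper for the distinction above, added here as an example and not part of the original module. It labels an alert's direction by testing each address against the non-public ranges (RFC 1918 plus loopback, link-local, carrier-grade NAT and their IPv6 equivalents). The sample alerts use documentation and test-net addresses and are constructed, not real traffic.

```python
import ipaddress

# Ranges that are never routed on the public internet. Listed explicitly
# (rather than trusting ipaddress.is_private) so the policy is reviewable.
NON_PUBLIC_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),       # RFC 1918 private
    ipaddress.ip_network("172.16.0.0/12"),    # RFC 1918 private
    ipaddress.ip_network("192.168.0.0/16"),   # RFC 1918 private
    ipaddress.ip_network("100.64.0.0/10"),    # shared address space (carrier-grade NAT)
    ipaddress.ip_network("127.0.0.0/8"),      # IPv4 loopback
    ipaddress.ip_network("169.254.0.0/16"),   # IPv4 link-local (APIPA)
    ipaddress.ip_network("fc00::/7"),         # IPv6 unique local (RFC 4193)
    ipaddress.ip_network("fe80::/10"),        # IPv6 link-local
    ipaddress.ip_network("::1/128"),          # IPv6 loopback
]


def is_internal(addr: str) -> bool:
    """True if addr falls in a non-public range (IPv4 or IPv6).

    Raises ValueError for strings that are not IP addresses, so a malformed
    log field surfaces instead of silently counting as 'external'.
    """
    ip = ipaddress.ip_address(addr)
    # `ip in net` is False across address families, so mixing v4/v6 is safe.
    return any(ip in net for net in NON_PUBLIC_NETWORKS)


def direction(src: str, dst: str) -> str:
    """Classify a connection by which side of the perimeter each end is on."""
    s, d = is_internal(src), is_internal(dst)
    if s and d:
        return "internal"   # host-to-host inside the network (lateral movement lives here)
    if s:
        return "outbound"   # inside -> internet (beaconing, exfiltration)
    if d:
        return "inbound"    # internet -> inside (scanning, attacks on exposed services)
    return "external"       # neither end is ours: usually a sensor placement or NAT gap


def triage(alerts):
    """Attach a direction label to each (src, dst) pair from an alert feed."""
    return [(src, dst, direction(src, dst)) for src, dst in alerts]


# Constructed sample alerts (documentation/test-net addresses, not real traffic).
SAMPLE_ALERTS = [
    ("192.168.1.10", "203.0.113.5"),     # workstation talking out to the internet
    ("198.51.100.7", "10.0.0.3"),        # internet host hitting an internal server
    ("10.1.1.1", "172.31.255.254"),      # two internal hosts
    ("fd12:3456::1", "2001:db8::10"),    # IPv6 ULA source to a public IPv6 address
]

if __name__ == "__main__":
    for src, dst, label in triage(SAMPLE_ALERTS):
        print(f"{src:>16} -> {dst:<16} {label}")
```

The "external" label is worth keeping rather than collapsing into "inbound": if neither address is yours, either the sensor is seeing traffic it shouldn't or your list of internal ranges is incomplete, and both are worth a ticket.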

Ports

If an IP address is like a building's street address, a port is like the apartment number. A single server can run many different services at once โ€” web, email, file transfers โ€” and each one listens on a different port number.

Some ports you'll see constantly in a SOC:

Port   Protocol   What it's used for
80     HTTP       Unencrypted web traffic
443    HTTPS      Encrypted web traffic (HTTP inside TLS)
22     SSH        Secure remote login to servers
3389   RDP        Remote Desktop (Windows)
53     DNS        Domain name lookups (UDP and TCP)
25     SMTP       Email delivery between mail servers
Red flag: traffic on unusual ports, or a common service running on an unexpected port, is often a sign of malicious activity. Attackers sometimes run SSH or a command-and-control channel on port 443 to blend in with normal HTTPS traffic. Keep in mind that the port number alone doesn't tell you what protocol is inside the connection; to catch SSH on 443 you need a sensor that identifies the application protocol from the traffic itself (Zeek's conn.log service field or Suricata's app-layer detection, for example). The reverse is also a red flag: a normal service on its normal port but reachable from somewhere it shouldn't be, such as RDP on 3389 exposed to the internet.
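The port/service mismatch check described above, as an added example that is not part of the original module. It reads a simplified, tab-separated connection log modelled loosely on Zeek's conn.log (timestamp, source, destination, destination port, transport, identified service; Zeek reports HTTPS as "ssl" and an unidentified protocol as "-"). The log lines are constructed for the example; the field layout is an assumption, not Zeek's exact format.

```python
from collections import namedtuple

# Expected application-layer protocol for the ports a SOC sees most.
# Service names follow Zeek's conn.log conventions ("ssl" for HTTPS/TLS).
EXPECTED_SERVICE = {
    80: "http", 443: "ssl", 22: "ssh", 3389: "rdp", 53: "dns", 25: "smtp",
}

Conn = namedtuple("Conn", "ts src dst dport proto service")


def parse_conn_line(line: str) -> Conn:
    """Parse one tab-separated record: ts, src, dst, dport, proto, service."""
    ts, src, dst, dport, proto, service = line.rstrip("\n").split("\t")
    return Conn(ts, src, dst, int(dport), proto, service)


def check_port_service(conn: Conn):
    """Return a finding string, or None if the port/service pair looks normal."""
    if conn.service == "-":
        return None  # sensor could not identify the protocol; nothing to compare against
    expected = EXPECTED_SERVICE.get(conn.dport)
    if expected is not None and conn.service != expected:
        # Well-known port carrying something else, e.g. SSH hiding on 443.
        return f"{conn.service} on port {conn.dport} (expected {expected})"
    if expected is None and conn.service in EXPECTED_SERVICE.values():
        # Known service on a port we don't associate with it, e.g. RDP on 8443.
        return f"{conn.service} on non-standard port {conn.dport}"
    return None


def find_port_anomalies(lines):
    """Run the check over raw log lines; returns (src, dst, finding) tuples."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        conn = parse_conn_line(line)
        finding = check_port_service(conn)
        if finding:
            findings.append((conn.src, conn.dst, finding))
    return findings


# Constructed sample log; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
# ts\tsrc\tdst\tdport\tproto\tservice
1700000000.1\t10.0.0.5\t93.184.216.34\t443\ttcp\tssl
1700000001.2\t10.0.0.5\t198.51.100.9\t443\ttcp\tssh
1700000002.3\t10.0.0.7\t10.0.0.53\t53\tudp\tdns
1700000003.4\t10.0.0.8\t203.0.113.4\t8443\ttcp\trdp
1700000004.5\t10.0.0.9\t203.0.113.6\t51820\tudp\t-
"""

if __name__ == "__main__":
    for src, dst, finding in find_port_anomalies(SAMPLE_LOG.splitlines()):
        print(f"{src} -> {dst}: {finding}")
```

In production the port table would be an allowlist per service (8080 and 8443 are legitimate web ports in most environments), and a record with service "-" on an odd port is not cleared by this check, only deferred to other signals such as byte counts and destination reputation.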

Protocols

A protocol is a set of rules for how data is formatted and transmitted. Think of it as the language two computers agree to speak. The main ones you need to know:

  • TCP (Transmission Control Protocol): connection-oriented and reliable. It opens a connection with a three-way handshake (SYN, SYN-ACK, ACK), acknowledges what was received and retransmits what was lost. Used for web browsing, email, file downloads, SSH and RDP.
  • UDP (User Datagram Protocol): connectionless. No handshake and no acknowledgment, so less overhead but no delivery guarantee. Used for DNS lookups, video streaming and VoIP. Because there is no handshake, UDP source addresses are easy to spoof, which is why it features in reflection attacks.
  • HTTP/HTTPS: the protocol your browser uses to request web pages. HTTPS is HTTP carried inside TLS, so the content is encrypted.
  • DNS: translates human-readable domain names (google.com) into IP addresses. It happens before nearly every connection, which is why it is so useful in investigations.
  • ICMP: control and diagnostic messages; ping and traceroute use it. Because most networks allow it through, attackers sometimes tunnel data out in the payload of ICMP echo requests.

DNS: The Phone Book of the Internet

DNS deserves special attention because it shows up constantly in security alerts. When you type google.com into your browser, your computer doesn't actually know where Google is. It asks a DNS server: "What's the IP address for google.com?" The DNS server responds with something like 142.250.80.46, and your browser connects there.

Attackers abuse DNS in several ways: using queries and answers as a command-and-control channel for malware, tunneling stolen data out in the encoded labels of query names, generating throwaway domains algorithmically (DGAs) so blocklists can't keep up, and redirecting users to fake sites by hijacking or poisoning resolution. Suspicious queries to strange domains, and unusually long or random-looking names, are among the most common things you'll investigate as a SOC analyst.
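A first-pass detector for the tunneling and DGA patterns just described, added as an example and not code from the original module. It flags individual query names that are long, have oversized labels or carry high-entropy (random-looking) labels, and separately flags domains that receive many distinct subdomains, which is what tunneling and DGA traffic look like in aggregate. The query log is constructed, the thresholds are illustrative, and the "last two labels" domain extraction is a simplification (it is wrong for suffixes like co.uk; real tooling uses the Public Suffix List).

```python
import math
from collections import defaultdict


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking strings score high."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Approximate the registered domain as the last two labels.

    Assumption for this example only: wrong for co.uk-style suffixes."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def score_query(qname: str) -> list:
    """Return the reasons a single query name looks like tunneling or a DGA.

    Thresholds are illustrative; tune them against your own baseline."""
    qname = qname.rstrip(".").lower()
    labels = qname.split(".")
    reasons = []
    if len(qname) > 60:
        reasons.append("very long name")
    if any(len(label) > 30 for label in labels):
        reasons.append("oversized label")  # encoded data tends to fill labels
    if any(len(label) >= 8 and shannon_entropy(label) > 3.5 for label in labels):
        reasons.append("high-entropy label")  # words score ~2-3 bits, hex/base32 ~4+
    return reasons


def analyze_dns_log(lines, unique_threshold=3):
    """lines: 'client_ip qname' records. Returns (client, name, reason) findings.

    unique_threshold is deliberately low so the constructed sample trips it;
    a real deployment baselines per domain and allowlists CDNs."""
    per_domain = defaultdict(set)
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        client, qname = line.split()
        reasons = score_query(qname)
        if reasons:
            findings.append((client, qname, ", ".join(reasons)))
        per_domain[registered_domain(qname)].add(qname.lower())
    for domain, names in per_domain.items():
        if len(names) >= unique_threshold:
            findings.append(("*", domain, f"{len(names)} unique subdomains"))
    return findings


# Constructed sample log; evil-tunnel.test is an invented name under the
# reserved .test TLD, and the hex labels stand in for encoded payload chunks.
SAMPLE_DNS_LOG = """\
# client qname
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.9 a1b2c3d4e5f60718293a4b5c6d7e8f90.cdn.evil-tunnel.test
10.0.0.9 0f1e2d3c4b5a69788796a5b4c3d2e1f0.cdn.evil-tunnel.test
10.0.0.9 ffeeddccbbaa99887766554433221100.cdn.evil-tunnel.test
"""

if __name__ == "__main__":
    for client, name, reason in analyze_dns_log(SAMPLE_DNS_LOG.splitlines()):
        print(f"{client:>10}  {name:<55} {reason}")
```

Entropy alone produces false positives (CDN hostnames and cloud resource names are often hex strings), which is why the aggregate count per domain and the client that issued the queries matter as much as the individual name.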

HTTP vs. HTTPS

HTTP sends data in plain text, so anyone watching the network can read the requests and responses. HTTPS wraps HTTP in TLS so only the client and server can read the content. As a SOC analyst, HTTPS traffic is harder to inspect, but you can still see the source and destination addresses and ports, the server name the client asked for (the SNI field in the TLS ClientHello is sent in the clear unless Encrypted Client Hello is in use), the amount of data transferred in each direction, and the timing of the connections. With TLS 1.2 the server certificate is visible too; TLS 1.3 encrypts it.

Practical tip: malware often communicates back to its command server over HTTPS to blend in with normal traffic. A process making unusual HTTPS connections, especially to recently registered or random-looking domains, or at suspiciously regular intervals (beaconing), is worth investigating.
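The timing signal mentioned above is exactly what remains useful when the content is encrypted. The following detector, an added example and not part of the original module, groups connections by source and TLS server name and flags pairs whose gaps between connections are nearly constant, using the coefficient of variation (standard deviation divided by mean) of the intervals. The connection records and the "update-cdn7.example-bad.test" name are constructed; the thresholds are illustrative.

```python
import statistics
from collections import defaultdict


def intervals(timestamps):
    """Seconds between consecutive connections, in time order."""
    ts = sorted(timestamps)
    return [later - earlier for earlier, later in zip(ts, ts[1:])]


def beacon_score(timestamps, min_connections=6):
    """Return (mean_interval, coefficient_of_variation) for one src/dst pair,
    or None when there are too few connections to judge regularity."""
    if len(timestamps) < min_connections:
        return None
    gaps = intervals(timestamps)
    mean = statistics.mean(gaps)
    if mean == 0:
        return None  # everything at the same instant; not a check-in pattern
    # Coefficient of variation: 0 means perfectly regular; human browsing is well above 1.
    return mean, statistics.pstdev(gaps) / mean


def find_beacons(records, max_cv=0.15, min_connections=6):
    """records: iterable of (timestamp_seconds, src_ip, tls_server_name).

    Returns (src, server_name, mean_interval, cv) for regular-looking pairs."""
    by_pair = defaultdict(list)
    for ts, src, dst in records:
        by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), ts in by_pair.items():
        score = beacon_score(ts, min_connections)
        if score is not None and score[1] <= max_cv:
            hits.append((src, dst, round(score[0], 1), round(score[1], 3)))
    return hits


# Constructed sample: (seconds since an arbitrary start, source IP, SNI seen by the sensor).
SAMPLE_CONNECTIONS = (
    # An implant checking in roughly every 60 s with a little jitter
    [(t, "10.0.0.5", "update-cdn7.example-bad.test") for t in (0, 61, 119, 181, 240, 299, 361)]
    # A person browsing: bursts of activity and long idle gaps
    + [(t, "10.0.0.7", "www.example.com") for t in (0, 3, 4, 40, 41, 120, 600, 605)]
    # Too few connections to say anything
    + [(t, "10.0.0.8", "mail.example.com") for t in (10, 900)]
)

if __name__ == "__main__":
    for src, dst, mean, cv in find_beacons(SAMPLE_CONNECTIONS):
        print(f"{src} -> {dst}: every ~{mean}s (cv={cv})")
```

Legitimate software also beacons (update checkers, telemetry, mail clients), so a hit is a lead to enrich with the destination's age and reputation and the byte counts, not a verdict. Implants that add large random jitter push the coefficient of variation up, which is why a real detector also looks at long-term periodicity rather than only adjacent gaps.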

How data travels: packets

Data doesn't travel across a network as one big chunk. It's broken into small pieces called packets. Each packet carries headers followed by a payload: the IP header holds the source and destination addresses and the protocol number, the TCP or UDP header holds the source and destination ports (and, for TCP, flags such as SYN and ACK), and the payload is the actual data. Security tools capture and analyze these packets to detect threats.
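To make the header/payload split concrete, here is a minimal IPv4 and TCP header parser, added as an example and not part of the original module. It takes raw bytes starting at the IP header (a real pcap would have Ethernet framing in front, which is skipped here by assumption) and pulls out the fields an analyst reads off a packet. The sample packet is constructed by hand: an HTTP request from 10.0.0.5 to 93.184.216.34 with zeroed checksums, which this example does not validate.

```python
import socket
import struct

TCP_FLAG_NAMES = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08),
                  ("ACK", 0x10), ("URG", 0x20), ("ECE", 0x40), ("CWR", 0x80)]


def decode_tcp_flags(flags: int) -> str:
    """Render the TCP flag bits as e.g. 'SYN' or 'PSH,ACK'."""
    return ",".join(name for name, bit in TCP_FLAG_NAMES if flags & bit)


def parse_ipv4_tcp(packet: bytes) -> dict:
    """Parse an IPv4 header and, when the protocol is TCP (6), the TCP header.

    Returns the fields an analyst looks at first; checksums are not verified."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    # IPv4 header: version/IHL, TOS, total length, id, flags/fragment offset,
    # TTL, protocol, checksum, source address, destination address (network byte order).
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes (options make it > 20)
    if version != 4:
        raise ValueError(f"not IPv4 (version={version})")
    info = {
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "proto": proto,
        "ttl": ttl,
        "total_len": total_len,
    }
    if proto == 6:
        if len(packet) < ihl + 20:
            raise ValueError("truncated TCP header")
        # TCP header: ports, sequence and ack numbers, data offset/flags, window,
        # checksum, urgent pointer.
        (sport, dport, _seq, _ack, off_flags, _window,
         _tcsum, _urg) = struct.unpack("!HHIIHHHH", packet[ihl:ihl + 20])
        data_off = (off_flags >> 12) * 4  # TCP header length in bytes
        info.update({
            "sport": sport,
            "dport": dport,
            "flags": decode_tcp_flags(off_flags & 0x1FF),
            "payload": packet[ihl + data_off:],
        })
    return info


# Constructed sample packet (IPv4 + TCP + 16-byte HTTP payload, 56 bytes total):
#   10.0.0.5:51234 -> 93.184.216.34:80, PSH+ACK, TTL 64, checksums left as zero.
SAMPLE_PACKET = bytes.fromhex(
    "45000038 1c464000 40060000 0a000005 5db8d822"   # IPv4 header
    "c8220050 00000001 00000001 5018ffff 00000000"   # TCP header
) + b"GET / HTTP/1.1\r\n"

if __name__ == "__main__":
    fields = parse_ipv4_tcp(SAMPLE_PACKET)
    print(f"{fields['src']}:{fields['sport']} -> {fields['dst']}:{fields['dport']} "
          f"[{fields['flags']}] ttl={fields['ttl']} payload={fields['payload']!r}")
```

Everything the module's port and protocol discussion relies on comes from these two headers: the IP header settles whether the traffic is internal or external, the TCP header's destination port suggests the service, and the payload (when it is not encrypted) is what an IDS signature matches against.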

When you look at network logs in a SIEM, you're usually looking at summaries rather than packets: firewall logs, flow records or IDS connection logs that say who talked to whom, on which port, when, and how many bytes went each way. Full packet captures, when you have them, are what you pull when a summary isn't enough.

Key Terms
IP address
A unique number assigned to every device on a network, used to identify where to send and receive data.
Port
A number (0 to 65535) that identifies a specific service or application on a device. Like an apartment number on a building.
Protocol
A standardized set of rules that defines how data is formatted and transmitted between devices.
DNS
Domain Name System. Translates domain names like google.com into IP addresses computers can use to connect.
Packet
A small unit of data transmitted over a network, containing a header with routing info and a payload with content.
TCP
Transmission Control Protocol. A reliable, connection-based protocol that confirms data delivery. Used for web and email.

✦ Quick Check

An alert shows inbound traffic from an unknown external IP hitting port 3389. What service is most likely being targeted?

  • HTTPS web traffic
  • DNS name resolution
  • Windows Remote Desktop (RDP)
  • Email (SMTP)