You cannot secure a network you don't understand. This lesson builds the mental model every defender relies on.
| # | Layer | Job | Example |
|---|---|---|---|
| 7 | Application | User-facing protocols | HTTP, DNS, SMTP |
| 6 | Presentation | Encoding, encryption | TLS, JPEG |
| 5 | Session | Connection management | RPC, sockets |
| 4 | Transport | End-to-end delivery | TCP, UDP |
| 3 | Network | Routing between networks | IP, ICMP |
| 2 | Data Link | Local delivery (MAC) | Ethernet, ARP |
| 1 | Physical | Bits on the wire | Cables, Wi-Fi radio |
Mnemonic (top→bottom): All People Seem To Need Data Processing.
Attacks happen at every layer — ARP spoofing (L2), IP spoofing (L3), SYN floods (L4), HTTP injection (L7). Knowing the layer tells you where to put the control.
Real networks use the 4-layer TCP/IP model: Link → Internet → Transport → Application.
| Feature | TCP | UDP |
|---|---|---|
| Connection | Connection-oriented (handshake) | Connectionless |
| Reliability | Guaranteed, ordered delivery | Best-effort |
| Speed | Slower (overhead) | Faster |
| Use | Web, email, file transfer | DNS, VoIP, gaming, streaming |
```
Client ──SYN──▶ Server
Client ◀─SYN/ACK── Server
Client ──ACK──▶ Server (connection established)
```
Attackers abuse this: a SYN flood sends thousands of SYNs without completing the handshake, exhausting server resources (a DoS technique).
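From the defender's side, the tell-tale of a SYN flood is a source that opens many handshakes and finishes none. The following added example (not from the original lesson) shows the detection logic over a constructed set of client-to-server packet events: each SYN starts a pending entry for the 4-tuple, the client's final ACK clears it, and anything still pending after a timeout is counted as half-open per source. The `Event` type, the sample events, the 3-second timeout and the threshold of 20 are all assumptions made for this example.

```python
"""Flag sources that leave many TCP handshakes half-open (SYN seen, no final ACK)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    ts: float      # timestamp in seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # "S" = SYN, "A" = ACK; only client-to-server packets are fed in


def half_open_per_source(events: List[Event], now: float, timeout: float = 3.0) -> Dict[str, int]:
    """Count, per source address, handshakes whose SYN is older than `timeout`
    and was never followed by the client's ACK on the same 4-tuple."""
    pending: Dict[Tuple[str, int, str, int], float] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.src, ev.sport, ev.dst, ev.dport)
        if ev.flags == "S":
            pending[key] = ev.ts          # handshake opened (server would now hold state)
        elif ev.flags == "A":
            pending.pop(key, None)        # handshake completed, state released
    counts: Dict[str, int] = {}
    for (src, _sport, _dst, _dport), started in pending.items():
        if now - started >= timeout:      # recent SYNs are simply in flight, not suspicious
            counts[src] = counts.get(src, 0) + 1
    return counts


def detect_syn_flood(events: List[Event], now: float, threshold: int = 20, timeout: float = 3.0) -> List[str]:
    """Sources holding at least `threshold` stale half-open connections, sorted."""
    counts = half_open_per_source(events, now, timeout)
    return sorted(src for src, n in counts.items() if n >= threshold)


def _sample_events() -> List[Event]:
    """Constructed sample traffic (not a real capture)."""
    events: List[Event] = []
    # Flooder: 50 SYNs from rotating source ports, never completing the handshake.
    for i in range(50):
        events.append(Event(0.1 * i, "203.0.113.5", 40000 + i, "10.0.0.20", 80, "S"))
    # Legitimate client: three handshakes, each SYN followed by its ACK.
    for i in range(3):
        events.append(Event(1.0 + i, "198.51.100.7", 50000 + i, "10.0.0.20", 80, "S"))
        events.append(Event(1.1 + i, "198.51.100.7", 50000 + i, "10.0.0.20", 80, "A"))
    # Slow client: SYN sent half a second before `NOW`, so not stale yet.
    events.append(Event(9.5, "192.0.2.9", 60000, "10.0.0.20", 80, "S"))
    return events


SAMPLE_EVENTS = _sample_events()
NOW = 10.0

if __name__ == "__main__":
    print(half_open_per_source(SAMPLE_EVENTS, NOW))   # {'203.0.113.5': 50}
    print(detect_syn_flood(SAMPLE_EVENTS, NOW))       # ['203.0.113.5']
```

The timeout matters: without it, every handshake still in progress would look half-open. Note also that counting per source only works while the attacker uses a real address; a flood with spoofed sources (IP spoofing at layer 3, as the lesson's attack list notes) spreads the count over many addresses, which is why the usual mitigation lives in the server's TCP stack (SYN cookies, backlog limits) rather than in a per-source counter.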
IPv4: 192.168.1.10 (32-bit). IPv6: 2001:db8::1 (128-bit). Private (RFC 1918) ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.

When you read a firewall rule, a packet capture, or an IDS alert, you're navigating these layers and fields. A log line like `SRC=203.0.113.5 DST=10.0.0.20 PROTO=TCP DPT=22` tells you someone from the internet is hitting your SSH port — and now you know exactly what to investigate.
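The last step, turning that log line into a decision, is easy to script. Here is an added example (not part of the original lesson) that parses netfilter-style `KEY=VALUE` firewall lines, classifies the source against the three RFC 1918 ranges above, and reports TCP hits on a small watch-list of ports that came from outside the private space. The sample log lines and the watch-list of ports are constructed for this example.

```python
"""Triage netfilter-style firewall log lines: who is hitting which port, from where."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# The RFC 1918 private ranges from the lesson. Checked explicitly rather than via
# ipaddress's is_private, which is broader (it also matches documentation ranges
# such as 203.0.113.0/24 and would wrongly call the sample attacker "private").
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical watch-list for this example: TCP ports where an unsolicited hit
# from outside the private ranges deserves a look.
SENSITIVE_TCP_PORTS = {22: "SSH", 3389: "RDP", 445: "SMB"}

# Constructed sample lines (not real logs) in the KEY=VALUE style of iptables/ufw kernel messages.
SAMPLE_LOG = """\
Mar  1 10:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.20 PROTO=TCP SPT=54321 DPT=22
Mar  1 10:00:02 fw kernel: IN=eth1 OUT= SRC=192.168.1.10 DST=10.0.0.20 PROTO=TCP SPT=40000 DPT=22
Mar  1 10:00:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.20 PROTO=TCP SPT=51000 DPT=443
Mar  1 10:00:04 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.20 PROTO=UDP SPT=53 DPT=53
Mar  1 10:00:05 fw sshd[1234]: Accepted publickey for ops from 192.168.1.10 port 40000
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Extract KEY=VALUE fields; return None for lines that are not packet records."""
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "DST" not in fields:
        return None
    return fields


def is_rfc1918(addr: str) -> bool:
    """True if the address falls inside one of the three private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


def triage(log_text: str) -> List[Tuple[str, str, int, str]]:
    """Return (src, dst, dport, service) for external TCP hits on watch-listed ports."""
    findings: List[Tuple[str, str, int, str]] = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None or fields.get("PROTO") != "TCP" or "DPT" not in fields:
            continue
        dport = int(fields["DPT"])
        if dport in SENSITIVE_TCP_PORTS and not is_rfc1918(fields["SRC"]):
            findings.append((fields["SRC"], fields["DST"], dport, SENSITIVE_TCP_PORTS[dport]))
    return findings


if __name__ == "__main__":
    for src, dst, port, service in triage(SAMPLE_LOG):
        print(f"external {src} -> {dst}:{port} ({service}): investigate")
```

Of the four packet lines, only the first is reported: the internal host on port 22 is inside 192.168.0.0/16, the hit on 443 is ordinary web traffic, and the UDP line is not on the TCP watch-list. Each field the script reads (SRC at layer 3, PROTO at layer 3, DPT at layer 4) is one of the header fields from the layer table.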