← Interview Prep Portal | Cyberspace Tech Solutions Main Site Book 1-on-1
Module 02 · Cyberspace Tech Solutions Cybersecurity Curriculum

Networking Fundamentals

~60 minutes covering OSI/TCP-IP models, IP addressing, subnetting, network devices and protocols — with interview Q&A, MCQs, and hands-on simulations.

20
Interview Q&As
25
MCQ Questions
4
Simulations
60
Minutes

Learning Outcomes

  • Grasp the structure and function of computer networks (OSI & TCP/IP)
  • Configure and interpret basic network settings including IP addressing and subnetting
  • Analyse network traffic and identify anomalies

Topics Covered

#TopicTimeType
1Core Concepts — OSI, TCP/IP, Devices, Protocols10 minReading
2Interview Questions & Answers (20)20 minQ&A
3MCQ Quiz (25 questions)15 minQuiz
4OSI Layer Matcher4 minSimulation
5Subnet Calculator4 minSimulation
6Protocol Classifier4 minSimulation
7Network Device Identifier3 minSimulation
💡 Tip: Networking fundamentals underpin every security role. Interviewers at all levels test OSI model knowledge, subnetting, and protocol awareness — know these cold.
Core Concepts · ~10 min

Networking Fundamentals

OSI 7-Layer Model

Mnemonic (top→bottom): Please Do Not Throw Sausage Pizza Away — Physical, Data Link, Network, Transport, Session, Presentation, Application

#LayerFunctionExamples
7ApplicationUser-facing services, network APIsHTTP, FTP, DNS, SMTP, SSH
6PresentationData translation, encryption, compressionTLS/SSL, JPEG, ASCII, MPEG
5SessionEstablishes/maintains/terminates sessionsNetBIOS, RPC, Sockets
4TransportEnd-to-end delivery, flow/error controlTCP, UDP, port numbers
3NetworkLogical addressing, routingIP, ICMP, ARP (logically), routers
2Data LinkMAC addressing, frame deliveryEthernet, Wi-Fi (802.11), switches
1PhysicalRaw bit transmission over mediumCables, hubs, radio signals

TCP/IP 4-Layer Model vs OSI

TCP/IP LayerEquivalent OSI LayersKey Protocols
Application7 + 6 + 5HTTP, FTP, DNS, SMTP, SSH, TLS
Transport4TCP, UDP
Internet3IP, ICMP, ARP
Network Access (Link)2 + 1Ethernet, Wi-Fi, MAC
💡 TCP/IP is the real-world implementation; OSI is the conceptual reference model. Security certifications test OSI; real networks use TCP/IP.

IPv4 Addressing & Subnetting

ClassRangeDefault MaskUse
A1.0.0.0 – 126.255.255.255/8 (255.0.0.0)Large enterprises
B128.0.0.0 – 191.255.255.255/16 (255.255.0.0)Medium networks
C192.0.0.0 – 223.255.255.255/24 (255.255.255.0)Small networks
D224.0.0.0 – 239.255.255.255N/AMulticast

Private ranges (RFC 1918): 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 — not routable on the internet.
Loopback: 127.0.0.1 — always refers to "this machine".
CIDR example: 192.168.1.0/24 → 256 addresses (254 usable), subnet mask 255.255.255.0.

Network Devices

DeviceOSI LayerFunction
Hub1 (Physical)Broadcasts all traffic to every port — creates collision domains
Switch2 (Data Link)Forwards frames by MAC address — breaks collision domains
Router3 (Network)Routes packets between networks by IP address
Firewall3–7Filters traffic by rules; stateful/NGFW inspects deeply
IDS/IPS3–7Detects (IDS) or blocks (IPS) suspicious traffic
Load Balancer4–7Distributes traffic across multiple servers
Proxy7 (Application)Intermediary — content filtering, anonymity, caching
Interview Q&A · ~20 min · 20 Questions

Interview Questions & Model Answers

Click any question to reveal the model answer.

1What are the 7 layers of the OSI model and their functions?Easy
The OSI (Open Systems Interconnection) model has 7 layers (top to bottom):

  • 7 — Application: User-facing protocols (HTTP, FTP, DNS, SMTP). Where the app interacts with the network.
  • 6 — Presentation: Data translation, encryption (TLS), compression (JPEG). Makes data readable.
  • 5 — Session: Manages sessions between applications — establishment, maintenance, termination.
  • 4 — Transport: End-to-end delivery using TCP (reliable) or UDP (fast). Port numbers live here.
  • 3 — Network: Logical addressing (IP) and routing between networks. Routers operate here.
  • 2 — Data Link: MAC addressing, frame delivery within a LAN. Switches operate here.
  • 1 — Physical: Raw bit transmission — cables, electrical signals, hubs, radio waves.
💡 Mnemonic bottom→top: Please Do Not Throw Sausage Pizza Away. Security attacks target specific layers — DDoS hits L3/L4, XSS hits L7, ARP spoofing hits L2.
2What is the difference between TCP and UDP?Easy
FeatureTCPUDP
ConnectionConnection-oriented (3-way handshake)Connectionless
ReliabilityGuaranteed delivery, retransmissionNo guarantee — fire and forget
OrderingSequence numbers ensure orderNo ordering
SpeedSlower (overhead)Faster (low overhead)
Use casesHTTP, HTTPS, SSH, FTP, emailDNS, VoIP, video streaming, gaming
💡 Security angle: UDP is easier to spoof (no handshake) — many amplification DDoS attacks use UDP (DNS, NTP, SSDP amplification). TCP SYN floods exploit the handshake state.
3What is the difference between a hub, switch, and router?Easy
  • Hub (L1): Broadcasts all traffic to every port. No intelligence. Creates collisions. Rarely used today — replaced by switches. Security risk: any connected device sees all traffic (passive sniffing).
  • Switch (L2): Maintains a MAC address table. Forwards frames only to the correct port. Reduces collisions. More secure than hubs but vulnerable to MAC flooding and ARP spoofing.
  • Router (L3): Routes packets between different networks using IP addresses. Maintains routing tables. Connects a LAN to the internet (WAN). Can perform NAT, DHCP, basic ACLs.
💡 A Layer 3 switch combines switch and basic routing functionality — common in enterprise networks for inter-VLAN routing without a dedicated router.
4What is subnetting and why is it used?Medium
Subnetting divides a large IP network into smaller sub-networks (subnets) by borrowing bits from the host portion of the address.

Why it's used:
  • Efficient IP use: Allocate only the address space needed.
  • Improved performance: Reduces broadcast domain size.
  • Security: Isolate network segments (HR vs Finance vs DMZ).
  • Organisation: Logical grouping of devices.
Example: 192.168.1.0/26 gives 4 subnets of 64 addresses each (62 usable per subnet).
Formula: Usable hosts = 2^(host bits) − 2 (subtract network and broadcast addresses).
💡 Security teams use subnetting to enforce network segmentation — attackers who compromise one subnet cannot directly reach another segment.
5What is NAT (Network Address Translation)?Medium
NAT translates private IP addresses to a single public IP address (or a pool) when traffic leaves a private network to the internet — and vice versa for return traffic.

  • Static NAT: 1-to-1 mapping (private IP ↔ public IP).
  • Dynamic NAT: Pool of public IPs shared among private hosts.
  • PAT (Port Address Translation / NAT Overload): Many private IPs share one public IP using unique port numbers — most common home/office setup.
Security benefits: Private IPs are hidden from the internet; external hosts cannot initiate connections to internal hosts (by default).
💡 NAT is NOT a security control — it's a workaround for IPv4 exhaustion. It provides security obscurity but not access control. Use firewalls for actual security.
6What is the difference between IPv4 and IPv6?Medium
FeatureIPv4IPv6
Address size32-bit (~4.3 billion)128-bit (~340 undecillion)
FormatDotted decimal: 192.168.1.1Hex colon: 2001:db8::1
NAT requiredYes (address exhaustion)No (enough addresses for every device)
HeaderVariable length, complexFixed 40-byte, simpler
SecurityIPSec optionalIPSec built-in (mandatory in design)
Auto-configDHCP neededSLAAC (stateless auto-configuration)
7What is a VLAN and what is it used for?Medium
A VLAN (Virtual LAN) is a logical segmentation of a physical network into isolated broadcast domains — configured on managed switches without requiring separate physical hardware.

Uses:
  • Security: Isolate sensitive departments (HR, Finance, IoT devices).
  • Performance: Reduce broadcast traffic.
  • Flexibility: Group users by role regardless of physical location.
VLANs are identified by a tag (IEEE 802.1Q). Traffic between VLANs requires a router or L3 switch (inter-VLAN routing).
💡 VLAN hopping attacks (switch spoofing, double tagging) can bypass VLAN isolation. Mitigate by disabling trunk auto-negotiation and restricting VLAN membership.
8How does DNS work? Walk me through a DNS query.Medium
DNS (Domain Name System) translates human-readable domain names (e.g., google.com) to IP addresses.

DNS resolution process:
  1. Browser checks local cache → OS cache → hosts file.
  2. If not found, query goes to the Recursive Resolver (usually ISP's DNS).
  3. Resolver queries the Root Name Server → gets referral to TLD server (e.g., .com).
  4. Resolver queries the TLD Name Server (.com) → gets referral to authoritative server.
  5. Resolver queries the Authoritative Name Server for google.com → gets the A record (IP).
  6. Resolver returns IP to client; result cached with TTL.
💡 Security attacks: DNS spoofing/cache poisoning (forging DNS responses), DNS tunnelling (C2 over DNS), DNS amplification DDoS. Use DNSSEC to sign records.
9What is the difference between HTTP and HTTPS?Easy
  • HTTP (port 80): HyperText Transfer Protocol. Data transmitted in plaintext. Vulnerable to eavesdropping and MitM attacks.
  • HTTPS (port 443): HTTP over TLS (Transport Layer Security). Encrypts data in transit. Provides: Confidentiality (encryption), Integrity (MAC), Authentication (certificates).
TLS uses a handshake to establish a session: client hello → server hello + certificate → key exchange → session established with symmetric key.
💡 A padlock icon in a browser means TLS is active — but it only means the connection is encrypted, NOT that the site is trustworthy. Phishing sites use HTTPS too.
10What is ARP and how does ARP spoofing work?Medium
ARP (Address Resolution Protocol) maps IP addresses to MAC addresses on a local network. When a device wants to communicate with 192.168.1.1, it broadcasts "Who has 192.168.1.1?" — the owner replies with its MAC address.

ARP Spoofing: ARP is stateless and trusts all replies. An attacker sends gratuitous ARP replies, claiming their MAC address maps to the gateway's IP — redirecting all traffic through the attacker (Man-in-the-Middle).

Mitigations: Dynamic ARP Inspection (DAI) on switches, static ARP entries, VLAN segmentation, detection tools (arpwatch, XArp).
💡 ARP spoofing is a Layer 2 attack — firewalls at Layer 3 cannot see or stop it. It must be mitigated at the switch/VLAN level.
11What is the TCP three-way handshake?Easy
The TCP three-way handshake establishes a reliable connection before data transfer:

  1. SYN: Client sends a SYN packet with a random sequence number (ISN) to the server.
  2. SYN-ACK: Server replies with SYN-ACK, acknowledging the client's ISN and sending its own ISN.
  3. ACK: Client acknowledges the server's ISN. Connection established.
Termination (4-way): FIN → FIN-ACK → FIN → FIN-ACK.
💡 SYN flood attack: attacker sends thousands of SYN packets without completing the handshake, exhausting server connection tables. Mitigated with SYN cookies, rate limiting.
12What is a MAC address and how is it different from an IP address?Easy
FeatureMAC AddressIP Address
LayerLayer 2 (Data Link)Layer 3 (Network)
Format48-bit hex: AA:BB:CC:DD:EE:FFIPv4 32-bit dotted decimal
Assigned byHardware manufacturer (burned-in)Network administrator or DHCP
ScopeLocal network only (not routed)Globally routable (public IPs)
ChangeableCan be spoofed in softwareYes (static or dynamic)
💡 MAC addresses are only relevant within the local subnet. Once a packet crosses a router, the MAC header is replaced. MAC filtering as a security control is weak — MACs can be spoofed.
13What is DHCP and how does it work?Easy
DHCP (Dynamic Host Configuration Protocol, port 67/68) automatically assigns IP addresses and network config to devices.

DORA process:
  1. Discover: Client broadcasts a DHCP Discover message.
  2. Offer: DHCP server offers an IP address.
  3. Request: Client requests the offered IP.
  4. Acknowledge: Server confirms the lease.
DHCP provides: IP address, subnet mask, default gateway, DNS server, lease duration.
💡 DHCP starvation attack: attacker floods DHCP with requests to exhaust the IP pool → new devices get no IP. Rogue DHCP: attacker sets up fake DHCP server to assign itself as gateway (MitM). Mitigate with DHCP snooping on switches.
14What is the difference between a stateful and stateless firewall?Medium
  • Stateless (Packet Filtering): Inspects each packet independently based on static rules (source/dest IP, port, protocol). Fast but cannot understand connection context. Vulnerable to IP spoofing and fragmentation attacks.
  • Stateful Inspection: Tracks the state of active connections in a state table. Knows whether a packet is part of an established, legitimate connection. Blocks unsolicited inbound packets that aren't part of known sessions.
💡 Modern Next-Gen Firewalls (NGFW) go further — deep packet inspection, application awareness (can identify apps on any port), IDS/IPS integration, and SSL decryption.
15What is network segmentation and why is it important for security?Medium
Network segmentation divides a network into isolated zones to control traffic flow between segments.

Security importance:
  • Limits lateral movement — if an attacker compromises one segment, they cannot freely reach others.
  • Reduces blast radius of an incident.
  • Isolates sensitive systems (payment, healthcare, industrial controls).
  • Improves monitoring — traffic between segments passes through control points.
Methods: VLANs, subnets, firewalls between zones, DMZ, microsegmentation (software-defined).
💡 PCI-DSS requires network segmentation to isolate cardholder data environments (CDE). Failure to segment means the entire network falls in scope for audits.
16What is a proxy server and what security benefits does it offer?Medium
A proxy server acts as an intermediary between clients and servers, handling requests on behalf of the client.

Security benefits:
  • Content filtering: Block malicious or unauthorized sites.
  • Anonymity: Hides internal IP addresses from external servers.
  • Caching: Reduces bandwidth, speeds up repeated requests.
  • SSL inspection: Decrypt and inspect HTTPS traffic for malware (SSL-breaking proxy).
  • Logging: Full visibility into user web activity.
Types: Forward proxy (client-side), Reverse proxy (server-side — protects web servers), Transparent proxy.
💡 A reverse proxy (e.g., Nginx, HAProxy) placed in front of web servers hides the real server IPs, provides load balancing, and can offer WAF capabilities.
17Explain symmetric vs asymmetric routing.Hard
  • Symmetric routing: Traffic flows through the same path in both directions (client→server and server→client pass through the same router/firewall). Stateful firewalls work correctly.
  • Asymmetric routing: Return traffic takes a different path than outbound. Can break stateful firewalls that need to see both directions of a connection. Common in multi-homed networks, load balancers, and BGP setups.
Why it matters for security: Asymmetric routing can cause firewall state table issues — the firewall sees only one direction and may drop legitimate return packets (false positives) or miss attacks in the return path.
💡 Solutions: Disable stateful inspection on specific paths, use route policies to enforce symmetry, or deploy stateless ACLs where asymmetry is unavoidable.
18What is BGP and why is it important?Hard
BGP (Border Gateway Protocol) is the routing protocol that governs how packets are routed across the internet between autonomous systems (AS) — large networks like ISPs, cloud providers, enterprises.

Why important:
  • BGP is the "glue of the internet" — every ISP uses it to exchange routing information.
  • BGP route hijacking: an AS announces ownership of IP prefixes it doesn't control, redirecting traffic (used for espionage, traffic interception). Example: 2010 China Telecom BGP hijack affected 15% of internet routes.
  • BGP is based on trust — limited authentication (BGPsec exists but rarely deployed).
💡 Resource Public Key Infrastructure (RPKI) allows route origin validation to combat BGP hijacking — becoming more widely adopted.
19What is a packet and what does it contain?Easy
A packet is the fundamental unit of data transmission in a network. It consists of:

  • Header: Control information — source/destination IP, protocol, TTL, flags, checksum.
  • Payload (Data): The actual application data being transmitted.
  • Trailer (optional): Error detection — CRC checksum (at Layer 2, called a frame).
At each OSI layer, encapsulation adds a new header:
Application data → TCP segment (L4 header added) → IP packet (L3 header) → Ethernet frame (L2 header + trailer) → bits on wire (L1).
💡 This process is called encapsulation (sending) and de-encapsulation (receiving). Packet analysis tools like Wireshark let you inspect every header field — essential for network forensics.
20What is the difference between a broadcast, unicast, and multicast?Easy
TypeDestinationExampleUse
UnicastOne specific deviceHTTP request to 93.184.216.34Normal point-to-point communication
BroadcastAll devices in subnetARP request to 255.255.255.255DHCP Discover, ARP — not routed beyond subnet
MulticastA defined group of devices224.0.0.1 (all hosts)Video streaming, OSPF, routing protocol updates
💡 Broadcast storms can bring down a network — a broadcast triggers more broadcasts in a loop (e.g., due to a STP loop). Switches use Spanning Tree Protocol (STP) to prevent loops.

MCQ Quiz · ~15 min · 25 Questions

Multiple Choice Questions

Select an answer then click Check. Explanations shown after each submission.

MCQ Progress:
0 / 25
Simulation 1 · ~4 min

OSI Layer Matcher

Drag each scenario chip into the correct OSI layer zone.

HTTP web request
SSL/TLS encryption
Session token management
TCP port 443 segmentation
IP packet routing
MAC address framing
Cable signal transmission
Layer 7 — Application
Layer 6 — Presentation
Layer 5 — Session
Layer 4 — Transport
Layer 3 — Network
Layer 2 — Data Link
Layer 1 — Physical
Simulation 2 · ~4 min

Subnet Calculator

Enter an IPv4 address and CIDR prefix — the calculator shows all subnet details.

💡 Try /24 (256 addresses), /25 (128), /26 (64), /27 (32), /28 (16), /30 (4 — point-to-point links).
Simulation 3 · ~4 min

Protocol Classifier

Assign each protocol to its correct OSI layer using the dropdown.

Simulation 4 · ~3 min

Network Device Identifier

Read each description and select the correct network device.

Reference Table

Key Protocols Reference

Common protocols with port numbers, OSI layer, and security notes.

ProtocolPortLayerPurposeSecurity Note
HTTP807Web browsing (unencrypted)Use HTTPS instead — plaintext
HTTPS4437Encrypted web browsing (TLS)Preferred — encrypts in transit
FTP20/217File transfer (unencrypted)Use SFTP/FTPS — plaintext creds
SFTP227Secure file transfer (SSH)Preferred for file transfers
SSH227Secure remote shellUse key auth, disable password auth
Telnet237Remote terminal (unencrypted)Never use — all traffic plaintext
SMTP25/5877Send email587 uses STARTTLS; 25 often blocked
DNS537Name resolutionUse DNS over HTTPS/TLS; DNSSEC
DHCP67/687Dynamic IP assignmentEnable DHCP snooping on switches
POP3110/9957Retrieve email995 is POP3S (TLS)
IMAP143/9937Retrieve/manage email993 is IMAPS (TLS)
HTTPS (TLS)4436TLS encryption/decryptionTLS 1.3 preferred; disable TLS 1.0/1.1
TCP4Reliable connection-oriented transportSYN flood mitigation needed
UDP4Fast connectionless transportEasy to spoof; DDoS amplification
IP (v4/v6)3Logical addressing and routingIP spoofing possible without RPF
ICMP3Ping, traceroute, error messagesICMP tunnelling; block unnecessary ICMP
ARP2IP-to-MAC resolutionARP spoofing; use DAI
Ethernet2LAN frame deliveryMAC flooding; port security on switches
BGP1793Inter-AS internet routingBGP hijacking; deploy RPKI
OSPF893Interior routing protocolAuthenticate OSPF peers
🎉

Module Complete!

You've completed Networking Fundamentals. Review any section via the sidebar.