TCP/IP Model and Protocols
The TCP/IP Model is a foundational framework for network communications, consisting of four layers that govern how data is transmitted across networks. Understanding this model is essential for cybersecurity professionals.

**1. Application Layer:** This is the topmost layer where users interact with network services. It includes protocols such as HTTP (web browsing), HTTPS (secure web browsing), FTP (file transfer), SMTP (email), DNS (domain name resolution), and SSH (secure remote access). Security at this layer involves securing applications against threats like injection attacks and ensuring encrypted communications.

**2. Transport Layer:** This layer ensures reliable data delivery between hosts. The two primary protocols are TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). TCP provides connection-oriented, reliable communication through a three-way handshake (SYN, SYN-ACK, ACK), ensuring data integrity and ordered delivery. UDP is connectionless and faster but less reliable, commonly used for streaming and DNS queries. Security concerns include SYN flood attacks and session hijacking.

**3. Internet Layer:** This layer handles logical addressing and routing. The Internet Protocol (IP) is the core protocol, with IPv4 and IPv6 being the two versions. ICMP (Internet Control Message Protocol) is used for diagnostics like ping. Security threats at this layer include IP spoofing, man-in-the-middle attacks, and routing attacks. IPsec operates here to provide encryption and authentication.

**4. Network Access Layer (Link Layer):** This layer deals with physical transmission of data over network media, including Ethernet, Wi-Fi, and ARP (Address Resolution Protocol). Threats include ARP poisoning and MAC spoofing.

Key security considerations across all layers include implementing firewalls, intrusion detection/prevention systems, network segmentation, encryption protocols like TLS/SSL, and proper access controls. Understanding how these protocols interact helps cybersecurity professionals identify vulnerabilities, monitor network traffic for anomalies, and implement defense-in-depth strategies to protect organizational assets from network-based threats.
TCP/IP Model and Protocols: A Complete Guide for ISC2 CC Exam
Why is the TCP/IP Model Important?
The TCP/IP (Transmission Control Protocol/Internet Protocol) model is the foundational framework that governs how data is transmitted across the internet and virtually all modern networks. For cybersecurity professionals, understanding this model is absolutely essential because:
• Every network-based attack exploits vulnerabilities at one or more layers of the TCP/IP model.
• Firewalls, intrusion detection systems, and other security controls operate at specific layers.
• Troubleshooting network issues requires understanding how data flows through each layer.
• Security policies and access controls are often implemented based on protocol-level understanding.
• The ISC2 CC exam tests your ability to understand network fundamentals, and the TCP/IP model is at the heart of network security.
What is the TCP/IP Model?
The TCP/IP model is a four-layer conceptual framework that describes how data is packaged, addressed, transmitted, routed, and received across a network. It was developed by the U.S. Department of Defense and became the standard for internet communications.
The four layers of the TCP/IP model, from top to bottom, are:
1. Application Layer
This is the topmost layer and is closest to the end user. It provides network services directly to applications. It combines the functions of the OSI model's Application, Presentation, and Session layers.
Key Protocols:
• HTTP/HTTPS (Port 80/443) – Web browsing. HTTPS adds encryption via TLS/SSL.
• FTP (Port 20/21) – File transfer. Port 21 for control, Port 20 for data.
• SFTP (Port 22) – Secure file transfer over SSH.
• SSH (Port 22) – Secure remote access and encrypted communication.
• Telnet (Port 23) – Remote access (unencrypted, insecure).
• SMTP (Port 25) – Sending email.
• POP3 (Port 110) – Retrieving email (downloads and deletes from server).
• IMAP (Port 143) – Retrieving email (syncs with server).
• DNS (Port 53) – Resolves domain names to IP addresses.
• DHCP (Port 67/68) – Dynamically assigns IP addresses to devices.
• SNMP (Port 161/162) – Network management and monitoring.
• LDAP (Port 389) – Directory services for authentication.
• RDP (Port 3389) – Remote desktop access.
2. Transport Layer
This layer is responsible for end-to-end communication, error recovery, and flow control between hosts. It segments data and provides either reliable (TCP) or best-effort (UDP) delivery, depending on the protocol used.
Key Protocols:
• TCP (Transmission Control Protocol) – Connection-oriented, reliable delivery. Uses a three-way handshake (SYN → SYN-ACK → ACK) to establish connections. Guarantees data arrives in order and without errors. Used by HTTP, HTTPS, FTP, SSH, SMTP, etc.
• UDP (User Datagram Protocol) – Connectionless, unreliable (best-effort) delivery. Faster than TCP because there is no handshake or acknowledgment. Used by DNS, DHCP, SNMP, streaming media, VoIP, and TFTP.
Key Concepts:
• Port Numbers – Identify specific services or applications. Well-known ports: 0-1023. Registered ports: 1024-49151. Dynamic/ephemeral ports: 49152-65535.
• Sockets – A combination of IP address + port number that uniquely identifies a communication endpoint.
• Segmentation – TCP breaks data into segments; UDP breaks data into datagrams.
3. Internet Layer (Network Layer)
This layer handles logical addressing and routing of data packets across different networks. It determines the best path for data to travel from source to destination.
Key Protocols:
• IP (Internet Protocol) – Provides logical addressing (IP addresses) and routing. IPv4 uses 32-bit addresses (e.g., 192.168.1.1). IPv6 uses 128-bit addresses (e.g., 2001:0db8::1).
• ICMP (Internet Control Message Protocol) – Used for error reporting and diagnostics. Ping and traceroute use ICMP. Often exploited in attacks like ping floods and ICMP tunneling.
• ARP (Address Resolution Protocol) – Resolves IP addresses to MAC (hardware) addresses. Vulnerable to ARP spoofing/poisoning attacks.
• IGMP (Internet Group Management Protocol) – Manages multicast group memberships.
Key Concepts:
• Routing – Routers operate at this layer and use routing tables to forward packets.
• IP Addressing – Every device on a network has a unique IP address.
• Subnetting – Dividing a network into smaller sub-networks for efficiency and security.
• NAT (Network Address Translation) – Translates private IP addresses to public IP addresses.
4. Network Access Layer (Link Layer / Network Interface Layer)
This is the lowest layer and deals with the physical transmission of data over the network medium. It combines the functions of the OSI model's Data Link and Physical layers.
Key Concepts:
• MAC Addresses – 48-bit hardware addresses assigned to network interface cards (NICs). Unique to each device.
• Ethernet (IEEE 802.3) – The most common wired LAN technology.
• Wi-Fi (IEEE 802.11) – Wireless LAN technology.
• Switches – Operate at this layer using MAC addresses to forward frames.
• Frames – Data at this layer is encapsulated in frames that include source and destination MAC addresses.
• Physical media – Cables (copper, fiber optic), wireless signals.
How Does the TCP/IP Model Work? (Data Flow / Encapsulation)
When data is sent from one device to another, it passes through a process called encapsulation as it moves down the layers, and de-encapsulation as it moves up the layers on the receiving end.
Encapsulation Process (Sending):
1. Application Layer – User data is created (e.g., a web request). → Data
2. Transport Layer – Data is broken into segments (TCP) or datagrams (UDP). Port numbers are added. → Segment/Datagram
3. Internet Layer – Source and destination IP addresses are added. → Packet
4. Network Access Layer – Source and destination MAC addresses are added. Data is converted to bits for physical transmission. → Frame → Bits
De-encapsulation Process (Receiving):
The reverse process occurs. Headers are stripped at each layer until the original data reaches the application.
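The encapsulation and de-encapsulation steps above can be made concrete by building the three headers by hand. The following Python is an added example, not part of the original guide: it wraps a small HTTP request in a TCP header (ports), then an IPv4 header (logical addresses, with the RFC 791 header checksum), then an Ethernet header (hardware addresses), and then strips the headers again on the receiving side, verifying the checksum on the way up. The MAC addresses, IP addresses and ports are constructed sample values; the TCP checksum is left at zero because it needs an IP pseudo-header and is not what the passage is about.

```python
import struct

# Constructed sample endpoints (not from the page): addresses, MACs and ports
# are illustrative only.
SRC_MAC, DST_MAC = "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"
SRC_IP, DST_IP = "192.168.1.10", "192.168.1.20"
SRC_PORT, DST_PORT = 51234, 80           # ephemeral client port -> HTTP
ETHERTYPE_IPV4, PROTO_TCP, TCP_SYN = 0x0800, 6, 0x02


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's complement of the one's-complement sum of 16-bit words."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                    # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_segment(data: bytes, flags: int = TCP_SYN) -> bytes:
    """Transport layer: prepend a 20-byte TCP header; the ports name the service."""
    offset_flags = (5 << 12) | flags      # data offset 5 words (no options) + flags
    # TCP checksum left 0 here: it needs an IP pseudo-header, not shown in this example.
    header = struct.pack("!HHIIHHHH", SRC_PORT, DST_PORT, 1000, 0,
                         offset_flags, 65535, 0, 0)
    return header + data


def build_ipv4_packet(segment: bytes) -> bytes:
    """Internet layer: prepend a 20-byte IPv4 header carrying the logical addresses."""
    version_ihl = (4 << 4) | 5            # IPv4, 5-word header
    header = struct.pack("!BBHHHBBH4s4s", version_ihl, 0, 20 + len(segment),
                         1, 0, 64, PROTO_TCP, 0,
                         ip_to_bytes(SRC_IP), ip_to_bytes(DST_IP))
    checksum = ipv4_checksum(header)      # computed with the checksum field zeroed
    return header[:10] + struct.pack("!H", checksum) + header[12:] + segment


def build_ethernet_frame(packet: bytes) -> bytes:
    """Network access layer: prepend a 14-byte Ethernet header with hardware addresses."""
    return (mac_to_bytes(DST_MAC) + mac_to_bytes(SRC_MAC)
            + struct.pack("!H", ETHERTYPE_IPV4) + packet)


def encapsulate(data: bytes) -> bytes:
    """Data -> segment -> packet -> frame, in the order the text describes."""
    return build_ethernet_frame(build_ipv4_packet(build_tcp_segment(data)))


def decapsulate(frame: bytes) -> dict:
    """Receiving side: strip one header per layer, verifying the IPv4 checksum."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4
    ip_header = packet[:ihl]
    if ipv4_checksum(ip_header) != 0:     # an intact header sums to zero with its checksum in place
        raise ValueError("IPv4 header checksum mismatch")
    segment = packet[ihl:]
    src_port, dst_port = struct.unpack("!HH", segment[:4])
    tcp_header_len = (segment[12] >> 4) * 4
    return {
        "dst_mac": frame[:6].hex(":"), "src_mac": frame[6:12].hex(":"),
        "src_ip": ".".join(map(str, ip_header[12:16])),
        "dst_ip": ".".join(map(str, ip_header[16:20])),
        "protocol": ip_header[9],
        "src_port": src_port, "dst_port": dst_port,
        "tcp_flags": segment[13],
        "data": segment[tcp_header_len:],
    }


def is_intact(frame: bytes) -> bool:
    """True when the frame parses and its IPv4 header checksum verifies."""
    try:
        decapsulate(frame)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    frame = encapsulate(b"GET / HTTP/1.1\r\n")
    print(len(frame), "bytes on the wire")   # 14 + 20 + 20 + 16 = 70
    print(decapsulate(frame))
```

Flipping a single byte inside the IPv4 header makes `is_intact` return False, which is the receiving-side check that distinguishes a packet that was corrupted (or tampered with) in transit from one that arrived as sent.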
TCP/IP Model vs. OSI Model
The exam may reference both models. Here is a quick comparison:
• OSI has 7 layers: Physical, Data Link, Network, Transport, Session, Presentation, Application.
• TCP/IP has 4 layers: Network Access, Internet, Transport, Application.
• TCP/IP's Application layer maps to OSI layers 5, 6, and 7.
• TCP/IP's Internet layer maps to OSI layer 3 (Network).
• TCP/IP's Transport layer maps to OSI layer 4 (Transport).
• TCP/IP's Network Access layer maps to OSI layers 1 and 2 (Physical and Data Link).
• The OSI model is a theoretical/reference model, while TCP/IP is the practical model used in real-world networking.
Security Considerations at Each Layer
Application Layer Security:
• Use HTTPS instead of HTTP
• Use SSH instead of Telnet
• Use SFTP/SCP instead of FTP
• Implement email security (SPF, DKIM, DMARC)
• DNS security (DNSSEC) to prevent DNS poisoning
Transport Layer Security:
• TLS/SSL encrypts data in transit
• Use of firewalls to filter traffic by port number
• SYN flood attacks target the TCP three-way handshake (mitigated by SYN cookies)
Internet Layer Security:
• IPsec provides encryption and authentication at the network layer
• Firewalls and ACLs filter traffic by IP address
• Protection against IP spoofing, ICMP attacks, and ARP poisoning
• Use of VPNs for secure tunneling
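The bullets above on IP-address filtering and protection against IP spoofing come together in ingress and egress filtering, where a firewall checks a packet's source address against the interface it arrived on. The Python below is an added example written for this guide, not the guide's own material: it assumes a constructed site prefix (10.20.0.0/16) with an external interface named wan0 and an internal one named lan0, and uses the standard-library ipaddress module to drop packets from the Internet that claim a private or internal source, and packets from inside hosts that do not carry the site's own addresses.

```python
import ipaddress

# Constructed topology (not from the page): the site's internal prefix and the
# two firewall interface names are assumptions made for this example.
INTERNAL_PREFIX = ipaddress.ip_network("10.20.0.0/16")
EXTERNAL_IF, INTERNAL_IF = "wan0", "lan0"

# Sources that can never legitimately arrive from the Internet: RFC 1918
# private space, loopback, link-local, and the site's own prefix.
BOGON_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
    INTERNAL_PREFIX,
]


def ingress_decision(interface: str, src_ip: str):
    """Return (verdict, reason) for a packet given its arrival interface and source."""
    src = ipaddress.ip_address(src_ip)
    if interface == EXTERNAL_IF:
        # Ingress filtering: a packet from the Internet claiming an inside or
        # non-routable source is spoofed; drop it before it reaches any host.
        for net in BOGON_SOURCES:
            if src in net:
                return "DROP", f"spoofed source {src} ({net}) arrived on {interface}"
        return "ACCEPT", "routable external source"
    if interface == INTERNAL_IF:
        # Egress filtering: inside hosts may only send with the site's own
        # addresses, so this network cannot be used to spoof traffic at others.
        if src in INTERNAL_PREFIX:
            return "ACCEPT", "internal source"
        return "DROP", f"internal host sending with foreign source {src}"
    return "DROP", f"unknown interface {interface}"


# Constructed sample arrivals (not a real capture): (interface, source, destination).
SAMPLE_ARRIVALS = [
    ("wan0", "203.0.113.7", "10.20.1.10"),      # ordinary Internet client
    ("wan0", "10.20.1.99", "10.20.1.10"),       # claims to be an inside host
    ("wan0", "192.168.5.5", "10.20.1.10"),      # RFC 1918 source from outside
    ("lan0", "10.20.3.4", "198.51.100.9"),      # inside host, own address
    ("lan0", "203.0.113.250", "198.51.100.9"),  # inside host using a foreign source
]


def filter_arrivals(arrivals):
    """Return the (interface, source, reason) triples the filter drops."""
    dropped = []
    for iface, src, _dst in arrivals:
        verdict, reason = ingress_decision(iface, src)
        if verdict == "DROP":
            dropped.append((iface, src, reason))
    return dropped


if __name__ == "__main__":
    for entry in filter_arrivals(SAMPLE_ARRIVALS):
        print("DROP", *entry)
```

The two directions matter equally: the wan0 rules protect the site's own hosts from packets that forge an inside address, while the lan0 rule keeps the site from becoming the source of spoofed traffic aimed at someone else.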
Network Access Layer Security:
• MAC filtering
• 802.1X port-based network access control
• WPA3 for wireless security
• Physical security of network infrastructure
The TCP Three-Way Handshake (Critical Exam Topic)
TCP establishes a connection using a three-step process:
1. SYN – The client sends a synchronization request to the server.
2. SYN-ACK – The server acknowledges the request and sends its own synchronization request back.
3. ACK – The client acknowledges the server's response. The connection is now established.
To terminate a connection, TCP uses a four-step process: FIN → ACK → FIN → ACK.
A SYN flood attack sends many SYN packets without completing the handshake, exhausting server resources. This is a type of Denial of Service (DoS) attack.
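The handshake and the half-open connections a SYN flood leaves behind can be followed with a small per-connection state machine. The Python below is an added example for this guide, not the guide's own code: it replays a constructed list of packet records (timestamp, source, source port, destination, destination port, TCP flags) through the SYN, SYN-ACK and ACK steps, counts the connections that never reach ESTABLISHED per server socket, and raises an alert when the number of half-open connections from distinct clients crosses a threshold. The addresses, ports and the threshold of five are assumptions made for the example.

```python
from collections import defaultdict

SYN, ACK = 0x02, 0x10          # TCP flag bits used in the records below

# Constructed packet records (not a real capture): (seconds, src_ip, src_port,
# dst_ip, dst_port, tcp_flags). Addresses and ports are illustrative only.
SAMPLE_PACKETS = [
    # One legitimate client completing the three-way handshake.
    (0.00, "10.20.0.5", 51000, "10.20.1.10", 80, SYN),
    (0.01, "10.20.1.10", 80, "10.20.0.5", 51000, SYN | ACK),
    (0.02, "10.20.0.5", 51000, "10.20.1.10", 80, ACK),
]
# Six SYNs from six different sources; the server answers each with a
# SYN-ACK, but no final ACK ever arrives, so all six stay half-open.
for i in range(1, 7):
    client, cport = f"198.51.100.{i}", 40000 + i
    SAMPLE_PACKETS.append((1.0 + i / 100, client, cport, "10.20.1.10", 80, SYN))
    SAMPLE_PACKETS.append((1.0 + i / 100, "10.20.1.10", 80, client, cport, SYN | ACK))


def track_handshakes(packets):
    """Replay packets through a per-connection state machine.

    Returns (established, half_open): the number of completed handshakes and a
    dict mapping (server_ip, server_port) to the set of client endpoints whose
    handshake never completed.
    """
    state = {}                        # (client_ip, client_port, server_ip, server_port) -> state
    half_open = defaultdict(set)
    established = 0
    for _t, src, sport, dst, dport, flags in packets:
        if flags & SYN and not flags & ACK:
            # Step 1: client SYN opens a half-open connection on the server.
            key = (src, sport, dst, dport)
            state[key] = "SYN_SENT"
            half_open[(dst, dport)].add((src, sport))
        elif flags & SYN and flags & ACK:
            # Step 2: server SYN-ACK; the server is the sender, so swap roles.
            key = (dst, dport, src, sport)
            if state.get(key) == "SYN_SENT":
                state[key] = "SYN_RECEIVED"
        elif flags & ACK:
            # Step 3: client ACK completes the handshake and frees the slot.
            key = (src, sport, dst, dport)
            if state.get(key) == "SYN_RECEIVED":
                state[key] = "ESTABLISHED"
                half_open[(dst, dport)].discard((src, sport))
                established += 1
    return established, half_open


def syn_flood_alerts(half_open, threshold=5):
    """List (server_socket, count) pairs whose half-open count reaches the threshold."""
    return [(server, len(clients)) for server, clients in half_open.items()
            if len(clients) >= threshold]


if __name__ == "__main__":
    done, pending = track_handshakes(SAMPLE_PACKETS)
    print("established:", done)
    for server, count in syn_flood_alerts(pending):
        print(f"ALERT possible SYN flood: {count} half-open connections to {server}")
```

A real server has a finite backlog for connections in the SYN_RECEIVED state, which is exactly the resource a SYN flood exhausts; SYN cookies mitigate this by encoding the connection state in the SYN-ACK sequence number so nothing is stored until the final ACK arrives.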
Common Port Numbers to Memorize
• FTP Data: 20 | FTP Control: 21
• SSH/SFTP: 22
• Telnet: 23
• SMTP: 25
• DNS: 53
• DHCP: 67 (server), 68 (client)
• TFTP: 69
• HTTP: 80
• POP3: 110
• IMAP: 143
• SNMP: 161/162
• LDAP: 389
• HTTPS: 443
• LDAPS: 636
• RDP: 3389
Key Protocols Summary
• TCP – Reliable, connection-oriented, three-way handshake, guarantees delivery.
• UDP – Unreliable, connectionless, faster, no handshake, best-effort delivery.
• IP – Logical addressing and routing.
• ICMP – Error reporting, diagnostics (ping, traceroute).
• ARP – Maps IP addresses to MAC addresses.
• DNS – Translates domain names to IP addresses.
• DHCP – Automatically assigns IP addresses.
• IPsec – Provides encryption and authentication at the Internet layer. Used in VPNs.
• TLS/SSL – Provides encryption at the Transport/Application layer boundary.
Exam Tips: Answering Questions on TCP/IP Model and Protocols
1. Know the Four Layers Cold
Be able to identify the four layers of the TCP/IP model and what each layer does. If a question describes a function (e.g., routing, addressing, segmentation), you should immediately know which layer it belongs to.
2. Map Protocols to Layers
The exam may ask which layer a specific protocol operates at. For example: DNS operates at the Application layer, TCP operates at the Transport layer, IP operates at the Internet layer. Practice associating every protocol with its correct layer.
3. TCP vs. UDP is a Favorite Exam Topic
Know the differences between TCP and UDP. If a question mentions reliability, ordering, or handshakes, the answer is TCP. If it mentions speed, real-time streaming, or best-effort delivery, the answer is UDP. Remember which protocols use each: HTTP uses TCP; DNS primarily uses UDP (but can use TCP for zone transfers).
4. Memorize Common Port Numbers
Questions may present a scenario and expect you to identify the protocol based on its port number, or vice versa. Focus on the most common ports listed above.
5. Understand Encapsulation
Know the data units at each layer: Data → Segment/Datagram → Packet → Frame → Bits. If a question asks what a PDU (Protocol Data Unit) is called at the Transport layer, the answer is segment (TCP) or datagram (UDP).
6. Security Controls at Each Layer
The exam often asks where a specific security measure operates. For example: IPsec operates at the Internet layer. TLS/SSL operates between the Transport and Application layers. Firewalls can operate at the Transport layer (port filtering) or Internet layer (IP filtering). A packet-filtering firewall works at layer 3/4; a WAF works at the Application layer.
7. Know the Three-Way Handshake
Understand SYN → SYN-ACK → ACK. Know that SYN flood attacks exploit this process. If a question describes a scenario where a server is overwhelmed by half-open connections, think SYN flood / DoS attack.
8. Secure vs. Insecure Protocols
The exam frequently tests whether you know the secure alternative to an insecure protocol: Telnet → SSH, HTTP → HTTPS, FTP → SFTP/FTPS, SNMP v1/v2 → SNMPv3, LDAP → LDAPS.
9. Read Questions Carefully for Keywords
Look for keywords like reliable (TCP), connectionless (UDP), logical addressing (Internet layer/IP), physical addressing (Network Access layer/MAC), name resolution (DNS), routing (Internet layer).
10. Don't Confuse TCP/IP with OSI
If the question specifically asks about the TCP/IP model, use four layers. If it asks about the OSI model, use seven layers. Some questions may ask you to compare or map between the two models, so know the correspondence between them.
11. Understand ARP and Its Vulnerabilities
ARP resolves IP to MAC addresses. ARP spoofing/poisoning is a common attack where an attacker sends fake ARP messages to associate their MAC address with a legitimate IP address, enabling man-in-the-middle attacks.
12. Think Like a Security Professional
When in doubt, choose the answer that best aligns with defense-in-depth and the principle of applying security at multiple layers. The ISC2 CC exam values understanding of how security is applied throughout the network stack, not just memorization of technical details.