Application Layer

HTTP, TLS, BGP, and the protocols that power the services we use every day.

HTTP & HTTPS — How the Web Works

HTTP-HTTPS

How browsers and servers exchange resources using HTTP request/response cycles, what every status code category means, and why HTTPS is a fundamentally different security model — not just HTTP with encryption bolted on.

application, http, https, request, response, status-codes, web, rfc9110

TLS & SSL — The Handshake Behind HTTPS

TLS-SSL

How TLS establishes an encrypted, authenticated channel before a single byte of application data flows — the handshake, certificates, certificate authorities, and why SSL is dead but its name lives on.

application, tls, ssl, https, certificate, pki, handshake, rfc8446

FTP, SFTP & FTPS — File Transfer Protocols

FTP-SFTP-FTPS

Three protocols share 'FTP' in their name but work completely differently under the hood — plain FTP sends credentials in cleartext, FTPS wraps FTP in TLS, and SFTP is an entirely separate protocol riding over SSH.

application, ftp, sftp, ftps, ssh, tls, file-transfer, rfc959

SSH — Secure Shell

SSH

How SSH replaced telnet and rsh to become the universal tool for secure remote access — the key exchange that protects every session, public key authentication, and the protocol's multiplexing architecture that carries shells, file transfers, and tunnels over a single encrypted connection.

application, ssh, cryptography, key-exchange, public-key, tunneling, rfc4253

SMTP — How Email Travels

SMTP

The protocol that moves email between servers has been largely unchanged since 1982 — SMTP handles message submission and relay, while authentication extensions like SPF, DKIM, and DMARC were bolted on decades later to fight spam and spoofing.

application, smtp, email, spf, dkim, dmarc, starttls, rfc5321

IMAP & POP3 — Reading Your Email

IMAP-POP3

SMTP delivers mail to servers; IMAP and POP3 are how clients retrieve it. IMAP keeps mail on the server and synchronises state across devices — the modern standard. POP3 downloads and deletes — a relic of the single-device era that still sees use in specific scenarios.

application, imap, pop3, email, rfc9051, rfc1939

SNMP — Network Device Monitoring

SNMP

Simple Network Management Protocol is how network devices expose their state — interface counters, CPU load, error rates — to monitoring systems. SNMPv1 sent community strings in cleartext; SNMPv3 finally added encryption and real authentication, but much of the industry still runs v2c.

application, snmp, monitoring, oid, mib, trap, rfc3411

NTP — Network Time Protocol

NTP

Accurate time is invisible infrastructure — until it breaks. NTP synchronises clocks across the internet to within milliseconds, using a hierarchy of stratum levels from atomic reference clocks down to your laptop. Kerberos, TLS certificates, log correlation, and distributed databases all depend on it.

application, ntp, time, stratum, ptp, rfc5905

LDAP — Directory Services

LDAP

LDAP is the protocol that reads and writes directory information — the hierarchical database storing users, groups, computers, and policies in Active Directory, OpenLDAP, and every enterprise identity system. Understanding LDAP means understanding how authentication, group membership, and policy application work at the protocol level.

application, ldap, active-directory, directory, authentication, x500, rfc4511

RADIUS — Remote Authentication

RADIUS

RADIUS centralises authentication, authorisation, and accounting for network access — VPNs, Wi-Fi, 802.1X port authentication, and dial-up all delegate credential verification to a RADIUS server. It is the reason your corporate Wi-Fi can check your Active Directory password without each access point knowing anything about your account.

application, radius, aaa, 802.1x, authentication, accounting, eap, rfc2865

Syslog — System Logging

SYSLOG

Every router, switch, firewall, and server can send log messages to a central collector using syslog. The protocol defines a simple severity-and-facility taxonomy, a message format, and a transport — but the real value is what you build on top: centralised log aggregation, alerting, and the ability to reconstruct what happened across your entire infrastructure from a single pane of glass.

application, syslog, logging, monitoring, siem, rsyslog, rfc5424

Telnet — The Protocol SSH Replaced

TELNET

Telnet was the original remote terminal protocol — plain text, no encryption, no authentication beyond a username and password sent in cleartext. Understanding Telnet explains why SSH exists and why legacy network equipment still running Telnet is a critical vulnerability.

application, telnet, remote-access, legacy, cleartext, rfc854

TACACS+ — Terminal Access Controller Access-Control System

TACACS

TACACS+ is Cisco's AAA protocol for controlling access to network infrastructure — routers, switches, and firewalls. Unlike RADIUS, it separates authentication, authorisation, and accounting into independent transactions and encrypts the entire payload, making it the preferred choice for device administration in enterprise environments.

application, tacacs, aaa, authentication, authorisation, accounting, cisco, rfc8907

Kerberos — Ticket-Based Authentication

KERBEROS

Kerberos is the authentication protocol that powers Active Directory — every domain login, every file share access, every Exchange connection in a Windows enterprise uses Kerberos tickets. It solves the password transmission problem by using cryptographic tickets issued by a trusted third party, so passwords never travel across the network.

application, kerberos, authentication, active-directory, tickets, kdc, rfc4120

NetBIOS — Network Basic Input/Output System

NETBIOS

NetBIOS is the legacy name resolution and session service that Windows networks relied on before DNS took over. It still runs silently in most Windows environments, and understanding it explains why you can browse network shares by machine name on a local segment — and why it is a significant lateral movement enabler for attackers.

application, netbios, nbt, wins, smb, windows, name-resolution, rfc1001

RTSP — Real Time Streaming Protocol

RTSP

RTSP controls multimedia streaming sessions — it is the remote control for streams, not the stream itself. Security cameras, IP video systems, and media servers use RTSP to negotiate, start, pause, and stop streams, while the actual audio and video data flows separately over RTP.

application, rtsp, streaming, rtp, sdp, ipcamera, media, rfc7826

iSCSI — IP Storage Networking

ISCSI

iSCSI encapsulates SCSI storage commands inside TCP/IP packets, turning an Ethernet network into a storage fabric. It lets servers mount remote disk volumes over standard IP networks — the same way Fibre Channel SANs work, but without dedicated storage hardware.

application, iscsi, storage, san, scsi, tcp, rfc7143

rsync — Efficient File Synchronisation

RSYNC

rsync transfers only the differences between files, making it the standard tool for backups, deployments, and file synchronisation across systems. Its delta algorithm minimises bandwidth; its SSH transport makes it secure. Most production backup pipelines and deployment scripts use rsync under the hood.

application, rsync, backup, synchronisation, delta, ssh, rfc

MySQL Protocol — Database Wire Protocol

MYSQL

The MySQL client-server protocol governs how applications talk to a MySQL or MariaDB database — the handshake, authentication, query execution, and result streaming. Understanding it matters for network security design, connection pooling, and diagnosing database connectivity issues.

application, mysql, mariadb, database, sql, wire-protocol

iperf — Network Performance Testing

IPERF

iperf is the standard tool for measuring network bandwidth, latency, and packet loss between two endpoints. Before blaming the application, the database, or the cloud, you run iperf — if the raw pipe cannot sustain the required throughput, nothing else matters.

application, iperf, bandwidth, performance, testing, throughput, jitter

SIP — Session Initiation Protocol

SIP

SIP is the signalling protocol that sets up, manages, and tears down voice and video calls over IP networks. It handles the phone ringing and the 'answer' — the actual audio flows separately over RTP. Every VoIP phone, every Teams call, every WebRTC session builds on the concepts SIP defined.

application, sip, voip, telephony, rtp, sdp, rfc3261

SMB — Server Message Block

SMB

SMB is the Windows file sharing protocol — how Windows maps network drives, how Samba lets Linux and macOS join Windows networks, and how ransomware spreads laterally across corporate networks. SMB3 with encryption is a fundamentally different security posture than the SMB1 that WannaCry exploited.

application, smb, cifs, windows, file-sharing, samba, rfc9361

MSSQL — Microsoft SQL Server Protocol

MSSQL

The TDS (Tabular Data Stream) protocol powers all communication between applications and Microsoft SQL Server. Every query, every stored procedure call, every bulk insert goes through TDS. Understanding it matters for firewall design, connection security, Always On availability groups, and diagnosing authentication failures.

application, mssql, sql-server, tds, database, windows, rfc

VPN — Virtual Private Networks

VPN

A VPN creates an encrypted tunnel over an untrusted network, making remote systems appear as if they are on the local network. Understanding what a VPN actually does — and what it does not — separates it from the marketing around it and frames why the underlying protocols (IPsec, SSL/TLS, WireGuard) matter.

application, vpn, tunnel, encryption, remote-access, site-to-site, ipsec, ssl-vpn

SSL VPN — Remote Access over TLS

SSL-VPN

SSL VPN uses TLS to create VPN tunnels that work through any HTTPS-capable firewall — no special ports to open, no IPsec negotiation to troubleshoot. Cisco AnyConnect, Palo Alto GlobalProtect, and Fortinet SSL VPN all use this approach for remote access, and understanding how they work explains why they succeed where IPsec struggles with NAT.

application, ssl-vpn, tls, anyconnect, remote-access, clientless, dtls

IPsec VPN — IP Security Protocol

IPSEC-VPN

IPsec is the standard for site-to-site VPNs and many remote access deployments. It operates at the network layer, encrypting and authenticating IP packets directly — making it transparent to applications. Understanding IKEv2, ESP, tunnel vs transport mode, and the Phase 1/Phase 2 negotiation is essential for building and troubleshooting any router or firewall VPN.

application, ipsec, vpn, ikev2, esp, ah, site-to-site, rfc7296

DMVPN — Dynamic Multipoint VPN

DMVPN

Cisco DMVPN solves the hub-and-spoke scaling problem of traditional site-to-site VPNs. Instead of configuring a tunnel between every pair of sites, DMVPN uses a single hub configuration and allows spokes to dynamically discover each other and build direct spoke-to-spoke tunnels on demand — dramatically reducing configuration complexity and improving performance for multi-site networks.

application, dmvpn, vpn, cisco, gre, nhrp, ipsec, hub-spoke