7 Networking Questions That Instantly Expose Beginners in Cybersecurity Interviews
If you can’t answer these 7 networking questions properly, you don’t understand cybersecurity yet. Here’s how to think beyond definitions, and start answering like a professional.
I still remember the moment I realized how little I actually understood about networking.
It was back in school. I had studied for weeks. I knew what TCP was. I had memorized the OSI model layers. I even felt good about it.
Then my professor asked me a simple question:
“Can you explain what actually happens during a three-way handshake, and why it matters from a security perspective?”
I answered something like: “SYN, SYN-ACK, ACK.”
Silence.
That’s not an explanation. That’s three acronyms.
And that’s the difference between memorizing networking and actually understanding it.
And since networking is one of the key domains in cybersecurity, you need to actually understand it.
Here are the 7 networking questions that expose that gap, and what a strong answer actually looks like.
‼️ Warning: CC, Security+, and CISSP relevant topic!
Why Networking Questions Are Different
Most beginners study cybersecurity tools.
Firewalls. IDS. SIEM. Endpoint protection.
But tools sit on top of networks.
If you don’t understand how networks actually work, how data moves, where it comes from, and where it goes, you don’t really understand what those tools are protecting.
And interviewers know that.
That’s why networking questions aren’t just knowledge checks.
They’re a test of how you think.
If you’re not familiar with the basics of network protocols yet, I recommend reading this first: Top 5 Most Important Network Protocols for Cybersecurity Beginners
‼️ Free Resource 🚨
If you’re just starting out in cybersecurity, I know how overwhelming it feels to figure out what to learn first.
I’ve been there.
That’s why I created a free 80-page guide covering the 10 cybersecurity concepts behind 90% of entry-level interview questions.
👉 Download it for free: decodedsecurity.gumroad.com/l/Top10_Cybersecurity_Concepts
Question 1: “What’s the difference between TCP and UDP?”
This question sounds basic.
That’s the point.
It’s a filter. If you can’t explain this clearly and connect it to security, the interviewer already knows the next questions will be harder for you.
Where beginners go wrong:
They answer with a definition.
“TCP is connection-oriented. UDP is connectionless.”
Technically correct. Completely forgettable.
What a strong answer sounds like:
Think of TCP like a phone call. Before either person says a word, you both confirm the other is there. If the call drops, you know immediately.
UDP is more like leaving a voicemail. You send it and assume it arrived. No confirmation.
That difference matters a lot in security.
Then you can simply continue with how it matters to cybersecurity:
TCP’s connection process is exactly what SYN flood attacks exploit: attackers send thousands of connection requests that they never complete, overwhelming the server with half-open connections.
UDP, because it has no handshake, gets abused in DNS amplification attacks, where small requests generate massive responses that flood a target with traffic.
I cover TCP and UDP in depth here: Top 5 Most Important Network Protocols for Cybersecurity Beginners
Question 2: “Walk me through what happens when you type google.com into your browser.”
This is the most comprehensive networking question.
It covers DNS, TCP, IP addressing, HTTP, and TLS. All in one answer.
Interviewers use it to see how deep your knowledge actually goes.
Where beginners go wrong:
“The browser looks up the IP address and loads the page.”
That’s one sentence. There are at least ten distinct steps happening.
What a strong answer sounds like:
First, your browser checks its local DNS cache. If it doesn’t know the IP address for google.com, it asks your operating system, which checks its own cache, then forwards the request to your DNS resolver.
The resolver works through the DNS hierarchy: root servers, then TLD servers for .com, then Google’s authoritative name servers, until it gets the IP address back.
Now your browser has an IP.
It uses TCP to connect with the target by sending a SYN, receiving a SYN-ACK, and confirming with an ACK.
If it’s HTTPS, a TLS handshake happens next. Certificates are exchanged, encryption is negotiated, and a secure session is established.
Then the HTTP request goes through, the server responds, and your browser renders the page.
Every single step in that process is a potential attack surface.
DNS can be poisoned. Certificates can be forged. The TCP handshake can be exploited.
This answer shows you understand where things can go wrong, not just that they usually go right.
Want to understand the DNS part of this in detail? Read this: This Is How I Explain DNS To Beginners
Do you find this article useful? Give it a like, it helps me understand what topics to cover next!
Question 3: “What is a subnet mask and why does it matter?”
Subnetting confuses more beginners than almost any other networking topic.
Not because it’s impossibly hard, but because most people memorize the formula without understanding what it’s actually doing.
Where beginners go wrong:
“255.255.255.0 means a /24 subnet.”
Okay. But why? And what does that have to do with security?
What a strong answer sounds like:
Think of a city divided into neighborhoods. The subnet mask is what defines those neighborhood boundaries.
It tells a device: “These addresses are local, talk to them directly. Those addresses are outside your network, send that traffic to the router.”
A /24 subnet mask means the first 24 bits define the network. The last 8 bits identify individual devices. That gives you 254 usable host addresses within that network.
From a security perspective, this is the foundation of network segmentation.
In a well-designed network, your servers, workstations, IoT devices, and guest Wi-Fi are all on separate subnets.
Why?
Because if an attacker compromises a guest laptop, the subnet boundary limits how far they can move. They can’t simply reach your file servers. The network is divided by design.
That’s not just a networking concept. That’s the principle of least privilege applied to infrastructure.
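To make the subnet answer concrete, here is an added example (my own code, not from the article) that uses Python’s standard ipaddress module to do what the answer describes: split an address into network and host bits, make the “local or router?” decision, and check a segmentation policy. The 10.0.x.0/24 segments and the policy table are constructed for the example.

```python
import ipaddress

# Constructed example layout: the four segments the answer names,
# each on its own /24 (addresses are made up for the example).
SEGMENTS = {
    "servers":      ipaddress.ip_network("10.0.10.0/24"),
    "workstations": ipaddress.ip_network("10.0.20.0/24"),
    "iot":          ipaddress.ip_network("10.0.30.0/24"),
    "guest":        ipaddress.ip_network("10.0.40.0/24"),
}

# Hypothetical policy: which (source segment, destination segment) pairs the
# router/firewall between segments permits. Anything not listed is blocked.
POLICY = {
    ("workstations", "servers"),
    ("workstations", "workstations"),
    ("servers", "servers"),
    ("guest", "internet"),
}


def describe(cidr: str) -> dict:
    """Split an IPv4 address/prefix into the pieces the subnet mask defines."""
    net = ipaddress.ip_network(cidr, strict=False)   # strict=False accepts a host address
    host_bits = net.max_prefixlen - net.prefixlen
    # Network and broadcast addresses are reserved for prefixes up to /30.
    usable = net.num_addresses - 2 if net.prefixlen <= 30 else net.num_addresses
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "prefix": net.prefixlen,
        "host_bits": host_bits,
        "broadcast": str(net.broadcast_address),
        "usable_hosts": usable,
    }


def next_hop(src: str, dst: str, prefixlen: int) -> str:
    """The decision the mask drives on a host: deliver directly or hand to the router."""
    local_net = ipaddress.ip_interface(f"{src}/{prefixlen}").network
    return "direct" if ipaddress.ip_address(dst) in local_net else "router"


def segment_of(ip: str) -> str:
    """Name of the segment an address belongs to; 'internet' if outside all of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"


def is_allowed(src: str, dst: str) -> bool:
    """Segmentation check: may traffic from src reach dst under POLICY?"""
    return (segment_of(src), segment_of(dst)) in POLICY


if __name__ == "__main__":
    print(describe("192.168.1.77/24"))
    print(next_hop("192.168.1.10", "192.168.1.20", 24), next_hop("192.168.1.10", "192.168.2.20", 24))
    # A compromised guest laptop trying to reach a file server, versus a staff workstation
    print("guest -> servers:", is_allowed("10.0.40.9", "10.0.10.8"))
    print("workstation -> servers:", is_allowed("10.0.20.5", "10.0.10.8"))
```

The point of is_allowed is that the subnet boundary by itself only decides whether a packet goes to the router; it is the policy enforced at that router (or firewall) that turns segmentation into a security control.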
For more on private IP addresses, public addresses, and how network segmentation works in practice, read this: Why Most Beginners Don’t Understand How Networks Actually Work
Question 4: “What’s the difference between a hub, a switch, and a router?”
This one catches people who only studied software-side security.
Network defenders need to understand how traffic flows at the hardware level. This is where attacks become visible, or invisible.
Where beginners go wrong:
Treating all three as “things that connect computers to a network.”
They have fundamentally different behaviors. And those differences change how attacks work.
What a strong answer sounds like:
A hub is the least intelligent device. It receives data on one port and broadcasts it to every other port. Every device on the network sees every packet, even packets not meant for them.
A switch is smarter. It learns which device is connected to which port by tracking MAC addresses. When data arrives, it sends it only to the correct port. Traffic is contained.
A router operates at a different level entirely. It works with IP addresses, not MAC addresses, and it connects different networks together. Your home router connects your local network to the internet.
Here’s why that matters for security.
In a hub-based network, any device can capture all traffic passively, using nothing more than a tool like Wireshark. No special access needed.
Switches replaced hubs to solve exactly this problem.
But even on switched networks, an attack called ARP poisoning can trick the switch into flooding traffic everywhere, recreating hub-like behavior for an attacker who knows what they’re doing.
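Here is an added toy model (my code, not the article’s) of the hub-versus-switch difference: the hub repeats every frame everywhere, while the switch builds a MAC table and delivers known unicast to one port only, flooding just broadcast and unknown destinations. It also includes a simplified version of switch port security, a limit on how many source MACs one port may present, which is one of the controls defenders use to notice when a port starts behaving unlike a single host. The MAC addresses and port names are constructed.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """Repeats every frame out of every other port: every host sees every packet."""

    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, in_port, frame):
        return sorted(p for p in self.ports if p != in_port)


class Switch:
    """Learns which MAC lives behind which port and forwards only there.

    max_macs_per_port is a toy version of port security: a port that presents
    more source MACs than expected is flagged and its new frames are dropped
    instead of learned.
    """

    def __init__(self, ports, max_macs_per_port=2):
        self.ports = list(ports)
        self.cam = {}                 # MAC address -> port (the MAC/CAM table)
        self.max_macs_per_port = max_macs_per_port
        self.violations = []          # (port, mac) events for the SOC to look at

    def forward(self, in_port, frame):
        src, dst = frame["src"], frame["dst"]
        # Learning phase: note which port the source MAC sits behind.
        if src not in self.cam:
            already_here = sum(1 for p in self.cam.values() if p == in_port)
            if already_here >= self.max_macs_per_port:
                self.violations.append((in_port, src))
                return []             # port security: drop, do not learn
            self.cam[src] = in_port
        # Forwarding phase: known unicast goes to one port; broadcast and
        # unknown destinations are flooded to every other port.
        if dst != BROADCAST and dst in self.cam:
            return [self.cam[dst]]
        return sorted(p for p in self.ports if p != in_port)


def demo():
    """Run the same frames through a hub and a switch; return who received them."""
    ports = ["p1", "p2", "p3", "p4"]
    hub, sw = Hub(ports), Switch(ports, max_macs_per_port=2)
    a, b = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02"   # constructed MACs
    out = {}
    out["hub"] = hub.forward("p1", {"src": a, "dst": b})          # everyone sees it
    out["unknown_dst"] = sw.forward("p1", {"src": a, "dst": b})   # b unknown: flooded
    out["reply"] = sw.forward("p2", {"src": b, "dst": a})         # a already learned
    out["known_dst"] = sw.forward("p1", {"src": a, "dst": b})     # contained to p2
    # Constructed anomaly: five different source MACs show up on p4 in a row,
    # the condition the port-security limit exists to catch.
    for i in range(5):
        sw.forward("p4", {"src": f"de:ad:be:ef:00:{i:02x}", "dst": b})
    out["violations"] = len(sw.violations)
    out["cam"] = dict(sw.cam)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the very first frame on the switch is flooded exactly like on a hub: containment only starts once the MAC table has been populated, which is why anything that disturbs that table (the ARP-level tricks mentioned above) matters so much to a defender.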
Want to understand how these devices fit into the bigger picture of network architecture? I cover hubs, switches, routers, proxies, and more in detail here: What Are the Things That Keep Our Networks Alive?
Question 5: “What is a firewall and what can’t it do?”
Everyone can answer the first half.
The second half is where most beginners stop cold.
And stopping there tells the interviewer that you see security tools as magic boxes — not as components with specific, bounded functions.
Where beginners go wrong:
“A firewall filters traffic based on rules.”
True. But incomplete.
What a strong answer sounds like:
A firewall is like a security checkpoint at the entrance of a building. It inspects what’s coming in and going out based on an approved list: IP addresses, ports, protocols.
Traditional firewalls are excellent at enforcing those perimeter rules. Block all incoming traffic on port 23 (Telnet)? Easy. Allow only HTTPS on port 443? Done.
But here’s what a firewall cannot do.
It cannot inspect encrypted traffic without special capabilities. If an attacker is communicating over HTTPS port 443, the firewall sees a valid connection — it has no visibility into what’s inside.
It cannot stop insider threats. It cannot detect stolen credentials being used correctly. It has no visibility into attacks that originate from inside the network.
This is why a firewall alone is never enough.
Understanding the limits of a control is what separates a security professional from someone who just passed a certification exam.
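The following added example (my code, not the article’s) is a minimal first-match packet filter. It enforces the kind of rules the answer lists, and its demo shows the blind spots in the same breath: the filter decides on source, destination, protocol and port only, so an outbound HTTPS connection to an unknown host and a workstation reaching the file server over an allowed path both look fine to it. The addresses, rule set and host roles are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int          # note: no payload field; a packet filter never sees one


@dataclass(frozen=True)
class Rule:
    action: str         # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))


def evaluate(rules, pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; unmatched traffic gets the default policy."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed topology: web server 10.0.10.8 and file server 10.0.10.9 on the
# server segment, staff workstations on 10.0.20.0/24, everything else outside.
PERIMETER = [
    Rule("deny", proto="tcp", dport=23),                                             # no Telnet anywhere
    Rule("allow", dst="10.0.10.8/32", proto="tcp", dport=443),                       # public HTTPS
    Rule("allow", src="10.0.20.0/24", dst="10.0.10.9/32", proto="tcp", dport=445),   # SMB from staff
    Rule("allow", src="10.0.0.0/8", proto="tcp", dport=443),                         # staff may browse HTTPS
]


def demo() -> dict:
    """Decisions the checkpoint makes, including the ones it gets 'right' but blind."""
    cases = {
        "inbound_https": Packet("203.0.113.7", "10.0.10.8", "tcp", 443),
        "inbound_telnet": Packet("203.0.113.7", "10.0.10.8", "tcp", 23),
        "inbound_ssh": Packet("203.0.113.7", "10.0.10.8", "tcp", 22),
        # Indistinguishable from normal browsing: headers say HTTPS, payload is opaque.
        "outbound_https_to_unknown_host": Packet("10.0.20.5", "198.51.100.3", "tcp", 443),
        # Valid (possibly stolen) credentials over an allowed path: the rules cannot tell.
        "staff_to_fileserver": Packet("10.0.20.5", "10.0.10.9", "tcp", 445),
    }
    return {name: evaluate(PERIMETER, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:32s} {decision}")
```

Everything the filter can know is in the Packet dataclass, and there is no payload or identity field in it. That is the whole “what can’t it do” answer in one data structure: encrypted content, insider activity and correctly used stolen credentials all arrive as packets whose headers match an allow rule.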
Not all firewalls work the same way, though. Packet filtering, stateful, proxy, and next-generation firewalls each have different capabilities — and different blind spots. I break them all down here: The Complete Guide to Firewall Types: From Packet Filters to Next-Gen
Are you preparing for a cybersecurity interview or certification? Let me know in the comments! I’d love to know what topics would help you most!
Question 6: “What is the difference between IDS and IPS?”
These two tools get confused constantly.
Even by people who have been in IT for years.
Where beginners go wrong:
“IDS detects threats. IPS prevents them.”
That’s the one-liner. It’s correct but empty.
What a strong answer sounds like:
An IDS (Intrusion Detection System) is a passive observer. It watches network traffic, compares it against known patterns and signatures, and raises an alert when something looks suspicious. It sees everything. It stops nothing.
An IPS (Intrusion Prevention System) is an IDS with authority. It sits inline on the network, meaning all traffic has to pass through it. When it detects a threat, it can drop the packet, block the connection, or quarantine the source. In real time.
Think of it this way: an IDS is a security camera. An IPS is a security camera with a locked door attached to it.
Now here’s the part most beginners miss.
An IPS sounds strictly better. So why would you ever choose detection without prevention?
Because an IPS carries real risk. False positives on an IDS generate alerts. False positives on an IPS block legitimate traffic. A misconfigured IPS can take down business-critical applications.
In sensitive environments, an IDS is sometimes the right choice precisely because it cannot accidentally break things while it watches.
Knowing when not to use a control is as important as knowing what the control does.
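To show the IDS/IPS trade-off rather than just state it, here is an added example (my code, not from the article): the same signature engine run over a few constructed flow-log lines in “ids” mode (alert, deliver everything) and in “ips” mode (alert, drop on match). One of the signatures is deliberately written too broadly, so the IPS run blocks a legitimate admin request while the IDS run only logs it. The log format, the signatures and the addresses are all constructed for the example.

```python
# Constructed, simplified flow log: one line per connection, key=value fields.
TRAFFIC = [
    "src=10.0.40.9 dst=10.0.10.8 proto=tcp sport=51000 dport=23 len=60 uri=-",
    "src=198.51.100.3 dst=10.0.20.5 proto=udp sport=53 dport=40021 len=3200 uri=-",
    "src=10.0.20.5 dst=10.0.10.8 proto=tcp sport=51001 dport=443 len=900 uri=/admin/reports",
    "src=10.0.20.6 dst=10.0.10.8 proto=tcp sport=51002 dport=443 len=700 uri=/products?id=42",
]


def parse(line: str) -> dict:
    """Turn 'k=v k=v ...' into a dict of string fields."""
    return dict(field.split("=", 1) for field in line.split())


# Signatures: (name, predicate over the parsed fields). The third is written
# deliberately broad, the kind of rule that produces false positives.
SIGNATURES = [
    ("telnet_attempt", lambda f: f["proto"] == "tcp" and f["dport"] == "23"),
    ("oversized_dns_reply", lambda f: f["proto"] == "udp" and f["sport"] == "53" and int(f["len"]) > 1000),
    ("admin_path_access", lambda f: f["uri"].startswith("/admin")),
]


def inspect(line: str) -> list:
    """Names of every signature the line matches (empty list = clean)."""
    fields = parse(line)
    return [name for name, hit in SIGNATURES if hit(fields)]


def run(lines, mode: str) -> dict:
    """mode='ids': alert and let everything through. mode='ips': alert and drop on match."""
    if mode not in ("ids", "ips"):
        raise ValueError(f"unknown mode: {mode}")
    alerts, delivered = [], []
    for line in lines:
        hits = inspect(line)
        if hits:
            alerts.append((line, hits))
            if mode == "ips":
                continue          # inline device: the packet never reaches its destination
        delivered.append(line)
    return {"alerts": alerts, "delivered": delivered}


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        r = run(TRAFFIC, mode)
        print(f"{mode.upper()}: {len(r['alerts'])} alerts, "
              f"{len(r['delivered'])} of {len(TRAFFIC)} lines delivered")
        for line, hits in r["alerts"]:
            print("   ", hits, "<-", line)
```

Both modes raise the same three alerts; the difference is that the IPS also withholds the third line, which is an administrator doing their job. Before turning a signature from alert-only into blocking, a practitioner would run it in IDS mode for a while and look at exactly that kind of hit.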
Question 7: “What happens during a three-way handshake?”
And finally, let’s go back to the original question!
This question appears in almost every entry-level and mid-level security interview.
And answering it poorly is a red flag, because the follow-up questions about attacks build directly on top of it.
Where beginners go wrong:
“SYN, SYN-ACK, ACK.”
Three acronyms are not an explanation.
What a strong answer sounds like:
The three-way handshake is how TCP establishes a reliable connection before any data is sent. It’s the mutual agreement that both sides are ready to communicate.
Step one: the client sends a SYN packet to the server. It’s saying: “I want to connect, and here’s my starting sequence number.”
Step two: the server responds with a SYN-ACK. “Got it. I’m ready. Here’s my sequence number.”
Step three: the client sends an ACK back. “Confirmed. Let’s communicate.”
Now, both sides have synchronized sequence numbers, and a connection is established.
Here’s why this matters from an attack perspective.
A SYN flood attack exploits step one.
An attacker sends thousands of SYN packets, often from spoofed IP addresses, and never sends the final ACK.
The server keeps allocating memory and resources, waiting for confirmations that never arrive.
Eventually, it runs out of capacity to handle legitimate connections.
This is a classic denial-of-service technique.
And understanding the handshake is exactly what makes the attack make sense.
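The added example below (my code, not the article’s) is an in-memory model of the server side of the handshake, and it ties Question 1 and Question 7 together. A toy listener keeps half-open connections in a bounded backlog; once it fills with SYNs that are never acknowledged, a well-behaved client can no longer connect. The same listener with a SYN-cookie style option computes its initial sequence number from the connection tuple with a keyed hash instead of storing anything, so the backlog never fills. The cookie here is a simplification for teaching (real SYN cookies also encode MSS and a timestamp); the addresses, ports and sequence numbers are constructed, and no real packets are sent.

```python
import hashlib
import hmac
import os
import random


class Server:
    """Toy TCP listener: tracks half-open connections in a bounded backlog."""

    def __init__(self, backlog=8, syn_cookies=False):
        self.backlog = backlog
        self.syn_cookies = syn_cookies
        self.half_open = {}       # (client_ip, client_port, client_isn) -> server_isn
        self.established = set()  # (client_ip, client_port)
        self.dropped_syns = 0     # SYNs refused because the backlog was full
        self.secret = os.urandom(16)

    def _cookie(self, client_ip, client_port, client_isn):
        """Stateless ISN: derived from the tuple with a keyed hash, not stored (simplified)."""
        msg = f"{client_ip}:{client_port}:{client_isn}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")

    def on_syn(self, client_ip, client_port, client_isn):
        """Steps 1 and 2: receive SYN, answer SYN-ACK. Returns the server ISN, or None if refused."""
        key = (client_ip, client_port, client_isn)
        if self.syn_cookies:
            return self._cookie(*key)          # nothing allocated per SYN
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1             # backlog full: even honest clients are refused
            return None
        server_isn = random.getrandbits(32)
        self.half_open[key] = server_isn       # memory held until the ACK arrives
        return server_isn

    def on_ack(self, client_ip, client_port, client_isn, ack_num):
        """Step 3: the final ACK must acknowledge server_isn + 1."""
        key = (client_ip, client_port, client_isn)
        if self.syn_cookies:
            expected = self._cookie(*key)      # recompute instead of looking up
        else:
            expected = self.half_open.get(key)
            if expected is None:
                return False
        if ack_num != (expected + 1) % 2**32:
            return False
        self.half_open.pop(key, None)
        self.established.add(key[:2])
        return True


def handshake(server, ip, port, isn):
    """A well-behaved client completes all three steps."""
    server_isn = server.on_syn(ip, port, isn)
    if server_isn is None:
        return False
    return server.on_ack(ip, port, isn, (server_isn + 1) % 2**32)


def simulate(syn_cookies, half_open_syns=50):
    """Constructed scenario: many unanswered SYNs, then one legitimate client."""
    srv = Server(backlog=8, syn_cookies=syn_cookies)
    for i in range(half_open_syns):
        srv.on_syn(f"198.51.100.{i % 250}", 40000 + i, i)   # SYNs whose ACK never comes
    legit = handshake(srv, "10.0.20.5", 51515, 12345)
    return {
        "half_open": len(srv.half_open),
        "dropped_syns": srv.dropped_syns,
        "legit_connected": legit,
    }


if __name__ == "__main__":
    print("quiet server:", handshake(Server(), "10.0.20.5", 51515, 1))
    print("backlog only:", simulate(syn_cookies=False))
    print("SYN cookies: ", simulate(syn_cookies=True))
```

The two simulate runs show the whole story in two dictionaries: with a plain backlog the server ends up holding eight half-open entries, refuses every later SYN including the honest one, and the legitimate client never connects; with cookies nothing is held per SYN, so the same traffic changes nothing for the honest client.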
I cover TCP in detail as part of this article: Top 5 Most Important Network Protocols for Cybersecurity Beginners
Conclusion
Read through those seven questions again.
Notice what every strong answer has in common.
It’s not just technical accuracy.
Every answer connects the concept to a security implication. Every answer shows the interviewer that the candidate isn’t just reciting a textbook.
They’re thinking like someone who has to defend a real network.
That’s what the interview is actually testing.
Not whether you memorized the right definition. But whether you can look at a protocol, a device, or a tool, and immediately see where it breaks, where it gets abused, and why it matters.
If you can do that consistently, you’re not a beginner anymore.
Key Takeaways
Here’s what I want you to remember:
Interviewers don’t want definitions. They want understanding.
Every networking concept has a security implication. Always connect the two.
TCP and UDP behave differently, and attackers exploit both.
Subnetting and IP addressing are the foundation of network segmentation.
Every security control has limits. Knowing those limits is what makes you dangerous.
The three-way handshake isn’t trivia. It’s the foundation of connection-based attacks.
Keep going. Foundations take time to build. But they never stop paying off.
‼️ Free Resource 🚨
If this article helped, I put together a free 80-page guide covering the 10 cybersecurity concepts behind 90% of entry-level interview questions.
It’s free. No catch.
👉 Download it here: decodedsecurity.gumroad.com/l/Top10_Cybersecurity_Concepts
Let’s Connect
If you want to collaborate, discuss, or just geek out over networking and cybersecurity, reach out:
Email: erich.winkler@decodedsecurity.com
LinkedIn: Erich Winkler
Gumroad community: Decoded Security
Start Here: Decoded Security Roadmap
Enjoyed this article? Like it or drop a comment. I’d love to hear your thoughts and questions!
Let’s learn and grow together!