Free training - skill primer

Learn Network security for free

A free, source-cited path to learning defensive network security, practiced only on a machine and network you own — this is a learning path, not a certification and not a job guarantee. Network security is learned by protecting and monitoring your own systems, never by scanning or attacking anyone else's.

What it is

Network security is the defensive skill of protecting the access, traffic, services, and infrastructure of a network through secure design, controls, and monitoring. It is framed here strictly as defense: the goal is to keep confidentiality, integrity, and availability intact for the systems on a network, not to break into anything. The core building blocks are the controls that shape and inspect traffic — firewalls that permit or deny connections, network segmentation and VLANs that keep a compromise in one area from spreading, VPNs that protect data in transit, and IDS/IPS that watch for and react to suspicious patterns. Because these concepts apply to any network on any platform, the skill is broadly transferable: the same defensive design and monitoring habits underpin security-engineering, network-security, SOC-analyst, and network-administration work across employers and vendors.

The skill breaks into a few durable areas you can practice defensively on your own equipment. Access control at the network layer: writing firewall rules with a default-deny posture so only intended traffic is allowed. Segmentation: separating systems so that trust does not flow freely across a whole network. Secure protocols: understanding why encrypted protocols protect data in transit and where plaintext ones expose it. Monitoring and traffic analysis: capturing and reading packets to understand what is actually crossing a link, which is how defenders both learn normal behavior and spot anomalies. And knowing the common attacks — not to perform them, but so that you can recognize and defend against them. Building a default-deny firewall and reading your own captured traffic on a machine you own turns these ideas from abstract to concrete without ever touching a third party.

The most important discipline in learning network security is ethical and stays strictly defensive: you build the skill by hardening and monitoring systems and networks you own, never by scanning, probing, or attacking anyone else's. This primer sequences free, official-first-leaning resources — including a formal web-security learning lab that runs only against its own sandbox and vendor documentation for a packet analyzer — and gives you a first hands-on exercise that configures a host firewall and captures your own loopback traffic. Nothing here involves scanning or attacking any system, host, or network you do not control.

Why it matters

Network security is the shared baseline beneath security-engineering, network-security, SOC-analyst, and network-administration roles, because protecting a network's access, traffic, and services underlies nearly every decision in those fields. Firewalls, segmentation, secure protocols, and monitoring transfer across platforms and employers, so the defensive foundation compounds rather than tying you to one vendor's box.

The free path, in order

  1. Ground the vocabulary and the CIA framing. Learn precise terms (network, firewall, segmentation, IDS/IPS, VPN) from NIST's glossary and frame every control by which part of confidentiality, integrity, or availability it protects. Accurate vocabulary keeps your reasoning defensible.
  2. Learn firewalls and default-deny. Study how firewalls permit and deny traffic and why a default-deny posture (block everything, then allow only what is needed) is the safer baseline. Professor Messer's free Security+/Network+ videos walk these concepts clearly.
  3. Understand segmentation and secure protocols. Learn how VLANs and segmentation limit how far a compromise can spread, and why encrypted protocols protect data in transit where plaintext ones expose it. Map each idea to the defensive property it preserves.
  4. Read traffic with a packet analyzer. Learn to capture and read packets with Wireshark or tcpdump so you understand what actually crosses a link. Practice only on your own machine's traffic — this is how defenders learn normal behavior and spot anomalies.
  5. Study attacks in order to defend. Work through PortSwigger's free Web Security Academy, an attack-technique training platform (SQL injection, XSS, CSRF and more) that runs entirely inside its own legal sandbox. You practice the offensive techniques on their sandbox only in order to understand what defenders must protect against — never against any real or third-party system.
  6. Harden your own machine and verify. Configure a host firewall with default-deny on a machine you own, then verify with your own captured traffic that only intended connections get through. Change one rule at a time so you can tell what each rule does.

Best free resources

Every resource is free and dated. Official sources are labeled; vetted community resources are labeled separately. Verify a resource is still free on its own page before relying on it.

Try it (free, safe, hands-on)

Default-deny host firewall plus your own traffic capture

Practice two core defensive moves on a machine you own: configure a host firewall with a default-deny posture, and capture and read your own loopback traffic so you can see what a rule actually allows. Entirely defensive, entirely on your own system.

You will need: Your own Linux machine or a Linux VM you created (snapshot it first if it is a VM), with the built-in ufw firewall and tcpdump; A terminal on that machine (free, already present); Optionally Wireshark on your own machine to read the capture visually

  1. Snapshot your VM first if you are using one. Check the current firewall state with 'sudo ufw status' so you know your baseline before changing anything.
  2. Set a default-deny posture: 'sudo ufw default deny incoming' and 'sudo ufw default allow outgoing', then explicitly allow only what you need (for example 'sudo ufw allow 22' if you use SSH on this machine you own). Enable it with 'sudo ufw enable'.
  3. Confirm your ruleset with 'sudo ufw status verbose' and read it back — you should see incoming denied by default with only your explicit allow rules listed.
  4. Capture your own loopback traffic: in one terminal run 'sudo tcpdump -i lo -n', and in another generate traffic to yourself with 'ping -c 3 127.0.0.1'. Watch the packets appear in the capture.
  5. Read what you captured: identify the request and reply packets for your own ping and note the addresses and protocol. You are observing only traffic your own machine generated to itself.
  6. Clean up: reset the firewall with 'sudo ufw reset' if you want your baseline back, stop tcpdump, or simply revert your VM snapshot. Nothing here touched any host but your own.

What you should see: A host firewall you configured with a default-deny incoming posture and a readable ruleset, plus a packet capture of your own loopback ping showing the request and reply — both produced on a machine you own by commands you ran yourself.

Safety: This exercise is strictly defensive and stays entirely on a machine and network you own. Never scan, probe, or capture traffic on any network, host, or system you do not control, and capture only your own machine's traffic (loopback or your own interface). Use the PortSwigger labs only against their own provided sandbox.

Where this skill gets used

Certifications that test it: comptia-security-plus, isc2-sscp-systems-security-certified-practitioner, comptia-cysa-plus, comptia-pentest-plus, comptia-network-plus, cisco-ccna.

Roles that need it: Security engineer, Network security engineer, SOC analyst, Network administrator.

Sources

Every resource is free and dated; official-first, community clearly labeled. A skill primer is a free learning path, not a certification, not professional experience, and not a job or salary guarantee. This primer is strictly defensive; labs run only on a machine and network you own or the resources' own sandboxes. Born draft, pending human review.

All skill primers