First off, welcome!

As far as a learning 'order', I could answer that in so many ways.  However, I'd suggest that your immediate desire to go deeper in TCPIP is a wise choice.  IMHO, if you don't have a good understanding of protocols, communication in general, etc, it doesn't generally allow you to be well-rounded.  Knowledge of protocols and packet / traffic analysis is a solid and fundamental skill to have in your arsenal.

As for 'first' certifications, I'd lean towards eLearn Security's eCPPT, assuming you feel comfortable enough to dive in.  That cert is nice because it lays many if the foundational blocks, and then progresses nicely, while also allowing you some hands-on practice. While I've never taken the exam for it, I've reviewed the courseware for both the older and current revision, and Armando and his team have done a great job with it.

As far as area of security that you pursue, it's a matter of preference.  If you enjoy making things work in ways they shouldn't, pentesting is fun!  If you aren't as comfortable 'modifying' things, yourself, but can analyze what others have done, then malware analysis and / or forensics may be more to your liking.  Then there's more management positions / study tracks...  Just depends on you.

Regardless, keep us informed on how you choose to progress, and good luck!

Do you have any sort of home lab? It's going to be difficult to develop serious skills and retain knowledge simply by reading books. Get VMware Workstation or ESXi and a Technet subscription and create an AD environment with various Microsoft servers. Add in *nix servers, web apps, etc. as you desire.

Also, there are tons of great resources on blogs. Check out sites like Carnal 0wnage and Iron Geek. Recreate the setup and exploit the configuration. Always try to branch out and learn about something you're not already familiar with.

Hi everyone. Wow what awesome responses, guess I'll be hanging around here for a while. Thanks for being so kind to the newbie

Hayabusa - Thanks for your input. With regards to protocols I believe what you say about knowing the way things work in depth. I guess what I should start doing is learning how everything works at a deep level before I start worrying about how to break it in any significant way, as many security targeted books and courses will let me do. Without solid foundations any knowledge I gain will always have lots of holes that need fixing.

On that note, after TCP/IP - and then I'm assuming in depth knowledge of Windows & Linux, would you recommend any particular area? If nothing comes to mind don't worry, I imagine I've just flippantly given three area's with a huge amount of information in them which will take me quite a while to get through and bring up 10's of questions I will need to continue answering on my own

With certifications I'll defiantly check out eCPPT. I don't "need" certs in the sense I'm happy in the field I am currently in, but I find I learn well with a structured framework so I'll still look into it. Pen testing sounds the most fun but who knows with experience I may learn to enjoy something else! Thank you for your awesome response.

cd1zz - Thanks for breaking it down for me like that. It's just what I was after. Helps me see what area's are really useful and what are the 'core' foundations to pen testing. Don't get me wrong, I appreciate that ALL area's of knowledge are definitely useful, but with everything some are used more than others. I'll definitely be focusing on networking and web applications (TCP/IP study ftw!)

ajohnson - Just a range of VM machines I've set up myself. Windows XP, Metasploitable / Metasploitable v2, De-ICE Challenges, OWASP BWA - the basics. I'll check out what other labs people have set up and take that on board for what I can integrate myself Thanks for your reply.

m0wgli - Thanks for the links, I'll definitely check them out!

Thanks again everyone, really appreciate the quality posts and it helps me a lot more with the directions I'll be taking (Networking / Web App focus, studying the knowledge in depth first before worrying about security concerns, then studying security aspects while testing out practical knowledge in a VM lab.)

Cheers!

The advice in this thread is really good. I would also suggest at some point that you include some hardware in your lab, so you can understand how to exploit network protocols / network hardware... it's pretty fun showing a client you own their entire network.