Lesson 3.1: Network Fundamentals & Attack Surface | AP Cybersecurity
Topic 3.1: Network Fundamentals & Attack Surface
How data moves through networks, why every layer creates attack opportunities, and how understanding protocols and ports is the foundation for everything in network security.
- 3.1.1 — Learning Objectives(3 min)
- 3.1.2 — Why Networks Create Attack Surface(7 min)
- 3.1.3 — Essential Vocabulary & Exam Tips(10 min)
- 3.1.4 — The OSI Model: Seven Layers In Depth(12 min)
- 3.1.5 — TCP/IP, Ports & Protocols(10 min)
- 3.1.6 — Encapsulation & How Packets Actually Move(8 min)
- 3.1.7 — Real-World Case Studies(8 min)
- 3.1.8 — Defense Strategies(6 min)
- 3.1.9 — Worked Examples: Predict First(5 min)
- 3.1.10 — AP Exam Strategy(5 min)
- 3.1.11 — Frequently Asked Questions(3 min)
13.1.1 — Learning Objectives
By the end of this lesson, you will be able to:
- Name all seven OSI layers in order, describe each layer’s function, and identify the primary protocols and attack vectors associated with each layer
- Explain the TCP/IP four-layer model and map its layers to the corresponding OSI layers
- Identify at least 12 critical port numbers, their associated services, and the security risk each poses if left open unnecessarily
- Distinguish between TCP and UDP, explain when each is used, and identify the security implications of each protocol
- Explain encapsulation and describe how headers are added at each OSI layer as data travels from sender to receiver
- Define attack surface in the context of network security and apply attack surface reduction principles to Vantex Financial Group’s network
- Identify the OSI layer at which specific attacks and controls operate (e.g., ARP attacks at Layer 2, IP spoofing at Layer 3, TLS at Layer 4–5)
- Recognize the three most common AP exam traps on OSI model and protocol questions
23.1.2 — Why Networks Create Attack Surface
Every network communication protocol was designed to enable functionality — not to prevent attacks. HTTP was designed to transfer hypertext efficiently; the fact that it transmits credentials in plaintext was not a primary concern in 1991. DNS was designed to translate domain names to IP addresses; the fact that those responses can be forged was an accepted risk. TCP was designed to guarantee reliable delivery; the fact that its connection handshake can be exploited for denial-of-service was not fully anticipated.
This historical context matters because it explains why network security is hard: the protocols that run the internet were built for functionality, then retrofitted with security (HTTPS over HTTP, SFTP over FTP, SSH over Telnet). Every protocol is a potential attack vector. Every open port is an entry point. Every connected device is a node that could be compromised. The cumulative set of all these potential entry points is the network attack surface.
The Vantex Network Attack Surface
Vantex Financial Group’s primary data center runs approximately 847 servers, 2,400 endpoint devices, 14 network switches, 6 routers, and 3 internet-facing connections. Each of these represents part of the attack surface:
Internet-Facing Services
Every service accessible from the public internet is part of the external attack surface. Vantex’s online banking portal (HTTPS/443), client API endpoints, and email server (SMTP/IMAP) all accept connections from anywhere in the world.
Each externally-facing service must be hardened, patched, and monitored continuously because attackers can reach it without any prior access to the network.
Internal Network Services
Services accessible only within the internal network still contribute to the attack surface — once an attacker gains any foothold (phishing, supply chain, VPN credential theft), every internal service is a potential target.
Vantex’s transaction processing database, Active Directory, and internal file servers are internal-only but represent critical internal attack surface. Segmentation (covered in 3.4) limits which internal services an attacker can reach.
Open Ports
Every open port on every device is an attack vector. A server running SSH (port 22), RDP (port 3389), and a legacy FTP service (port 21) simultaneously has three entry points instead of one.
Vantex’s port hardening policy requires monthly audits of all listening ports. Any port not actively required by a documented business function is closed immediately. This is the network equivalent of least privilege.
The key insight: attack surface cannot be reduced to zero, but it can and must be minimized. Every unnecessary open port, every unused service, every unpatched protocol implementation expands the attack surface without adding business value. Network security starts with understanding the network at the protocol level — which is why the OSI model is not just academic theory, but a practical framework for identifying where attacks can enter and where controls should be placed.
Which definition of “attack surface” is MOST accurate?
33.1.3 — Essential Vocabulary & Exam Tips
| Term | Definition | Exam Trap / Critical Distinction |
|---|---|---|
| OSI Model | The Open Systems Interconnection model — a seven-layer framework that standardizes how different systems communicate over a network. Each layer has defined responsibilities and interacts only with the layers directly above and below it. | TRAP The OSI model has 7 layers. The TCP/IP model has 4. Do not confuse them. OSI Layer 3 = Network (IP). OSI Layer 4 = Transport (TCP/UDP). AP exam questions frequently ask “at which OSI layer does X occur?” |
| TCP (Transmission Control Protocol) | A connection-oriented Layer 4 protocol that guarantees reliable, ordered delivery of data through acknowledgments, sequencing, and retransmission of lost packets. Establishes connections via three-way handshake (SYN, SYN-ACK, ACK). | KEY TCP = reliable but slower. Used for HTTP(S), SSH, FTP, SMTP — applications where every byte must arrive correctly. The three-way handshake is the target of SYN flood DoS attacks (covered in 3.2). |
| UDP (User Datagram Protocol) | A connectionless Layer 4 protocol that sends data without establishing a connection or guaranteeing delivery. Faster than TCP but unreliable — packets may arrive out of order or not at all. | KEY UDP = fast but unreliable. Used for DNS (53), DHCP (67/68), streaming, VoIP, online gaming. DNS over UDP is the target of DNS amplification attacks. UDP has no handshake, so it is also used for UDP flood DoS attacks. |
| Port | A 16-bit number (0–65,535) identifying a specific process or service on a host. Well-known ports (0–1,023) are reserved for standard services. Registered ports (1,024–49,151) are assigned by IANA. Dynamic/ephemeral ports (49,152–65,535) are used for client-side connections. | TRAP A port number alone does not guarantee what service is running on it. An attacker can run an SSH server on port 80 or an HTTP server on port 22. Port numbers are conventions, not enforcement mechanisms. Port scanning tells you what is open, not what is running. |
| Protocol | A standardized set of rules governing how data is formatted, transmitted, and received between two systems. Protocols define both the structure of communications and the expected sequence of messages. | NOTE Every protocol was designed for functionality first. Security was added later (HTTPS = HTTP + TLS; SFTP = SSH + FTP). When the exam asks about a protocol’s security weakness, look for: unencrypted transmission, lack of authentication, or spoofable fields. |
| IP Address | A logical address assigned to a network interface, used at OSI Layer 3 for routing packets across networks. IPv4 uses 32-bit addresses (e.g., 192.168.1.1). IPv6 uses 128-bit addresses. | KEY IP addresses are Layer 3 (Network layer). MAC addresses are Layer 2 (Data Link layer). A question about IP address assignment is asking about Layer 3. A question about MAC address assignment or ARP is asking about Layer 2. |
| MAC Address | A hardware identifier assigned to a network interface card (NIC), used at OSI Layer 2 for communication within the same network segment. Format: six pairs of hexadecimal digits (e.g., 00:1A:2B:3C:4D:5E). The first three pairs identify the manufacturer (OUI). | KEY MAC addresses are Layer 2. They are used for communication on the local network segment. Routers strip MAC addresses when forwarding packets between networks — IP addresses survive routing but MAC addresses change at each hop. MAC spoofing attacks (Layer 2) differ from IP spoofing attacks (Layer 3). |
| Packet | A unit of data transmitted over a network. Contains a header (routing/control information) and a payload (the actual data). At different OSI layers, the encapsulated unit has different names: bit (L1), frame (L2), packet (L3), segment (L4), data (L5-7). | TRAP The correct term for data at each layer: L1=bits, L2=frames, L3=packets, L4=segments. “Packet” is commonly used generically for any unit of network data, but on the AP exam, the correct L3-specific term is packet and the L2-specific term is frame. |
| Encapsulation | The process of adding protocol headers (and sometimes trailers) as data moves down the OSI stack from sender to receiver. Each layer wraps the data from the layer above with its own header, treating the entire previous layer’s output as payload. | NOTE Encapsulation adds headers going down the OSI stack (sender side). De-encapsulation removes headers going up the stack (receiver side). Each layer only reads and processes its own header — it treats the content of higher layers as opaque payload. |
| DNS (Domain Name System) | A distributed hierarchical naming system that translates human-readable domain names (apcsexamprep.com) into IP addresses (93.184.216.34). Operates at Layer 7 (Application) and uses UDP port 53 for queries (TCP for larger responses and zone transfers). | KEY DNS uses UDP port 53. DNS is unauthenticated by default — responses can be forged (DNS spoofing/cache poisoning). DNSSEC adds cryptographic verification. DNS is one of the most attacked protocols because it is universally trusted and often not inspected by firewalls. |
Match each network zone to the correct OSI layer it primarily operates at.
43.1.4 — The OSI Model: Seven Layers In Depth
The OSI model is the most important conceptual framework in network security. Every network attack, every network control, and every protocol operates at a specific OSI layer. Understanding which layer is involved in a scenario determines which device handles the traffic, which protocol is responsible, and which controls are appropriate.
OSI vs. TCP/IP: The Model Comparison
The OSI model is the conceptual standard used in most security discussions, textbooks, and the AP exam. The TCP/IP model (also called the Internet model or DoD model) is what the actual internet is built on. Understanding both — and how they map to each other — is essential for AP exam questions that reference either model:
| TCP/IP Layer | Equivalent OSI Layers | Key Protocols | AP Exam Note |
|---|---|---|---|
| Application | OSI Layers 5, 6, 7 (Session + Presentation + Application) | HTTP, HTTPS, DNS, FTP, SMTP, SSH, Telnet, DHCP, SNMP | TCP/IP combines 3 OSI layers into one. When the exam says “Application layer” in a TCP/IP context, it covers all three OSI upper layers. |
| Transport | OSI Layer 4 (Transport) | TCP, UDP, QUIC | 1:1 mapping. TCP and UDP are here in both models. Port numbers live here. |
| Internet | OSI Layer 3 (Network) | IPv4, IPv6, ICMP, ARP (sometimes) | Called “Internet” in TCP/IP, “Network” in OSI. IP addressing and routing happen here. |
| Network Access | OSI Layers 1 & 2 (Physical + Data Link) | Ethernet, Wi-Fi (802.11), MAC addressing | TCP/IP combines Physical and Data Link. MAC addresses and switches live here. |
Which are valid components of a network topology diagram?
I. Physical devices (routers, switches, firewalls, servers)
II. Logical connections (VLANs, subnets, IP ranges)
III. Security boundaries (DMZ, internal zones, trust levels)
53.1.5 — TCP/IP, Ports & Protocols: The Security-Critical Reference
3.1.5a — Critical Ports Every Security Professional Must Know
Port numbers are the foundation of firewall rule writing, network traffic analysis, and attack identification. An analyst who sees unusual traffic on port 3389 from an external IP immediately knows this is RDP traffic — a potential remote desktop attack. An analyst seeing large outbound transfers on port 21 knows FTP is being used, which transmits credentials in plaintext.
| Port | Protocol | Service | Security Significance | Risk Level | Vantex Policy |
|---|---|---|---|---|---|
| 20/21 | TCP | FTP (File Transfer Protocol) | Transmits all data including credentials in plaintext. A network sniffer captures every username, password, and file transferred. Completely insecure on untrusted networks. | HIGH | Blocked at perimeter. SFTP (port 22) used for all file transfers requiring encryption. |
| 22 | TCP | SSH (Secure Shell) | Encrypted remote administration. Secure replacement for Telnet. Brute-force attacks are common against internet-facing SSH. Key-based authentication significantly stronger than passwords. | MEDIUM | Restricted to management VLAN only. Key-based auth enforced; password auth disabled. Port changed from 22 on internet-facing jump hosts. |
| 23 | TCP | Telnet | Unencrypted remote terminal access. Credentials, commands, and output all transmitted in plaintext. Should never be used on any production network. A legacy protocol with no legitimate modern use case. | HIGH | Blocked everywhere. Any device with port 23 open is flagged as critical vulnerability in monthly port audits. |
| 25 | TCP | SMTP (Email Sending) | Simple Mail Transfer Protocol. Used to send email between servers. Historically no authentication required — any server could send email claiming to be any sender. Open SMTP relays are exploited to send spam. | MEDIUM | Outbound SMTP restricted to authorized mail servers only. SPF, DKIM, DMARC records published to prevent spoofing. |
| 53 | UDP/TCP | DNS (Domain Name System) | Translates domain names to IP addresses. Responses are unauthenticated by default — can be forged (DNS spoofing). DNS amplification attacks use DNS servers to amplify DDoS traffic. Critical infrastructure for all internet-connected services. | HIGH | Internal DNS servers monitor for unusual query volumes. DNSSEC enabled on external zones. Outbound DNS restricted to authorized resolvers. |
| 80 | TCP | HTTP | Unencrypted web traffic. Any data including login credentials transmitted over HTTP is visible to anyone on the network path. Should be redirected to HTTPS. HTTP is still used for initial connections before TLS upgrade. | HIGH | HTTP automatically redirects to HTTPS. Port 80 only used for redirect; no content served over plain HTTP. |
| 443 | TCP | HTTPS | HTTP secured with TLS. Encrypts web traffic between client and server. The standard for all web communication involving sensitive data. TLS version and cipher suite selection affects security level. | LOW | All web services served over HTTPS only. TLS 1.3 required; TLS 1.0/1.1 disabled. HSTS headers enforced. |
| 445 | TCP | SMB (Windows File Sharing) | Server Message Block protocol for Windows file and printer sharing. Exploited by WannaCry (EternalBlue exploit). Should never be exposed to the internet. Internal use requires careful patch management. | HIGH | Blocked at perimeter firewall. Internal SMB monitored. SMBv1 disabled on all systems (SMBv1 is the version vulnerable to EternalBlue). |
| 3389 | TCP | RDP (Remote Desktop Protocol) | Microsoft Remote Desktop. High-value attacker target for gaining graphical desktop access to Windows systems. Brute-force attacks extremely common. BlueKeep (CVE-2019-0708) allowed unauthenticated RCE via RDP. Should never be exposed directly to the internet. | HIGH | Blocked at perimeter. Internal RDP only via VPN + MFA. Network-level authentication (NLA) enforced. All RDP sessions logged to SIEM. |
| 143/993 | TCP | IMAP/IMAPS (Email Retrieval) | Internet Message Access Protocol for retrieving email. Port 143 = unencrypted. Port 993 = encrypted (IMAPS). Credential brute-force attacks target email accounts for business email compromise (BEC) attacks. | MEDIUM | Only IMAPS (993) enabled. MFA required for all email access. Unusual login location/time triggers UEBA alert. |
3.1.5b — TCP vs. UDP: Security Implications
The choice between TCP and UDP is not arbitrary — it reflects a fundamental tradeoff between reliability and speed, with significant security implications for each. Understanding when each protocol is used tells you what attack vectors are relevant.
| Characteristic | TCP | UDP |
|---|---|---|
| Connection Model | Connection-oriented. Three-way handshake (SYN → SYN-ACK → ACK) establishes a connection before data transfer. Both sides must agree to communicate. | Connectionless. No handshake. Data is sent immediately without any prior agreement between sender and receiver. |
| Reliability | Guaranteed delivery. Lost packets are retransmitted. Packets are reassembled in order. Every byte arrives correctly or the sender is notified. | Best-effort delivery. Lost packets are not retransmitted. Packets may arrive out of order. No delivery guarantee. |
| Use Cases | Any application where data integrity is critical: web (HTTP/HTTPS), email (SMTP/IMAP), file transfer (FTP/SFTP), remote access (SSH/RDP), databases | Applications where speed matters more than perfection: DNS queries, DHCP, streaming media, VoIP, online gaming, SNMP monitoring |
| Key Attack Vectors | SYN flood (exhaust server’s half-open connection table), TCP session hijacking (forge sequence numbers to inject data), TCP RST attacks (terminate legitimate connections) | UDP flood (overwhelm with high-volume UDP packets), DNS amplification (small UDP DNS query returns large response, amplifying DoS traffic), DHCP starvation (exhaust DHCP address pool) |
| Header Size | Larger header (20–60 bytes) due to sequence numbers, acknowledgment numbers, and control flags | Smaller header (8 bytes): source port, destination port, length, checksum. Minimal overhead. |
Complete the network addressing fundamentals.
Every device on the internet is identified by a unique address (e.g., 192.168.1.50).
Every network interface card has a unique hardware identifier called a address (e.g., AA:BB:CC:DD:EE:FF).
A web server listens on 443 for HTTPS connections.
TCP and UDP are examples of transport layer s.
The network 10.20.0.0/16 defines a containing 65,534 usable addresses.
63.1.6 — Encapsulation: How Data Actually Travels
Encapsulation is the process by which each OSI layer wraps data from the layer above with its own header (and sometimes trailer), treating the upper layer’s entire output as a payload to be delivered. Understanding encapsulation explains why network attacks at one layer can affect all higher layers — and why defense-in-depth at the network level requires controls at multiple layers simultaneously.
Encapsulation as Data Moves Down the OSI Stack (Sender Side)
Why encapsulation matters for security: Each header in the encapsulation chain contains information that can be forged, inspected, or filtered. A firewall that only inspects Layer 3 IP headers cannot see the TCP port in the Layer 4 header or the HTTP request in the Layer 7 payload. An attacker who can manipulate the IP header (Layer 3) can set arbitrary source IP addresses (IP spoofing). A deep packet inspection (DPI) device that inspects all layers can detect malicious payloads in Layer 7 but introduces processing latency.
De-encapsulation on the receiver side: When the packet arrives at the destination, the process reverses. The physical layer converts signals to bits; the Data Link layer strips the Ethernet frame and verifies the Frame Check Sequence (FCS) for corruption; the Network layer strips the IP header and routes to the appropriate local process; the Transport layer strips the TCP header, handles reassembly of segments, and sends data to the correct application by port number; the Application layer receives the original data.
The Vantex HTTPS example: When a Vantex client accesses the online banking portal, their browser sends an HTTPS request. The data is encrypted by TLS (Presentation/Transport layer), wrapped in a TCP segment with destination port 443 (Transport), wrapped in an IP packet with the Vantex server’s IP as destination (Network), wrapped in an Ethernet frame with the client’s router’s MAC address as the Layer 2 destination (Data Link), and transmitted as electrical signals or radio waves (Physical). The Vantex perimeter firewall reads the IP header (Layer 3) to verify the destination is legitimate, and reads the TCP header (Layer 4) to confirm destination port 443 is permitted. The TLS payload (Layer 5/6) is not inspected at the firewall — it is decrypted and inspected only by the Vantex web application server.
This traffic pattern most likely indicates:
73.1.7 — Real-World Case Studies: Protocol Vulnerabilities in Practice
What happened: On October 21, 2016, attackers used a botnet of over 100,000 IoT devices (cameras, DVRs, routers with default credentials) running the Mirai malware to launch a massive DDoS attack against Dyn, a major DNS provider. The attack flooded Dyn’s DNS infrastructure with UDP traffic on port 53, preventing legitimate DNS resolution.
Impact: When Dyn’s DNS servers went offline, websites that relied on Dyn for DNS resolution became unreachable. Major services including Twitter, Netflix, Reddit, CNN, PayPal, Spotify, and hundreds of others were inaccessible for hours. The attack demonstrated that DNS — the phone book of the internet — is critical infrastructure whose availability underpins nearly all other internet services.
Why DNS? DNS uses UDP (port 53), which is connectionless. Every device on the internet queries DNS continuously. The protocol was designed in 1983 with no authentication and no built-in DDoS resistance. A sufficiently large botnet can overwhelm any DNS server with valid-looking but empty DNS queries, and the server must process each one before determining it is garbage.
OSI layer analysis: The attack operated at Layer 4 (Transport — UDP flooding) and Layer 7 (Application — DNS query flood). Defenses include rate limiting at Layer 4 (limit UDP query rate per source IP), anycast routing at Layer 3 (distribute DNS infrastructure globally so no single point is overwhelmed), and DNS-layer filtering (distinguish legitimate query patterns from attack patterns).
Network security lesson: Protocol infrastructure is attack surface. DNS, NTP, BGP, and other foundational protocols were built for reliability, not for adversarial environments. Organizations that depend on third-party DNS providers should configure secondary DNS providers and understand their own DNS dependencies.
What happened: WannaCry ransomware spread globally in May 2017 by exploiting EternalBlue — an NSA-developed exploit for a vulnerability in the Windows SMB protocol (port 445). It did not require any user interaction: it scanned for computers with port 445 exposed, exploited the vulnerability, encrypted files, and automatically spread to other accessible systems.
Scale: 230,000+ systems in 150 countries were infected within hours. The UK’s National Health Service was particularly devastated — hospitals cancelled appointments, ambulances were diverted, and critical patient data was inaccessible. Total estimated damage: $4–8 billion.
The protocol vulnerability: SMBv1 (Server Message Block version 1, running on TCP port 445) had a buffer overflow vulnerability in its handling of malformed packets. Microsoft had released a patch (MS17-010) two months before WannaCry, but many organizations had not applied it — particularly for legacy systems that could not easily be patched.
Attack surface reduction lesson: Port 445 (SMBv1) should never be exposed to the internet. Organizations that had firewalled port 445 at the perimeter and disabled SMBv1 internally were largely protected. Attack surface reduction — closing unnecessary ports and disabling vulnerable protocol versions — would have stopped WannaCry completely regardless of whether the patch was applied.
Scenario: Vantex’s monthly port audit scans all 847 servers and identifies three unexpected findings:
Finding 1: A development server has port 23 (Telnet) open. Investigation reveals a developer enabled it temporarily to troubleshoot a legacy application and never disabled it. The server is on the internal network but is accessible from the employee VLAN.
Finding 2: An externally-facing application server is responding on port 8080 (HTTP alternate port) in addition to port 443 (HTTPS). Port 8080 is serving the same application over unencrypted HTTP. The HTTPS configuration accidentally did not disable the HTTP fallback.
Finding 3: Three servers show port 445 (SMB) open and accessible from the guest Wi-Fi VLAN. These are internal file servers that were migrated to a new segment six months ago — the ACL rules were updated to allow access from the new segment but the guest VLAN restriction was never added.
Risk analysis: Finding 1: Telnet transmits credentials in plaintext — any employee on the same VLAN can capture the session. Finding 2: The HTTP service on port 8080 bypasses all TLS protections and allows credential interception. Finding 3: Guest Wi-Fi users (visitors, contractors) can access internal SMB file servers, potentially exploiting SMB vulnerabilities or accessing confidential files.
Remediation: Disable Telnet immediately (replace with SSH if remote access is needed). Disable port 8080; serve only HTTPS. Add ACL rule explicitly denying guest VLAN access to port 445 on file servers. All three are attack surface reduction actions.
Select ALL actions that reduce the attack surface.
83.1.8 — Defense Strategies: Network Hardening Fundamentals
| Defense | What It Does | Vantex Implementation |
|---|---|---|
| Port Hardening (Service Minimization) | Close all ports that are not explicitly required by an active business function. Every open port is potential attack surface; no open port should exist without documented justification. | Monthly automated port scan of all 847 servers. Any open port not on the approved service list triggers a P2 security ticket requiring closure within 5 business days or documented exception approval. |
| Disable Insecure Protocol Versions | Disable deprecated protocol versions that contain known vulnerabilities: TLS 1.0/1.1 (replaced by TLS 1.2/1.3), SSLv3, SMBv1 (EternalBlue), Telnet, FTP. Use the secure replacement protocol. | SMBv1 disabled on all Windows systems via Group Policy. TLS 1.0/1.1 disabled on all web services. Telnet blocked at network layer. FTP blocked; SFTP used for file transfer. |
| Replace Cleartext Protocols | Substitute encrypted alternatives for any protocol that transmits data in plaintext: HTTP → HTTPS, Telnet → SSH, FTP → SFTP, IMAP → IMAPS, SNMP v1/v2 → SNMP v3. | All administrative access via SSH only. All web traffic HTTPS only with HSTS. All file transfer via SFTP. SNMP v3 only on all network devices (v1/v2 disabled). |
| DNS Security (DNSSEC) | DNSSEC adds cryptographic signatures to DNS records, allowing resolvers to verify that DNS responses have not been tampered with. Prevents DNS spoofing and cache poisoning attacks that redirect users to attacker-controlled servers. | DNSSEC enabled and signed on all Vantex-owned DNS zones. Internal DNS resolvers validate DNSSEC signatures before returning results. DNS response rate limiting (RRL) configured to prevent DNS amplification from Vantex servers. |
| IP Address Management (IPAM) | Centrally track and manage all IP addresses, DHCP scopes, and DNS entries. Provides visibility into what is connected to the network and enables rapid identification of unauthorized devices. | All IP assignments tracked in centralized IPAM. Rogue DHCP detection alerts on unauthorized DHCP servers. IP address requests from unrecognized MAC addresses trigger security review. |
| Network Monitoring & Baseline | Establish baseline traffic patterns for the network and alert on deviations: unusual port usage, unexpected protocols, abnormal traffic volumes, new connections to unusual destinations. | NetFlow data collected from all routers and switches. Baseline established for normal traffic patterns per VLAN. Deviations of greater than 3 standard deviations trigger SIEM alert. Unexpected outbound connections to foreign IPs trigger immediate investigation. |
Match each service to its transport protocol.
93.1.9 — Worked Examples: Predict First, Then Classify
Map Each Action to an OSI Layer
Action 1 (port scanning via TCP SYN): TCP operates at Layer 4 (Transport). Port numbers are Layer 4 identifiers. This is a Layer 4 attack/technique.
Action 2 (ARP poisoning): ARP operates at Layer 2 (Data Link). MAC addresses are Layer 2 identifiers. This is a Layer 2 attack.
Action 3 (SQL injection via HTTP): HTTP operates at Layer 7 (Application). SQL injection is delivered through the application-layer HTTP request. This is a Layer 7 attack.
Identify the Control at Each Layer
Layer 4 (port scan): Firewall rules blocking inbound TCP SYN on non-approved ports; TCP SYN rate limiting; IDS signature for port scan detection.
Layer 2 (ARP poison): Dynamic ARP Inspection (DAI) on managed switches; static ARP entries for critical devices; VLAN segmentation limiting ARP broadcast domain.
Layer 7 (SQL injection): Input validation; parameterized queries; WAF rules detecting SQL injection patterns.
Action 1 = Layer 4, Action 2 = Layer 2, Action 3 = Layer 7. Each requires a different control at a different layer. This is why defense-in-depth at the network level requires controls at multiple OSI layers simultaneously. A firewall that only inspects Layer 3 IP headers (perimeter firewall) would not detect the Layer 2 ARP poisoning (same network segment) or the Layer 7 SQL injection (inside an allowed HTTPS connection).
Evaluate Each Service
Port 5432 (PostgreSQL): Required for database function. Should only be accessible from application servers and DBA workstations, not the management VLAN. Restrict with ACL. Keep open.
Port 22 (SSH): Required for remote administration. Should only be accessible from the management VLAN. Restrict with ACL. Keep open but constrained.
Port 161 (SNMP v2): SNMP v2 uses community strings (essentially plaintext passwords) and is vulnerable to interception. Upgrade to SNMP v3 (authentication + encryption) or disable and use a different monitoring approach. Medium risk if kept, but v2 should be replaced.
Port 8080 (HTTP test interface): No documented business function. Development artifact. Should not be running on a production database server. Disable immediately.
Close port 8080 immediately (no business justification, unencrypted). Replace SNMP v2 (161) with SNMP v3 or disable monitoring on this port. Restrict port 5432 via ACL to application server VLAN and DBA VLAN only (not management VLAN). Restrict port 22 via ACL to management VLAN only. This is attack surface reduction in practice: every port decision is justified by a specific business requirement, and ports without justification are closed.
Identify the error in this reasoning.
103.1.10 — AP Exam Strategy: Network Fundamentals Questions
Strategy 1: OSI Layer Identification
Every network question can be mapped to an OSI layer. Memorize the key associations:
- Layer 2: MAC addresses, ARP, switches, Ethernet frames, VLANs
- Layer 3: IP addresses, routing, routers, ICMP, IP spoofing
- Layer 4: TCP/UDP, port numbers, stateful firewalls, SYN flood
- Layer 7: HTTP/HTTPS, DNS, FTP, SSH, application content
- TLS is often placed at Layer 5/6 but test questions may accept Layer 4 for transport-level encryption
Strategy 2: Protocol Security Flags
When the exam names a protocol, immediately recall its security status:
- Plaintext (insecure): HTTP, FTP, Telnet, SMTP, SNMP v1/v2, IMAP (port 143)
- Encrypted (secure): HTTPS, SFTP, SSH, SMTPS, SNMPv3, IMAPS (port 993)
- Spoofable: DNS (no auth by default), ARP (no auth), IP source address
- High-risk ports: 21 (FTP), 23 (Telnet), 3389 (RDP), 445 (SMB), 53 (DNS amplification)
Strategy 3: The Three Fatal Traps
- Trap 1 — TCP/IP has 7 layers: Wrong. TCP/IP has 4 layers. OSI has 7. When the exam asks about layers, determine which model the question uses.
- Trap 2 — ARP is Layer 3: Wrong. ARP is Layer 2. It maps IP addresses (Layer 3) to MAC addresses (Layer 2), but it operates on the Data Link layer and is confined to the local segment.
- Trap 3 — IP address is Layer 2: Wrong. IP = Layer 3. MAC = Layer 2. Routers work at Layer 3; switches work at Layer 2.
Strategy 4: Attack-to-Layer Mapping
When the exam describes an attack, identify the layer to identify the control:
- ARP poisoning → Layer 2 → Dynamic ARP Inspection
- IP spoofing → Layer 3 → ingress filtering, uRPF
- SYN flood → Layer 4 → SYN cookies, rate limiting
- DNS spoofing → Layer 7 → DNSSEC
- SQL injection → Layer 7 → WAF, parameterized queries
- Port scanning → Layer 4 → firewall, IDS
The system that translates human-readable domain names to IP addresses is called .
DNS queries typically use UDP port .
The “crossroads.com” part of the URL is called the name.
DNS resolves dispatch.crossroads.com to a numeric that the app uses to connect.
?3.1.11 — Frequently Asked Questions
Q: Why does it matter which OSI layer an attack occurs at?
The OSI layer determines which devices handle the traffic, which protocols are involved, and which security controls can address the attack. A Layer 2 ARP poisoning attack occurs on the local network segment and is handled by switches — a perimeter firewall at Layer 3 cannot detect or prevent it because ARP traffic does not cross routers. A Layer 7 SQL injection occurs inside an application-layer HTTP request that appears completely legitimate at Layers 2, 3, and 4 — only a Layer 7 WAF or the application itself can detect it. Knowing the layer immediately tells you which control is needed and where it must be placed in the network architecture.
Q: What is the difference between TCP and UDP in terms of security risk?
TCP’s connection-oriented design (three-way handshake) provides a verifiable record that a connection was established, making TCP session hijacking possible but also making TCP flows easier to track and audit. The handshake can be exploited for SYN flood attacks by sending many SYN packets without completing the handshake. UDP’s connectionless design means there is no handshake to verify — any device can send UDP packets claiming to come from any source IP address (spoofing is trivial). This makes UDP ideal for amplification attacks (DNS amplification, NTP amplification) where the attacker spoofs the victim’s IP as the source, causing large UDP responses to be directed at the victim. Neither is universally “more secure” — they have different attack surfaces.
Q: Why is Telnet considered dangerous when SSH exists?
Telnet transmits every character you type — including your username, password, and all commands — as unencrypted plaintext. Any device on the same network segment can run a packet capture and read your entire session in real time. SSH encrypts the entire session using modern cryptographic algorithms, making interception useless to an attacker. There is no scenario where Telnet is an appropriate choice for any production system in the modern era. Even on internal networks (which many engineers assume are “safe”), any compromised device on the same segment can capture Telnet sessions. The performance difference between SSH and Telnet is negligible. Telnet’s only advantage — it is slightly simpler to implement on embedded devices — does not justify the security risk.
Q: I keep seeing ARP described as both a Layer 2 and Layer 3 protocol. Which is correct?
ARP is definitively a Layer 2 (Data Link) protocol, although it is operationally related to Layer 3 because it bridges the two layers. ARP answers the question: “I have this IP address (Layer 3) — what MAC address (Layer 2) should I use to send the frame?” The protocol operates on the local network segment, cannot cross routers, uses MAC addresses in its messages, and is processed by Layer 2 switches. The confusion arises because ARP involves IP addresses (Layer 3 entities). But involvement with IP addresses does not make ARP a Layer 3 protocol — it makes it a bridging protocol that is functionally associated with Layer 3 but operationally at Layer 2. On the AP exam: ARP = Layer 2.
Q: What is encapsulation and why do I need to understand it?
Encapsulation is the mechanism by which each OSI layer adds its own header to data received from the layer above, wrapping the entire upper-layer message as its payload. Understanding encapsulation is important for security because: (1) each header contains information that can be inspected, forged, or filtered; (2) security devices must decide how deep to inspect packets, with deeper inspection providing better security at the cost of performance; (3) attackers can hide malicious content at higher layers that lower-layer controls cannot see (SQL injection in Layer 7 HTTP is invisible to a Layer 3 firewall that only reads IP headers). When a WAF inspects HTTP request bodies, it is “de-encapsulating” all the way to Layer 7 to examine the actual application content.
Q: How does attack surface relate to the OSI model?
Attack surface in the context of the OSI model refers to the exposed interfaces at each layer. At Layer 1/2: every network port and Wi-Fi access point is physical attack surface. At Layer 3: every IP address that responds to packets is network attack surface. At Layer 4: every open TCP/UDP port is transport-layer attack surface. At Layer 7: every application endpoint (URL, API, email address) is application-layer attack surface. Reducing attack surface means closing unused ports (Layer 4), disabling unnecessary services (Layer 7), disabling unused network interfaces (Layer 1/2), and implementing ingress/egress filtering (Layer 3). Defense-in-depth at the network level means placing controls at multiple layers, because a complete attack chain typically traverses multiple layers from initial access to the ultimate target.
Which attack is this configuration MOST vulnerable to?
Tanner has taught AP Computer Science for 11+ years and built APCSExamPrep.com to give every student access to the same resources his own students use. He holds 1,845+ verified tutoring hours on Wyzant with a 5.0 rating from 451+ reviews. His AP CSA students score 5s at more than double the national average (54.5% vs. 25.5% nationally).
+Continue Learning
Practice what you learned, then move to the next topic in Unit 1:
Lesson → Exercise 1 → Exercise 2 → Lab → Quiz
Get in Touch
Whether you're a student, parent, or teacher — I'd love to hear from you.
Just want free AP CS resources?
Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.
Message Sent!
Thanks for reaching out. I'll get back to you within 24 hours.
Prefer email? Reach me directly at [email protected]