Topic 3.1 Exercise 2: Network Architecture Analysis | AP Cybersecurity

Unit 3 • 3.1 • Exercise 2

Exercise 2 — Network Architecture Scenario Analysis

3 parts, 24 points — Analyze Crossroads Logistics’ network architecture, identify vulnerabilities, and recommend improvements

Score: 0 / 24Select answers and write analysis for each part
Client Organization
Crossroads Logistics

Crossroads Logistics operates a flat network (10.0.0.0/16) connecting 300 driver tablets, 50 dispatch workstations, 12 warehouse servers, a fleet GPS tracking system, and a customer-facing shipment portal. There are no VLANs, no DMZ, and no internal firewalls. A recent pen test found: (1) 147 open ports on the primary web server (needs only 3), (2) default admin/admin credentials on 8 network switches, (3) FTP used for driver manifest transfers, and (4) no DNS security of any kind.

Part A8 points
Attack Surface Analysis: The pen test found 147 open ports on a server that needs 3, default credentials on 8 switches, and FTP for manifest transfers.
A1. Select the MOST critical finding from the pen test:
A2. Explain why the finding you selected is more critical than the others. Include what an attacker could do with this access.
Key terms: switch, infrastructure, VLAN, redirect, mirror, intercept, flat network, no barrier, admin, control, configuration
Analysis: B is most critical. Default admin/admin on 8 switches gives an attacker complete control of network infrastructure — they can reconfigure VLANs, mirror all traffic to their device, redirect traffic, disable ports, or create backdoors. On a flat network with no internal firewalls, switch control = network control. The other findings are serious but require additional exploitation steps; default credentials require zero skill.
Exam Tip: When prioritizing findings, rank by: (1) skill required to exploit (default creds = zero), (2) scope of access gained (switch = entire network), (3) detection difficulty (switch configs rarely monitored).
Part B8 points
Network Architecture: Crossroads operates on a single flat /16 network with no segmentation. Driver tablets, dispatch workstations, warehouse servers, GPS tracking, and the customer portal all share the same broadcast domain.
B1. Select the PRIMARY risk of a flat network architecture:
B2. Design a VLAN segmentation plan for Crossroads. Name at least 4 VLANs and justify each.
Key terms: driver, tablet, dispatch, warehouse, server, GPS, customer, portal, DMZ, IoT, guest, isolate, trust, PCI, sensitive
Analysis: B is correct. Flat network = one broadcast domain = zero lateral movement barriers. A compromised driver tablet can scan and attack warehouse servers, GPS systems, and the customer portal. Recommended VLANs: VLAN 10: Driver tablets (untrusted mobile devices, limited to dispatch API). VLAN 20: Dispatch workstations (internal operations). VLAN 30: Warehouse servers (sensitive logistics data). VLAN 40: Customer portal in DMZ (public-facing, isolated from internal). VLAN 50: GPS/IoT (restricted outbound only to management server).
Exam Tip: When designing VLANs, group by trust level and data sensitivity: untrusted devices (drivers, guests), internal operations (dispatch), sensitive data (servers), public-facing (DMZ), and IoT (restricted). Each zone gets its own firewall rules.
Part C8 points
Protocol Security: Crossroads uses FTP (plaintext) for driver manifest transfers and has no DNS security. A MitM attacker on the flat network can capture FTP credentials and redirect DNS queries.
C1. Select the correct protocol replacement for FTP:
C2. Write a 3-step protocol migration plan that addresses both FTP and DNS vulnerabilities.
Key terms: SFTP, SSH, encrypt, credentials, transit, DNSSEC, sign, verify, tamper, spoof, DoH, DoT, migrate, disable, FTP, port 21, block
Analysis: B (SFTP) is correct. Migration plan: Step 1: Deploy SFTP servers and migrate all driver manifest transfers from FTP to SFTP — encrypts credentials and file content in transit. Step 2: Block FTP (port 21) on all firewalls after migration — prevents fallback to insecure protocol. Step 3: Implement DNSSEC on authoritative DNS servers and configure clients for DNS over HTTPS (DoH) — prevents DNS spoofing and query eavesdropping.
Exam Tip: Protocol migration is always 3 steps: deploy the secure replacement, migrate traffic, then BLOCK the insecure protocol. If you deploy SFTP but leave FTP enabled, users will drift back to the easier (insecure) option.
Total Points
Lab 3.1 →Course Hub
← Exercise 1Lab 3.1 →
AP Cybersecurity 3.1 Exercise 2 | APCSExamPrep.com | Built by Tanner Crow, AP CS Teacher (11+ years)
AP® is a registered trademark of the College Board.

Get in Touch

Whether you're a student, parent, or teacher — I'd love to hear from you.

Just want free AP CS resources?

Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.

Typically responds within 24 hours

Message Sent!

Thanks for reaching out. I'll get back to you within 24 hours.

🏫 Welcome, fellow educator!

I offer curriculum resources, practice materials, and study guides designed for AP CS teachers. Let me know what you're looking for — whether it's classroom materials, a guest speaker, or Teachers Pay Teachers resources.

Email

[email protected]

📚

Courses

AP CSA, CSP, & Cybersecurity

Response Time

Within 24 hours

Prefer email? Reach me directly at [email protected]