AP Cybersecurity Unit 3 Lesson 3 Exercise 1

Unit 3 • 3.3 • Exercise 1

Exercise 1 — Firewall Rule Analysis

6 questions — Evaluate firewall configurations and packet filtering decisions

Score: 0 / 0 Predict the answer before selecting an option
Client Organization
Brightpath University

Brightpath University serves 15,000 students and 2,000 faculty across a main campus and two satellite locations. The campus network includes a student residence network, an academic research network with sensitive grant data, a public-facing web server cluster, and an administrative network handling financial aid and payroll. The IT security team is reviewing firewall policies after a recent audit flagged several misconfigurations.

Q1 Firewall Types
Brightpath’s perimeter firewall inspects each incoming packet’s source IP, destination IP, source port, destination port, and protocol type. It does NOT track whether the packet belongs to an established connection or examine the packet’s payload. This firewall is BEST classified as:
Q2 Rule Order
The following firewall rules are applied in order:

Rule 1: ALLOW TCP from 10.0.0.0/8 to ANY on port 443
Rule 2: DENY TCP from 10.0.50.0/24 to 192.168.1.100 on port 443
Rule 3: DENY ALL

A packet arrives from 10.0.50.15 destined for 192.168.1.100 on port 443. What happens to this packet?
Q3 Stateful vs Stateless
A student in the residence hall initiates an HTTPS connection to an external website. The outbound SYN packet is allowed by the firewall. Later, the website sends a response packet back to the student. Which of the following statements about how different firewall types handle this return traffic are correct?

I. A stateless firewall would require a separate inbound rule explicitly allowing traffic from the website’s IP to the student’s IP on the ephemeral port.
II. A stateful firewall would automatically allow the return packet because it recognizes it as part of an established TCP session.
III. A next-generation firewall would block the return packet unless the website’s domain appears on an approved application allowlist.
Q4 Default Deny
Brightpath’s firewall policy ends with an implicit DENY ALL rule. A new research lab needs access to an external genomics database on TCP port 8443. The IT team has not yet created a rule for this traffic. What will happen when a researcher tries to connect?
Q5 Firewall Limitations
A student downloads a malware-infected PDF from a legitimate academic journal website over HTTPS. Brightpath’s stateful firewall allowed the traffic because port 443 outbound is permitted. Which limitation does this scenario demonstrate?
Q6 Practical Configuration
The IT team needs to allow faculty to access the administrative payroll system (192.168.10.5, port 8080) from the academic network (172.16.0.0/16) while blocking student access from the residence network (10.10.0.0/16). Which firewall rule set achieves this with CORRECT rule ordering?
Questions Correct
Exercise 2 → Course Hub
AP Cybersecurity Unit 3 • 3.3 • Exercise 1 | APCSExamPrep.com | Built by Tanner Crow, AP CS Teacher (11+ years)
AP® is a registered trademark of the College Board, which was not involved in the production of this content.
AP Cybersecurity · Unit 3 · Lesson 3.3 · Exercise 1
LessonExercise 1LabQuiz

Get in Touch

Whether you're a student, parent, or teacher — I'd love to hear from you.

Just want free AP CS resources?

Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.

Typically responds within 24 hours

Message Sent!

Thanks for reaching out. I'll get back to you within 24 hours.

🏫 Welcome, fellow educator!

I offer curriculum resources, practice materials, and study guides designed for AP CS teachers. Let me know what you're looking for — whether it's classroom materials, a guest speaker, or Teachers Pay Teachers resources.

Email

[email protected]

📚

Courses

AP CSA, CSP, & Cybersecurity

Response Time

Within 24 hours

Prefer email? Reach me directly at [email protected]