AP Cybersecurity Unit 3 Lesson 3 Exercise 2


Exercise 2 — Firewall Policy Design

3 parts, 24 points — Design and troubleshoot firewall policies for Crossroads Logistics

Client Organization
Crossroads Logistics

Crossroads Logistics operates 5 distribution centers connected to headquarters over a corporate WAN. Each center has three network zones: an operations zone (warehouse management, barcode scanners), a corporate zone (email, HR systems), and an IoT zone (GPS trackers, temperature sensors on refrigerated trucks). The company’s new CISO has asked you to design firewall policies for the Atlanta distribution center.

Part 1
Scenario: IoT Zone Firewall Policy
The IoT zone contains 85 GPS trackers and 30 temperature sensors. These devices need to send telemetry data to a central server (10.50.1.10) on port 8883 (MQTT over TLS). They should not be able to initiate connections to anything else on the network. Currently, the IoT zone has no firewall restrictions — all devices can reach any system on any port.
8 points
1a. Explain why the current unrestricted policy is dangerous for IoT devices specifically. (2–3 sentences)
Key terms: compromise, lateral movement, botnet, unpatched, firmware, attack surface, pivot, vulnerable
1b. Write a 3-rule firewall policy for the IoT zone. Specify source, destination, port, protocol, and action for each rule. Explain your rule ordering.
Key terms: ALLOW, DENY, IoT subnet, telemetry server, MQTT, 8883, default deny, specific, broad, last rule
Model Response: Unrestricted IoT access is dangerous because IoT devices typically run minimal firmware that is rarely updated, making them prime targets for compromise. If an attacker gains control of a GPS tracker, unrestricted access allows them to pivot laterally into the corporate or operations zones, potentially reaching HR systems or warehouse management. IoT botnets (like Mirai) specifically exploit devices with unrestricted network access.

Rule 1: ALLOW TCP from IoT_Zone (10.60.0.0/24) to 10.50.1.10 port 8883 — permits telemetry to the central server only.
Rule 2: ALLOW UDP from IoT_Zone to DNS_Server port 53 — permits DNS resolution for the devices.
Rule 3: DENY ALL from IoT_Zone to ANY — blocks everything else (default deny).
Ordering: Specific ALLOW rules first, default DENY last. The IoT devices can only reach their designated server and DNS; all other connections are blocked.
Part 2
Scenario: Blocked Warehouse Operations
After deploying new firewall rules, warehouse staff report that barcode scanners in the operations zone can no longer reach the inventory database (10.50.2.20, port 3306). The rules are:

Rule 1: DENY TCP from ANY to ANY on port 3306
Rule 2: ALLOW TCP from 10.40.0.0/24 to 10.50.2.20 on port 3306
Rule 3: DENY ALL
8 points
2a. Identify the specific misconfiguration and explain why the scanners are blocked.
Key terms: top-down, first match, Rule 1, broad, specific, unreachable, order, before, evaluate
2b. Write the corrected rule set with proper ordering.
Key terms: ALLOW first, specific before broad, DENY after, swap, move, reorder
Model Response: The issue is rule ordering: Rule 1 (DENY TCP port 3306 from ANY) is evaluated first and matches all MySQL traffic, including from the scanners. Rule 2 (the specific ALLOW) is never reached because the firewall already found a match at Rule 1. Firewalls process rules top-down and apply the first match.

Corrected rules:
Rule 1: ALLOW TCP from 10.40.0.0/24 to 10.50.2.20 port 3306 (specific allow for scanners)
Rule 2: DENY TCP from ANY to ANY port 3306 (block all other MySQL access)
Rule 3: DENY ALL (default deny)
Now the scanner traffic matches Rule 1 first, while all other MySQL attempts are blocked by Rule 2.
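To make the first-match behaviour from Parts 1 and 2 concrete, here is an added example (not part of the exercise or its answer key): a minimal top-down packet-filter evaluator run against the broken and corrected Part 2 rule sets and the Part 1 IoT policy. The IoT subnet 10.60.0.0/24 comes from the model response; the DNS server address 10.50.1.53 and the scanner/device IPs are assumed.

```python
import ipaddress

# Constructed example: a minimal first-match packet-filter evaluator.
# A rule is (action, proto, src_cidr, dst_cidr, dst_port); "any" is a wildcard.

def _match(field, value):
    return field == "any" or field == value

def _in_net(cidr, ip):
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def evaluate(rules, proto, src_ip, dst_ip, dst_port):
    """Return (action, rule_number) of the first matching rule, top-down."""
    for i, (action, r_proto, src, dst, port) in enumerate(rules):
        if (_match(r_proto, proto) and _in_net(src, src_ip)
                and _in_net(dst, dst_ip) and _match(port, dst_port)):
            return action, i + 1
    return "DENY", None   # implicit default deny when nothing matched

# Part 2 as deployed: the broad DENY sits above the specific ALLOW.
BROKEN = [
    ("DENY",  "tcp", "any",          "any",           3306),
    ("ALLOW", "tcp", "10.40.0.0/24", "10.50.2.20/32", 3306),
    ("DENY",  "any", "any",          "any",           "any"),
]

# Part 2 corrected: specific ALLOW first, broad DENY after, default DENY last.
FIXED = [
    ("ALLOW", "tcp", "10.40.0.0/24", "10.50.2.20/32", 3306),
    ("DENY",  "tcp", "any",          "any",           3306),
    ("DENY",  "any", "any",          "any",           "any"),
]

# Part 1 IoT policy. The DNS server address 10.50.1.53 is an assumption.
IOT = [
    ("ALLOW", "tcp", "10.60.0.0/24", "10.50.1.10/32", 8883),
    ("ALLOW", "udp", "10.60.0.0/24", "10.50.1.53/32", 53),
    ("DENY",  "any", "10.60.0.0/24", "any",           "any"),
]

if __name__ == "__main__":
    scanner = ("tcp", "10.40.0.7", "10.50.2.20", 3306)   # assumed scanner IP
    print("broken:", evaluate(BROKEN, *scanner))          # ('DENY', 1)
    print("fixed: ", evaluate(FIXED, *scanner))           # ('ALLOW', 1)
    # A compromised tracker trying to pivot to the inventory database:
    print("iot pivot:", evaluate(IOT, "tcp", "10.60.0.15", "10.50.2.20", 3306))  # ('DENY', 3)
```

Swapping the first two rules is the only difference between BROKEN and FIXED, yet it changes the scanner's verdict from DENY at rule 1 to ALLOW at rule 1, which is exactly the ordering bug the scenario describes.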
Part 3
Scenario: Choosing the Right Firewall Technology
Crossroads is evaluating three firewall options for the corporate zone perimeter: (1) a stateless packet filter at $2,000/year, (2) a stateful inspection firewall at $8,000/year, and (3) a next-generation firewall with application-layer inspection at $25,000/year. The corporate zone handles email, web browsing, HR systems, and VPN connections to headquarters.
8 points
3a. For each firewall type, identify one specific threat from the corporate zone that it would fail to detect. (3–4 sentences)
Key terms: stateless misses connection state/return traffic; stateful misses encrypted payload/application; NGFW misses zero-day/encrypted tunnels
3b. Write your recommendation to the CISO: which option should Crossroads choose and why? Consider both security needs and budget constraints. (2–3 sentences)
Key terms: recommend, stateful or NGFW, budget, risk, email, VPN, application, visibility, balance, HR data, compliance
Model Response: Stateless: Would miss a return packet from an attacker-initiated connection because it cannot track session state — an attacker could send a crafted response packet that appears to be part of a legitimate session. Stateful: Would miss malware embedded inside an encrypted HTTPS download because it inspects headers and connection state but not encrypted payloads. NGFW: Would miss a zero-day exploit that has no existing signature, or data exfiltrated through an encrypted DNS-over-HTTPS tunnel that the NGFW cannot decrypt.

Recommendation: The NGFW ($25K/year) is the right choice. The corporate zone handles sensitive HR data, financial systems, and VPN traffic — all high-value targets. A stateless filter provides inadequate protection, and a stateful firewall lacks the application-layer visibility needed to detect phishing payloads in email or malicious downloads. The NGFW’s cost is justified by the data it protects.
AP Cybersecurity 3.3 Exercise 2 | APCSExamPrep.com | Built by Tanner Crow, AP CS Teacher (11+ years)
AP® is a registered trademark of the College Board, which was not involved in the production of this content.
