AP Cybersecurity Unit 3 Lesson 3 Lab

Lab — Operation Gatekeeper: Firewall Forensics Investigation

6 steps, 30 points — Mixed formats: matching, fill-blank, select-all, MCQ, and written analysis

Each step uses a different assessment format.
Investigation Target
Harborview Regional Bank

Harborview’s firewall logs reveal that an attacker exfiltrated customer data despite the firewall being “properly configured.” Your investigation analyzes 6 firewall rules to find the gap that allowed the breach — a common scenario where rule ordering, overly broad permits, and logging gaps create exploitable weaknesses.

Step 1: Matching
Classify Firewall Rule Types
Harborview’s firewall has three types of rules. Match each description to its rule type.
Think first: Allow = permit traffic. Deny = block traffic. Log = record for analysis without blocking.
PERMIT TCP from 10.20.0.0/16 to 10.30.1.50 port 443
DROP ALL from ANY to 10.30.0.0/16 (implicit deny)
MONITOR TCP from 10.10.0.0/16 to ANY port 443 — record but do not block
PERMIT = Allow. DROP ALL = Deny (implicit deny-all is the last rule). MONITOR = Log (records for analysis without affecting traffic flow).
Exam Tip: Firewall rule types: Allow (explicit permit), Deny (explicit or implicit block), Log (monitor without action). Best practice: explicit allows + implicit deny-all at the bottom + logging on denied traffic. Practitioner note: on most real firewalls (iptables/nftables, pf, Cisco ACLs) logging is not a separate rule type but a flag on an allow or deny rule, or a non-terminating rule that records the packet and then continues to the next rule; a monitor rule therefore never decides whether traffic passes.
Step 2: Fill in the Blank
Complete the Firewall Rule Principles
Fill in the correct firewall concept for each blank.
Think first: How do firewalls process rules, and what happens when rules conflict?

(1) Firewalls process rules in ____ order, stopping at the first rule that matches the traffic.

(2) A rule that blocks everything not explicitly permitted is called an implicit ____ rule.

(3) A firewall that inspects packet headers (source/destination IP, port) but not payload content operates at Layer ____.

(4) A firewall that tracks connection state (new, established, related) is called a ____ firewall.

(5) The security principle of blocking everything by default and only allowing specific needed traffic is called ____ listing.

Answers: (1) top-down (first match wins). (2) deny (deny-all at bottom). (3) 3 or 4 (network/transport). (4) stateful. (5) allow/white.
Exam Tip: First-match processing means rule ORDER matters critically. A broad allow above a specific deny renders the deny unreachable. Always place specific rules above broad rules.
Step 3: Select All That Apply
Identify Firewall Misconfigurations
Harborview’s firewall has these rules in order. Select ALL misconfigurations.
Rule 1: ALLOW ALL from 10.10.0.0/16 to ANY
Rule 2: DENY ALL from 10.10.0.0/16 to 10.30.0.0/16
Rule 3: ALLOW TCP from ANY to 10.30.1.50 port 443
Rule 4: DENY ALL (implicit)
All three problems apply. (A) Rule 2 is unreachable (shadowed): every packet it could match, from 10.10.0.0/16 to 10.30.0.0/16, is already matched and allowed by Rule 1, so Rule 2 never fires. (B) Rule 1 is overly broad: any protocol, any destination, any port. (C) Rule 3 allows any source, including the internet, to reach 10.30.1.50 on port 443. Not misconfigurations: Rule 4 (implicit deny) IS necessary as the safety net, and the rules are NOT properly configured.
Exam Tip: Firewall audit checklist: (1) Are any rules unreachable due to ordering? (2) Are any rules overly broad? (3) Do source restrictions match least privilege? (4) Is implicit deny-all present at the bottom?
Step 4: Multiple Choice
Identify How the Attacker Exfiltrated Data
The attacker on subnet 10.10.x.x exfiltrated customer data to an external server over HTTPS (port 443). Which rule permitted this?
Predict first: Trace the exfiltration traffic through the rules top-down. Which rule matches first?
A is correct: Rule 1. The exfiltration flow is TCP from a 10.10.x.x host to an external address on port 443. Evaluated top-down, Rule 1 (ALLOW ALL from 10.10.0.0/16 to ANY) matches on the first check, so no later rule is consulted and the outbound HTTPS was explicitly permitted by this overly broad rule. Note that reordering alone would not have saved Harborview: Rule 2 only denies traffic to 10.30.0.0/16, and the exfiltration destination was external, so only a tighter Rule 1 (Step 5) closes the gap.
Exam Tip: Tracing traffic through firewall rules: start at Rule 1, check if source/destination/port matches. First match wins. An ALLOW ALL rule at the top permits everything — including malicious exfiltration.
Step 5: Analysis
Fix the Firewall Rules
The current Rule 1 (ALLOW ALL from 10.10.0.0/16 to ANY) must be replaced with specific, least-privilege rules.
5a. Select the correct fix for Rule 1:
5b. Write 2-3 replacement rules that follow the principle of least privilege.
Key terms: specific, port, destination, 443, 80, 25, DNS, least privilege, only, needed, teller, banking
B is correct. Replace the broad ALLOW ALL with specific permits. Example replacements: Rule 1a: ALLOW TCP 10.10.0.0/16 to 10.30.1.50 port 443 (banking app). Rule 1b: ALLOW UDP 10.10.0.0/16 to 10.1.1.1 port 53 (DNS). Rule 1c: DENY ALL 10.10.0.0/16 to ANY (block everything else from this subnet). This allows only what is needed and blocks all other traffic. Rule 1c duplicates what the implicit deny-all would do anyway; its value is that an explicit deny can be logged, so blocked attempts from the teller subnet, including a repeat of this exfiltration, show up in the logs. Rule 3's ANY source, flagged in Step 3, still needs its own fix.
Exam Tip: Least privilege for firewall rules: replace broad ALLOW ALL with specific permits for known legitimate traffic. If you cannot list what the subnet needs, you cannot secure it.
Step 6: Written Response
Write the Firewall Audit Checklist
Write a 5-point firewall audit checklist that Harborview should use quarterly to prevent rule-based breaches like this one.
Key terms: unreachable, shadow, broad, order, implicit deny, log, review, unused, specific, source, destination, port, document, justify, quarterly
Model answer:
1. Check for unreachable/shadowed rules: verify no broad rule above prevents a specific rule below from ever matching.
2. Verify no ALLOW ALL rules exist: every allow must specify source, destination, AND port.
3. Confirm implicit deny-all is the last rule.
4. Review logs for denied traffic to identify new legitimate needs or attack patterns.
5. Remove unused rules and require documented justification for every active allow rule.
Exam Tip: Firewall rules drift over time (temporary rules become permanent, broad rules are added for convenience). Quarterly audits catch rule sprawl before it creates breaches.
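The top-down trace of Step 4, the shadowed and overly broad rules of Step 3, the replacement rules of Step 5 and items 1 to 3 of the Step 6 checklist can all be checked mechanically. The Python below is an added example written for this page, not code from the lab or from APCSExamPrep.com. It assumes a constructed set of flows, an assumed external exfiltration server 203.0.113.7 (RFC 5737 documentation range) and the 10.1.1.1 resolver named in the Step 5 answer. It goes slightly beyond the lab by distinguishing a dangerously shadowed rule (a DENY that can never fire under an earlier ALLOW) from a merely redundant one (a DENY covered by an earlier DENY).

```python
# Added example for this lab, not code from the original page: a first-match
# rule evaluator over the Harborview rulesets. Assumed/constructed inputs:
# external server 203.0.113.7 (RFC 5737 documentation range) and the FLOWS
# table; 10.1.1.1 is the resolver named in the Step 5 answer.
from dataclasses import dataclass
from ipaddress import ip_network

ANY = "ANY"


def _net_covers(outer, inner):
    """True if every address in `inner` (CIDR, host or ANY) lies inside `outer`."""
    if outer == ANY:
        return True
    if inner == ANY:
        return False
    return ip_network(inner, strict=False).subnet_of(ip_network(outer, strict=False))


@dataclass(frozen=True)
class Rule:
    label: str
    action: str   # "ALLOW" or "DENY"
    proto: str    # "TCP", "UDP" or ANY
    src: str      # CIDR, single host or ANY
    dst: str      # CIDR, single host or ANY
    port: object  # destination port (int) or ANY

    def matches(self, proto, src, dst, port):
        """Does this rule match one flow? ANY fields match anything."""
        return (self.proto in (ANY, proto) and _net_covers(self.src, src)
                and _net_covers(self.dst, dst) and self.port in (ANY, port))

    def covers(self, other):
        """Does self match every flow `other` could? Placed above, self shadows it."""
        return (self.proto in (ANY, other.proto) and _net_covers(self.src, other.src)
                and _net_covers(self.dst, other.dst) and self.port in (ANY, other.port))


IMPLICIT_DENY = Rule("implicit deny-all", "DENY", ANY, ANY, ANY, ANY)


def first_match(rules, proto, src, dst, port):
    """Top-down evaluation: first matching rule decides, implicit deny-all otherwise."""
    for rule in rules:
        if rule.matches(proto, src, dst, port):
            return rule
    return IMPLICIT_DENY


def shadowed_rules(rules):
    """Checklist item 1: (shadowed, shadower, severity) for rules that can never fire.
    Opposite action = dangerous (a DENY under a broad ALLOW); same action = redundant."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later):
                severity = "redundant" if earlier.action == later.action else "dangerous"
                findings.append((later.label, earlier.label, severity))
                break  # report only the first rule that shadows it
    return findings


def broad_allows(rules):
    """Checklist item 2: every ALLOW must name protocol, destination and port."""
    return [r.label for r in rules if r.action == "ALLOW" and ANY in (r.proto, r.dst, r.port)]


def any_source_allows(rules):
    """Checklist item 3: an ALLOW from ANY source ignores least privilege."""
    return [r.label for r in rules if r.action == "ALLOW" and r.src == ANY]


# Step 3 ruleset as audited; Rule 4 (implicit deny) is supplied by first_match.
ORIGINAL = [
    Rule("Rule 1", "ALLOW", ANY, "10.10.0.0/16", ANY, ANY),
    Rule("Rule 2", "DENY", ANY, "10.10.0.0/16", "10.30.0.0/16", ANY),
    Rule("Rule 3", "ALLOW", "TCP", ANY, "10.30.1.50", 443),
]
# Step 5 answer: Rule 1 replaced by 1a/1b/1c; Rules 2 and 3 left as they were.
FIXED = [
    Rule("Rule 1a", "ALLOW", "TCP", "10.10.0.0/16", "10.30.1.50", 443),
    Rule("Rule 1b", "ALLOW", "UDP", "10.10.0.0/16", "10.1.1.1", 53),
    Rule("Rule 1c", "DENY", ANY, "10.10.0.0/16", ANY, ANY),
    Rule("Rule 2", "DENY", ANY, "10.10.0.0/16", "10.30.0.0/16", ANY),
    Rule("Rule 3", "ALLOW", "TCP", ANY, "10.30.1.50", 443),
]
# Constructed flows (protocol, source, destination, destination port), not real logs.
FLOWS = {
    "exfil to external server": ("TCP", "10.10.5.23", "203.0.113.7", 443),
    "teller to banking app": ("TCP", "10.10.5.23", "10.30.1.50", 443),
    "teller DNS lookup": ("UDP", "10.10.5.23", "10.1.1.1", 53),
    "teller SSH into 10.30": ("TCP", "10.10.5.23", "10.30.2.9", 22),
}


def trace(rules):
    """Map each flow name to (deciding rule label, action) under `rules`."""
    result = {}
    for name, flow in FLOWS.items():
        rule = first_match(rules, *flow)
        result[name] = (rule.label, rule.action)
    return result


if __name__ == "__main__":
    for name, rules in (("ORIGINAL", ORIGINAL), ("FIXED", FIXED)):
        print(f"== {name} ==", trace(rules))
        print("  shadowed:", shadowed_rules(rules), "| broad ALLOWs:", broad_allows(rules),
              "| ANY-source ALLOWs:", any_source_allows(rules))
```

Under ORIGINAL every flow, including the exfiltration and the SSH hop into 10.30.0.0/16 that Rule 2 was meant to stop, is allowed by Rule 1, and Rule 2 is reported as dangerously shadowed. Under FIXED the exfiltration and the SSH hop land on Rule 1c (DENY), Rule 2 is reported as redundant behind 1c, and Rule 3 is still listed as an ANY-source allow, which is the Step 3 finding the Step 5 fix does not address. Real firewalls also match on source port, connection state, interface or zone and direction; this model matches only protocol, addresses and destination port, so treat its shadow check as a first pass, not a proof.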
AP Cybersecurity 3.3 Lab | APCSExamPrep.com | Built by Tanner Crow, AP CS Teacher (11+ years)
AP® is a registered trademark of the College Board.
