AP Cybersecurity 3.6: Network Security Policies & Wireless
• Identify the four CED network security policies: router policy (ban local accounts, disable Telnet, require firewall), switch policy (ban local accounts, port security, MAC filtering), VPN policy (role-based access, auth requirements, no split tunneling), wireless policy (EAP authentication, AES encryption, disable beacon frames)
• Apply the three CED wireless security controls: disable beacon frame broadcasting, control WAP signal strength/direction, enable strong encryption (WPA3 is strongest; WEP/WPS/original WPA are insecure)
• Explain MAC filtering: prevents unauthorized devices from joining the network
• Recognize that WEP, WPS, and original WPA have known vulnerabilities and are insecure — WPA3 is the CED-specified strongest option
• Note: TLS/SSH/SFTP/DNSSEC content in this lesson extends beyond CED core — labeled enrichment
Topic 3.6 / CED 3.2 Managerial Controls — What Is Testable
The CED 3.2 core covers router/switch/VPN/wireless security policies and wireless configuration controls. TLS, SSH, SFTP, DNSSEC, and PKI content in this lesson extends beyond the CED core and is enrichment. Focus on the policy and wireless configuration items below for AP exam questions.
| CED Ref | Essential Knowledge | Covered In |
|---|---|---|
| 3.2.A.1 | Router security policy: ban local user accounts, disable unnecessary services (e.g. Telnet), require a firewall | Section 2 — Network Security Policies |
| 3.2.A.2 | Switch security policy: ban local user accounts, require port security, use MAC filtering | Section 2 — Network Security Policies |
| 3.2.A.3 | VPN policy: role-based access, authentication requirements (public/private key or MFA), prohibition against split tunneling (dual tunneling) | Section 2 — Network Security Policies |
| 3.2.A.4 | Wireless security policy: EAP authentication to approved auth server, AES encryption with minimum key length, disable beacon frames on WAPs | Section 2 — Network Security Policies |
| 3.2.B.1 | Disable beacon frame broadcasting on WAPs: makes it harder for adversaries to find the network and learn its properties | Section 3 — Wireless Security Controls |
| 3.2.B.2 | Control WAP broadcast direction and signal strength so signal does not extend beyond the intended physical space | Section 3 — Wireless Security Controls |
| 3.2.B.3 | Enable strong wireless encryption: WEP/WPS/original WPA have known vulnerabilities and are insecure. WPA3 is currently the strongest wireless encryption algorithm. | Section 3 — Wireless Security Controls |
| 3.2.B.4 | Enable MAC filtering to prevent unauthorized devices from accessing the network; require user authentication when joining | Section 3 — Wireless Security Controls |
Source: AP Cybersecurity CED Effective Fall 2026. AP Skills: 2.A Identify security controls • 2.C Evaluate mitigations • 2.D Implement mitigations
Answer independently. No notes.
- A company’s router configuration allows local user accounts with local passwords, has Telnet enabled, and does not require a separate firewall device. List every violation of the CED router security policy and explain what each should be replaced with.
- A WAP at an organization broadcasts its SSID at full signal strength, which extends into the parking lot, and uses WPA2 encryption. Name two CED wireless security controls that should be applied and explain the security benefit of each.
- An organization’s VPN policy allows all employees to use the VPN and permits split tunneling. What is split tunneling, why does the CED prohibit it in a VPN policy, and what should the policy say instead?
Answers: (1) Violations: local accounts (should ban; require an approved central auth server) + Telnet enabled (should disable unnecessary services) + no separate firewall required (should require a firewall per 3.2.A.1). (2) Disable beacon frame broadcasting (makes the network harder for adversaries to find and fingerprint) + control signal strength/direction so the signal does not extend beyond the physical space (3.2.B.1, 3.2.B.2). A WPA3 upgrade is also recommended per 3.2.B.3. (3) Split tunneling = a VPN user routes some traffic through the VPN tunnel and the rest directly to the internet. Risk: the direct internet traffic bypasses organizational security controls (filtering, inspection, logging), creating a potential path for adversaries into the connected device. The policy should prohibit split tunneling per CED 3.2.A.3.
Lesson 3.6: Secure Network Protocols
TLS/HTTPS, SSH, SFTP, DNSSEC, VPNs, Certificate Authorities, and protocol migration strategies
🎯 Learning Objectives
- Explain how TLS protects confidentiality, integrity, and authentication during the handshake process
- Map insecure protocols to their secure replacements (FTP→SFTP, Telnet→SSH, HTTP→HTTPS)
- Describe how SSL stripping exploits the HTTP-to-HTTPS redirect and how HSTS prevents it
- Compare site-to-site VPN, remote-access VPN, and split tunneling architectures
- Explain how DNSSEC cryptographically verifies DNS responses to prevent spoofing
- Describe the PKI trust model: Certificate Authorities, certificate chains, and revocation
3.6.1 — The Insecure Protocol Problem
Many foundational internet protocols were designed in the 1970s-1990s when the internet was a trusted academic network. Security was an afterthought. These protocols transmit everything — credentials, commands, data — in plaintext, meaning anyone who intercepts the traffic can read it directly.
Insecure → Secure Protocol Map
| Insecure protocol (plaintext) | Default port | Secure replacement | Default port | What the replacement adds |
|---|---|---|---|---|
| HTTP | 80 | HTTPS (HTTP over TLS) | 443 | Encryption, integrity, server authentication via certificate |
| Telnet | 23 | SSH | 22 | Encrypted session, key-based auth, host-key check |
| FTP | 21 | SFTP (file transfer over SSH) or FTPS (FTP over TLS) | 22 (SFTP); 21/990 (FTPS) | Credentials and file contents encrypted |
| DNS (unsigned answers) | 53 | DNSSEC (signed answers); DoT/DoH for query privacy | 53 (DNSSEC); 853 (DoT), 443 (DoH) | Answer authenticity and integrity; DoT/DoH add confidentiality of queries |
⚠ Exam Trap
FTP and FTPS are different from SFTP. FTPS adds TLS to FTP (still uses port 21/990). SFTP is a completely different protocol that runs over SSH (port 22). The exam may test this distinction. SFTP is generally preferred because it uses a single port and leverages the existing SSH infrastructure.
Why plaintext protocols persist: Legacy systems, backward compatibility requirements, and organizational inertia. Many SCADA/OT environments still use Telnet and unencrypted Modbus because the devices were deployed before secure alternatives existed and cannot be easily updated without risking operational disruption.
3.6.2 — TLS: The Foundation of Encrypted Communication
Transport Layer Security (TLS) is the cryptographic protocol that protects data in transit. Every HTTPS connection relies on it, as do email transport between mail servers (STARTTLS) and SSL/TLS-based VPNs; IPsec and WireGuard VPNs use their own cryptographic protocols to achieve the same goals. A TLS session provides three guarantees:
- Confidentiality: the session key encrypts everything after the handshake, so an interceptor sees only ciphertext.
- Integrity: each record carries an authentication tag, so modified or replayed data is detected and rejected.
- Authentication: the server proves its identity with a certificate that chains to a trusted Certificate Authority (clients can optionally present certificates too).
The TLS Handshake (Simplified)
Step 1: Client Hello — The browser sends supported TLS versions and cipher suites to the server.
Step 2: Server Hello + Certificate — The server selects a cipher suite and sends its digital certificate (public key + identity + CA signature); in TLS 1.3 it also sends its key share in this flight.
Step 3: Certificate Verification — The browser checks that the certificate chains to a root CA in its trust store, that the name matches the host it asked for, that the current time falls within the validity period, and, via CRL or OCSP, that it has not been revoked. Any failure aborts the handshake.
Step 4: Key Exchange — Client and server derive a shared session key. In TLS 1.2 with ECDHE suites, and always in TLS 1.3, this uses ephemeral Diffie-Hellman: the certificate's private key only signs the handshake, so a later compromise of that key cannot decrypt previously recorded traffic (forward secrecy).
Step 5: Encrypted Communication — Both sides now use the shared session key for fast symmetric encryption. All data (HTTP requests, responses, cookies, credentials) is encrypted.
⚠ Exam Trap
HTTPS ≠ safe website. HTTPS means the connection is encrypted, not that the website is legitimate. A phishing site can have a valid TLS certificate and show the padlock icon. TLS protects data in transit — it does not verify the website’s intent.
SSL Stripping and HSTS
SSL stripping is an attack that exploits the HTTP-to-HTTPS redirect. When a user types example.com (without https://), the browser first connects via HTTP, then the server redirects to HTTPS. An attacker in a MitM position can intercept the initial HTTP request and prevent the redirect, keeping the victim on an unencrypted connection while proxying to the real HTTPS site.
HSTS (HTTP Strict Transport Security) closes this gap. When a server sends the Strict-Transport-Security header over a valid HTTPS connection, the browser records that it must use HTTPS for that domain (and, with includeSubDomains, its subdomains) for max-age seconds, and rewrites any later http:// navigation to https:// before sending a request. Two caveats matter in practice: the header is ignored when received over plain HTTP, so a stripping attacker cannot plant or clear it, but the very first visit (and any visit after max-age expires) still starts over HTTP and is attackable. HSTS preloading removes that first-visit window: the domain is hardcoded into the browser itself (Chrome, Firefox, and Safari maintain preload lists), so the browser never sends an initial HTTP request and there is nothing for the attacker to intercept.
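The decision described above, as an added example written for this lesson rather than code from the page or from any browser: a small model of a browser's HSTS cache, including the header parser, the rule that policy received over plain HTTP is ignored, includeSubDomains matching, max-age expiry, and a preload list. Hostnames, header values, and the preload entries are constructed for illustration.

```python
"""Added example (not from the lesson): a model of the browser-side HSTS cache
that decides whether a typed host is upgraded to https:// before any request is
sent, which is exactly the decision SSL stripping exploits. Header values,
hostnames and the preload list are constructed for illustration."""


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value. Returns a policy dict, or
    None for a malformed header (browsers ignore those rather than guess)."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


class HstsCache:
    """host -> (expiry timestamp, include_subdomains). Preloaded hosts never expire."""

    def __init__(self, preload=()):
        self.entries = {host: (float("inf"), True) for host in preload}

    def observe(self, host, header, now, over_https):
        """Record a policy from a response. RFC 6797 requires the header to be
        ignored on plain HTTP, so a stripping MitM cannot plant or clear policy."""
        if not over_https:
            return
        policy = parse_hsts(header)
        if policy is None:
            return
        if policy["max_age"] == 0:
            self.entries.pop(host, None)        # max-age=0 withdraws the policy
        else:
            self.entries[host] = (now + policy["max_age"], policy["include_subdomains"])

    def must_upgrade(self, host, now):
        """True if an unexpired policy covers host, either directly or through an
        includeSubDomains entry on a parent domain."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None or entry[0] <= now:
                continue
            if i == 0 or entry[1]:
                return True
        return False


def first_request_scheme(cache, typed_host, now):
    """Scheme of the very first request for a host typed without a scheme.
    'http' is the window an SSL-stripping attacker needs."""
    return "https" if cache.must_upgrade(typed_host, now) else "http"


if __name__ == "__main__":
    cache = HstsCache(preload=["example.com"])
    print(first_request_scheme(cache, "www.example.com", now=0))   # https: preloaded
    print(first_request_scheme(cache, "bank.test", now=0))         # http: first visit, attackable
    cache.observe("bank.test", "max-age=31536000", now=0, over_https=True)
    print(first_request_scheme(cache, "bank.test", now=10))        # https: policy cached
```

The model shows why preloading matters: without it, the first plain-HTTP visit to bank.test (and any visit after the cached max-age lapses) goes out over HTTP, and that single request is all a stripping attacker needs. The `over_https` check is the other half of the defense; without it, the attacker could send `max-age=0` over the stripped connection and erase the policy.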
3.6.3 — SSH and SFTP: Encrypted Remote Access and File Transfer
SSH (Secure Shell) replaces Telnet for remote server administration. Where Telnet transmits every keystroke, command, and output in plaintext, SSH encrypts the entire session. An attacker intercepting a Telnet session sees passwords, commands, and configuration data. An attacker intercepting an SSH session sees only ciphertext.
| Telnet | SSH |
|---|---|
| Port 23 | Port 22 |
| All data in plaintext | All data encrypted |
| Passwords visible to any interceptor | Passwords protected in transit |
| Commands and output readable | Key-based auth (no passwords needed) |
| No identity verification of server | Server identity verified via host key |
One caveat on the last row: by default an SSH client trusts a server's host key on first use and only warns when that key later changes, so the first connection is where a MitM can insert itself. Distribute known_hosts entries (or the key fingerprint) out of band, or issue host certificates from an SSH CA, and never dismiss a "host key has changed" warning.
SFTP (SSH File Transfer Protocol) provides encrypted file transfer over the SSH protocol (port 22). Unlike FTP (port 21) which sends credentials and file contents in plaintext, SFTP encrypts everything — login, commands, directory listings, and file data. Unlike FTPS (which wraps FTP in TLS), SFTP is a completely different protocol that uses only one port (22), simplifying firewall rules.
3.6.4 — VPNs: Encrypted Tunnels Across Untrusted Networks
A Virtual Private Network (VPN) creates an encrypted tunnel through a public network, allowing private communication as if both endpoints were on the same local network. Everything routed into the tunnel is encrypted, so that even if it is intercepted on public Wi-Fi or a compromised ISP link, the data is unreadable. Which traffic is routed into the tunnel is a configuration choice, and that choice is the subject of the split-tunneling discussion below.
VPN Architecture Comparison
Remote-Access VPN: An individual user (employee working from home, traveling executive) connects their device to the corporate network over an encrypted tunnel. The user’s laptop acts as one end, and the VPN gateway is the other. Used by: remote workers, traveling staff, contractors.
Site-to-Site VPN: Two physical locations (HQ and branch office) are connected over the internet through a permanent encrypted tunnel between their routers/firewalls. All traffic between the sites is encrypted transparently — individual users do not need VPN software. Used by: multi-office organizations, partner connections.
Split Tunneling: Only traffic destined for the corporate network goes through the VPN tunnel; internet traffic (YouTube, personal email) goes directly to the internet. Trade-off: Reduces VPN bandwidth and latency but creates a gap — the user’s internet traffic is unprotected and could be intercepted on public Wi-Fi. High-security organizations enforce full tunneling (all traffic through VPN) to prevent data leaks.
⚠ Exam Trap
Split tunneling is NOT always wrong. It is a valid design choice for organizations that prioritize performance and have other protections (endpoint security, cloud-based web filtering). The exam tests whether you understand the trade-off, not whether you pick one as universally correct.
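The routing behind this trade-off, as an added example written for this lesson and not taken from the page or from any VPN product: two constructed client routing tables, one full-tunnel and one split-tunnel, a longest-prefix-match lookup like the one every host performs, and a check that reports which destinations leave the device outside the tunnel. Interface names, prefixes, and the VPN gateway address are assumptions.

```python
"""Added example (not from the lesson): what a client's routing table looks like
under full tunneling vs. split tunneling, and which destinations escape the VPN.
Route tables, interface names and destination addresses are constructed."""
import ipaddress

# Constructed routing tables as (prefix, interface). tun0 is the VPN adapter,
# wlan0 the home or coffee-shop Wi-Fi. The VPN gateway itself (203.0.113.1)
# always needs a direct route, or the tunnel could never be established.
FULL_TUNNEL = [
    ("0.0.0.0/0", "tun0"),           # default route points into the tunnel
    ("203.0.113.1/32", "wlan0"),     # VPN gateway, reached directly
    ("192.168.1.0/24", "wlan0"),     # local LAN stays local
]
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "wlan0"),          # default route bypasses the tunnel
    ("10.0.0.0/8", "tun0"),          # only corporate prefixes are tunneled
    ("172.16.0.0/12", "tun0"),
    ("203.0.113.1/32", "wlan0"),
    ("192.168.1.0/24", "wlan0"),
]


def next_hop(routes, dst):
    """Longest-prefix match, the rule every host and router applies."""
    addr = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def bypasses_tunnel(routes, destinations, tunnel_iface="tun0"):
    """Destinations whose traffic leaves the host outside the VPN tunnel."""
    return sorted(d for d in destinations if next_hop(routes, d) != tunnel_iface)


def tunnel_mode(routes, tunnel_iface="tun0"):
    """Classify the table the way the CED VPN policy would: a default route that
    does not point into the tunnel means split tunneling is in effect."""
    default = next((iface for prefix, iface in routes if prefix == "0.0.0.0/0"), None)
    return "full" if default == tunnel_iface else "split"


if __name__ == "__main__":
    probes = ["10.20.30.40", "172.20.1.5", "198.51.100.25", "192.168.1.1"]
    for name, table in (("FULL_TUNNEL", FULL_TUNNEL), ("SPLIT_TUNNEL", SPLIT_TUNNEL)):
        print(name, tunnel_mode(table), "bypassing:", bypasses_tunnel(table, probes))
```

Under the full-tunnel table only the local LAN and the gateway host route stay direct; under the split table every public destination (198.51.100.25 in the probe list) goes out the Wi-Fi interface unencrypted and uninspected, which is the gap the CED policy prohibits and the exam trap above asks you to weigh against bandwidth.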
3.6.5 — DNSSEC and Certificate Authorities
DNSSEC: Authenticating DNS Responses
Standard DNS has no built-in verification: when your device asks "what is the IP for example.com?" it trusts whatever answer arrives first, which is what cache poisoning and spoofing exploit. DNSSEC (DNS Security Extensions) adds digital signatures to DNS records. Each zone signs its records with its own key, and the public key for that zone is in turn signed by the parent zone, up to the root, so a validating resolver can check that (1) the records were signed by the legitimate zone owner and (2) they were not modified in transit. A forged answer fails validation and is discarded.
Important distinction: DNSSEC provides authentication and integrity (is this response genuine and unmodified?) but NOT encryption (eavesdroppers can still see which domains you query). Note also where validation usually happens: the recursive resolver validates, and the final hop from your device to that resolver is unprotected unless it runs over DNS over HTTPS (DoH) or DNS over TLS (DoT). DNSSEC and DoH/DoT solve different problems and are best used together.
Certificate Authorities and the PKI Trust Model
TLS certificates are issued by Certificate Authorities (CAs) — trusted organizations that verify domain ownership before signing a certificate. Your browser comes pre-loaded with a list of trusted Root CAs. The trust chain works as follows:
Root CA → signs the Intermediate CA certificate → which signs the Server Certificate
Your browser trusts the Root CA → therefore trusts the Intermediate CA → therefore trusts the server certificate → therefore trusts the server’s identity.
Revocation and distrust are two different mechanisms. A CA can revoke an individual certificate it issued (for example after a private-key compromise or a mis-issuance) by listing its serial number in a Certificate Revocation List (CRL) or by answering "revoked" to Online Certificate Status Protocol (OCSP) queries, and clients are expected to check one of these during certificate verification. If the CA itself is compromised, the remedy is stronger: browser and operating-system vendors remove that root from their trust stores, after which every certificate chaining to it stops validating.
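Handshake step 3 and the PKI section above both come down to the same chain walk, so one added example covers them. It is written for this lesson and is not code from the page or from any TLS library: a toy certificate format, a root in a trust store, an intermediate, a leaf, a rogue CA the client has never heard of, and a verifier that checks hostname, validity date, a CRL of (issuer, serial) pairs, and the signature chain. Textbook RSA over four-digit primes stands in for real signatures and is for illustration only; all CA names, keys, dates, and serial numbers are constructed.

```python
"""Added example (not from the lesson): the trust-chain walk a TLS client does
in handshake step 3 and in the PKI section above: signature chain to a trusted
root, hostname, expiry, and revocation. Textbook RSA over 4-digit primes stands
in for real signatures and is for illustration only. All CA names, keys, dates
and serial numbers are constructed."""
import hashlib
import json
from datetime import date

E = 65537  # common RSA public exponent


def make_key(p, q):
    """Toy RSA keypair. Real keys use 2048-bit+ moduli; these are for illustration."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E, "d": pow(E, -1, phi)}


def public(key):
    return {"n": key["n"], "e": key["e"]}


def digest(fields, n):
    """Hash the canonical encoding of the to-be-signed fields, reduced mod n."""
    raw = json.dumps(fields, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(raw).digest(), "big") % n


def sign(key, fields):
    return pow(digest(fields, key["n"]), key["d"], key["n"])


def verify_sig(pub, fields, sig):
    return pow(sig, pub["e"], pub["n"]) == digest(fields, pub["n"])


def make_cert(subject, issuer, key, not_after, issuer_key, serial, is_ca=False):
    tbs = {"serial": serial, "subject": subject, "issuer": issuer, "is_ca": is_ca,
           "pub": public(key), "not_after": not_after}
    return {**tbs, "sig": sign(issuer_key, tbs)}


def tbs(cert):
    """The to-be-signed fields: everything except the signature itself."""
    return {k: v for k, v in cert.items() if k != "sig"}


def verify_chain(chain, hostname, trust_store, crl, today):
    """chain is leaf-first; the root is looked up in trust_store, never taken from
    the server. crl is a set of (issuer, serial) pairs. Returns (ok, reason)."""
    if chain[0]["subject"] != hostname:
        return False, "hostname mismatch"
    for i, cert in enumerate(chain):
        if today > date.fromisoformat(cert["not_after"]):
            return False, f"{cert['subject']} expired"
        if (cert["issuer"], cert["serial"]) in crl:
            return False, f"{cert['subject']} revoked"
        if i > 0 and not cert["is_ca"]:
            return False, f"{cert['subject']} is not a CA"
        if i + 1 < len(chain):
            if chain[i + 1]["subject"] != cert["issuer"]:
                return False, f"chain broken at {cert['subject']}"
            issuer_pub = chain[i + 1]["pub"]
        else:
            issuer_pub = trust_store.get(cert["issuer"])
            if issuer_pub is None:
                return False, f"no trusted root for {cert['issuer']}"
        if not verify_sig(issuer_pub, tbs(cert), cert["sig"]):
            return False, f"bad signature on {cert['subject']}"
    return True, "trusted"


# Constructed PKI: one root in the trust store, one intermediate, one leaf, plus
# a rogue CA that issued a certificate for the same hostname.
ROOT_KEY, INTER_KEY = make_key(9973, 9967), make_key(9949, 9941)
LEAF_KEY, ROGUE_KEY = make_key(9931, 9929), make_key(9923, 9907)
TRUST_STORE = {"Example Root CA": public(ROOT_KEY)}
INTER = make_cert("Example Intermediate CA", "Example Root CA", INTER_KEY,
                  "2032-01-01", ROOT_KEY, serial=2, is_ca=True)
LEAF = make_cert("www.example.com", "Example Intermediate CA", LEAF_KEY,
                 "2026-06-01", INTER_KEY, serial=1001)
ROGUE_LEAF = make_cert("www.example.com", "Rogue CA", LEAF_KEY,
                       "2032-01-01", ROGUE_KEY, serial=7)

if __name__ == "__main__":
    today = date(2026, 1, 15)
    print(verify_chain([LEAF, INTER], "www.example.com", TRUST_STORE, set(), today))
    print(verify_chain([ROGUE_LEAF], "www.example.com", TRUST_STORE, set(), today))
    print(verify_chain([LEAF, INTER], "www.example.com", TRUST_STORE,
                       {("Example Intermediate CA", 1001)}, today))
```

Two things the toy makes visible that the prose only states: the rogue certificate is perfectly well-formed and correctly signed, and it fails only because "Rogue CA" is absent from the trust store; and a revoked leaf still has a valid signature, so revocation has to be an explicit lookup (the CRL set here, OCSP in practice) rather than something the signature check catches.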
Protocol Migration Best Practices
Migrating from insecure to secure protocols requires three steps: (1) Deploy the secure replacement alongside the insecure protocol. (2) Migrate all traffic to the secure protocol and verify functionality. (3) Block the insecure protocol at the firewall to prevent fallback. Skipping step 3 is the most common failure — users drift back to the easier (insecure) option if it remains available.
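A check for the step most often skipped, as an added example written for this lesson and not code from the page or from any firewall vendor: it reads constructed flow-log lines, counts which clients still talk to the plaintext ports from the protocol map, evaluates a constructed first-match egress ACL to see whether each port is actually blocked, and reports per protocol whether step 3 is done, missing, or done but with clients still attempting the old protocol. The log format, addresses, and rules are assumptions.

```python
"""Added example (not from the lesson): an audit of migration step 3 (is the
plaintext protocol actually blocked?) against what clients are still trying to
do. The flow-log lines and firewall rules are constructed; real input would be
flow logs or a firewall rule export."""
import re
from collections import defaultdict

# Insecure port -> (name, secure replacement, replacement port)
INSECURE = {
    23: ("Telnet", "SSH", 22),
    21: ("FTP", "SFTP", 22),
    80: ("HTTP", "HTTPS", 443),
}

# Constructed flow records in a key=value style.
FLOW_LOG = """\
2025-03-02T10:01:12Z src=10.1.4.22 dst=10.1.9.8 dport=23 proto=tcp
2025-03-02T10:01:15Z src=10.1.4.22 dst=10.1.9.8 dport=22 proto=tcp
2025-03-02T10:02:40Z src=10.1.5.7 dst=10.1.9.30 dport=21 proto=tcp
2025-03-02T10:03:01Z src=10.1.5.9 dst=10.1.9.30 dport=22 proto=tcp
2025-03-02T10:04:18Z src=10.1.6.3 dst=203.0.113.10 dport=80 proto=tcp
2025-03-02T10:04:19Z src=10.1.6.3 dst=203.0.113.10 dport=443 proto=tcp
2025-03-02T10:05:00Z src=10.1.4.22 dst=10.1.9.8 dport=23 proto=tcp
"""

# Constructed egress ACL, evaluated top-down, first match wins.
FIREWALL = [
    {"action": "deny",  "dport": 23},
    {"action": "allow", "dport": 22},
    {"action": "allow", "dport": 21},
    {"action": "allow", "dport": 80},
    {"action": "allow", "dport": 443},
]

LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def parse_flows(text):
    """Yield (src, dst, dport) for each well-formed line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"])


def port_allowed(firewall, dport):
    for rule in firewall:
        if rule["dport"] == dport:
            return rule["action"] == "allow"
    return False  # implicit deny at the end of the ACL


def audit(flow_text, firewall):
    """For each insecure protocol: who still uses it, and is it blocked (step 3)?"""
    clients = defaultdict(set)
    for src, _dst, dport in parse_flows(flow_text):
        if dport in INSECURE:
            clients[dport].add(src)
    report = {}
    for port, (name, replacement, rport) in INSECURE.items():
        blocked = not port_allowed(firewall, port)
        still_used = sorted(clients[port])
        if not blocked:
            status = f"step 3 missing: block tcp/{port}, migrate to {replacement} (tcp/{rport})"
        elif still_used:
            status = f"blocked at firewall, but clients still attempt {name}: reconfigure them"
        else:
            status = "migration complete"
        report[name] = {"port": port, "blocked": blocked, "clients": still_used, "status": status}
    return report


if __name__ == "__main__":
    for name, row in audit(FLOW_LOG, FIREWALL).items():
        print(f"{name:6} blocked={row['blocked']!s:5} clients={row['clients']} -> {row['status']}")
```

On the constructed data Telnet is blocked but 10.1.4.22 keeps trying it (that client was never reconfigured, so the block is doing its job and the fix is on the endpoint), while FTP and HTTP are still allowed and still in use: exactly the "users drift back" failure the text warns about.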
Quick check (fill in the blanks where shown):
- HTTPS wraps HTTP inside a TLS connection to encrypt all data between browser and server.
- After the handshake, both sides use a shared key for fast symmetric encryption of the actual data.
- The server proves its identity by presenting a digital ________ signed by a trusted Certificate Authority.
- The process of negotiating encryption parameters and exchanging keys is called the TLS ________.
Which defense-to-threat pairings are CORRECT?
I. HSTS preloading prevents SSL stripping by eliminating the initial HTTP request
II. DNSSEC prevents DNS spoofing by cryptographically signing responses
III. SSH prevents credential interception by encrypting the entire session
AP® is a registered trademark of the College Board.
Common AP Exam Mistakes — Topic 3.6 / CED 3.2
| Mistake | Why It’s Wrong | What to Do Instead |
|---|---|---|
| Thinking WPA2 is the strongest wireless encryption | The CED (3.2.B.3) explicitly states WPA3 is currently the strongest wireless encryption algorithm. WPA2 has known vulnerabilities (KRACK). WPA3 is the correct answer for “strongest.” | Strongest = WPA3. WEP/WPS/original WPA = known vulnerabilities and insecure. WPA2 = acceptable but not strongest. |
| Saying disabling beacon frames makes a network invisible | Disabling beacons (3.2.B.1) makes the network harder to find and prevents easy information gathering, but determined adversaries with scanning tools can still detect it. It reduces risk, not eliminates it. | Disabling beacons = makes it harder to find the network. It is a deterrent, not a complete defense. |
| Confusing VPN split tunneling with dual-factor auth | Split tunneling (also called dual tunneling) means some traffic goes through the VPN and some goes directly to the internet. It is a routing configuration, not an authentication method. | Split tunneling = routing some traffic outside the VPN tunnel. The CED VPN policy prohibits it because unprotected internet-bound traffic bypasses organizational controls. |
| Forgetting that router/switch policies ban local accounts | Both router (3.2.A.1) and switch (3.2.A.2) security policies require banning local user accounts and requiring an approved authentication server. Students remember the technical controls but forget the account management policy. | All logins to network infrastructure devices must use an approved central authentication server — never local accounts. |
| Applying TLS/HTTPS/SSH content to the AP exam core | TLS, HTTPS, SSH, SFTP, DNSSEC, and PKI are enrichment in this lesson — they extend beyond the CED 3.2 core. The AP exam tests CED 3.2 policy and wireless controls, not TLS handshake details. | For AP exam: focus on the four security policies and four wireless controls in CED 3.2. TLS/SSH/PKI content is background knowledge. |
Students submit before leaving.
- The CED defines four network security policies. List all four and for each name one specific requirement that policy must include. (AP Skill: Mitigate Risk)
- A company’s WAP uses WEP encryption, broadcasts its SSID at full strength, and its signal extends into the adjacent parking structure. Apply all three CED wireless security controls to fix each issue and explain the security benefit of each fix. (AP Skill: Mitigate Risk)
- An employee working remotely connects their laptop to both their home Wi-Fi and the company VPN simultaneously, routing some traffic through the VPN and browsing the web directly. What is this configuration called, why does the CED VPN policy prohibit it, and what is the specific risk? (AP Skill: Mitigate Risk)
- A network administrator configures a new switch with a local admin account and password rather than connecting it to the company authentication server. Which CED policy does this violate, and what should be done instead? (AP Skill: Mitigate Risk)
- True or False: a wireless network that requires WPA3 authentication and disables beacon frame broadcasting is fully secure against wireless attacks. Explain using two CED wireless security controls. (AP Skill: Mitigate Risk)