Unit 3 Project: Network Security Consultant Report | AP Cybersecurity

Unit 3 • Project

Unit 3 Project: Network Security Consultant Report

5 parts, 50 points — You are a network security consultant hired by Crossroads Logistics to assess and redesign their network security after a breach.

Score: 0 / 50
Client Brief
Crossroads Logistics — Post-Breach Network Redesign

Crossroads Logistics operates on a flat /16 network with 300 driver tablets, 50 dispatch workstations, 12 warehouse servers, a fleet GPS system, and a customer shipment portal. A recent breach exploited: (1) a flat network with no segmentation, (2) unmanaged switches with default credentials, (3) FTP for file transfers, (4) HTTP on the customer portal, (5) no IDS/IPS or SIEM, and (6) Telnet for server management. The CEO wants a complete network security redesign. Your deliverable is a 5-part consultant report.

Part 1: Network Segmentation Design10 points
Design a VLAN segmentation plan for Crossroads. Include at least 5 VLANs, specify what devices go in each, and explain the security rationale for each zone separation.
Key terms: VLAN, driver, tablet, dispatch, warehouse, server, GPS, IoT, customer, portal, DMZ, guest, isolate, trust level, PCI, sensitive, restricted, outbound-only
Model Answer: VLAN 10: Driver Tablets (untrusted mobile, limited API access). VLAN 20: Dispatch Workstations (internal operations, moderate trust). VLAN 30: Warehouse Servers (sensitive logistics data, restricted access). VLAN 40: Customer Portal (DMZ, public-facing, isolated from internal). VLAN 50: GPS/IoT (restricted outbound-only to management server). VLAN 60: Guest Wi-Fi (internet-only, zero internal access). Each zone isolated by trust level with inter-VLAN firewall rules.
Exam Tip: Segment by: trust level, data sensitivity, device type, and regulatory requirements. Each VLAN needs a security rationale, not just a technical one.
Part 2: Firewall Rule Design10 points
Write 5 specific firewall rules for the inter-VLAN firewall. For each rule, specify: source VLAN, destination VLAN, allowed ports/protocols, and action (allow/deny). Include an implicit deny-all as the final rule.
Key terms: ALLOW, DENY, source, destination, port, TCP, UDP, 443, 22, 80, 53, specific, least privilege, implicit deny, log, audit
Model Answer: Rule 1: ALLOW Dispatch (VLAN 20) to Servers (VLAN 30) TCP 443 — dispatch accesses logistics app via HTTPS. Rule 2: ALLOW Servers (VLAN 30) to GPS (VLAN 50) UDP 8600 — servers receive GPS telemetry. Rule 3: DENY Drivers (VLAN 10) to Servers (VLAN 30) ALL — drivers should not access servers directly. Rule 4: DENY Guest (VLAN 60) to ANY internal — guests get internet only. Rule 5: DENY ALL to ALL (implicit deny) — block everything not explicitly permitted.
Exam Tip: Rules must be specific (source, dest, port), follow least privilege (deny by default), and include an implicit deny-all at the bottom.
Part 3: Protocol Migration Plan10 points
Write a protocol migration plan for all insecure protocols found at Crossroads. For each: name the insecure protocol, its secure replacement, the migration steps, and the timeline priority.
Key terms: Telnet, SSH, FTP, SFTP, HTTP, HTTPS, HSTS, deploy, migrate, block, port 21, port 22, port 23, port 80, port 443, encrypt, immediate, test, verify
Model Answer: Priority 1 (Immediate): Telnet→SSH — deploy SSH, migrate all server management, block port 23. Priority 2 (30 days): HTTP→HTTPS+HSTS on customer portal — deploy TLS certificate, enable HSTS preloading, block port 80. Priority 3 (60 days): FTP→SFTP — deploy SFTP servers, migrate all file transfers, block port 21. Each migration follows deploy → migrate → block sequence.
Exam Tip: Migration = deploy, migrate, BLOCK. Skipping step 3 (blocking insecure protocol) is the most common failure. Users drift back to the easier option if it is available.
Part 4: Detection and Monitoring Architecture10 points
Design a detection/monitoring architecture for Crossroads. Specify: (1) where to deploy IDS/IPS sensors, (2) which log sources to feed into a SIEM, (3) three specific SIEM correlation rules, and (4) the response workflow when an alert fires.
Key terms: IDS, IPS, SIEM, SOAR, sensor, inline, passive, perimeter, internal, log, AD, firewall, VPN, email, correlation, brute-force, anomaly, baseline, alert, triage, escalate, contain, investigate
Model Answer: IDS/IPS: inline IPS at perimeter (between internet and DMZ), passive IDS on internal VLAN trunk links. SIEM sources: firewall logs, AD authentication, VPN connections, email gateway, server access logs. Correlation rules: (1) brute-force IP matches successful login within 7 days, (2) file access volume exceeds 5x user baseline, (3) outbound transfer exceeding 1 GB to non-business country. Response: alert → SOC triage → severity classification → contain (isolate affected VLAN) → investigate → remediate → document.
Exam Tip: Detection architecture has four layers: sensors (where), sources (what data), rules (what patterns), and workflow (what happens next). Each layer supports the others.
Part 5: Executive Summary10 points
Write a 1-page executive summary for Crossroads’ CEO. Include: (1) current state assessment (what was wrong), (2) top 3 risks ranked by business impact, (3) recommended architecture changes, and (4) estimated timeline and resource requirements. Write for a non-technical audience.
Key terms: flat network, segmentation, VLAN, insecure protocols, encrypt, default credentials, no monitoring, IDS, SIEM, risk, breach, customer data, compliance, timeline, budget, phase, immediate, 30 days, 90 days
Model Answer: Current state: flat network with no segmentation, insecure protocols (Telnet, FTP, HTTP), default credentials, and zero detection capability. Top risks: (1) flat network enables any compromised device to reach all systems, (2) plaintext protocols expose credentials and data to interception, (3) no monitoring means breaches go undetected. Recommendations: segment into 6 VLANs, migrate all protocols to encrypted alternatives, deploy IDS/IPS + SIEM, change all default credentials. Timeline: Phase 1 (immediate): credential changes + Telnet→SSH. Phase 2 (30 days): VLAN deployment + protocol migration. Phase 3 (90 days): SIEM deployment + tuning.
Exam Tip: Executive summaries for non-technical audiences: lead with business impact (not technical details), rank by risk, and provide actionable timelines. “Your network has no walls” is better than “your /16 subnet lacks VLAN segmentation.”
Total Points
Course Hub
AP Cybersecurity Unit 3 Project | APCSExamPrep.com | Built by Tanner Crow, AP CS Teacher (11+ years)
AP® is a registered trademark of the College Board.

Get in Touch

Whether you're a student, parent, or teacher — I'd love to hear from you.

Just want free AP CS resources?

Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.

Typically responds within 24 hours

Message Sent!

Thanks for reaching out. I'll get back to you within 24 hours.

🏫 Welcome, fellow educator!

I offer curriculum resources, practice materials, and study guides designed for AP CS teachers. Let me know what you're looking for — whether it's classroom materials, a guest speaker, or Teachers Pay Teachers resources.

Email

[email protected]

📚

Courses

AP CSA, CSP, & Cybersecurity

Response Time

Within 24 hours

Prefer email? Reach me directly at [email protected]