AP Cybersecurity Unit 3: Securing Networks

Unit 3: Securing Networks

Network Attacks, Firewalls, Segmentation, IDS/IPS & SIEM

🎯 Learning Objectives

By the end of this unit, you will be able to:

  • Identify common network attacks and the protocols that are vulnerable to them
  • Explain how ARP poisoning and DDoS attacks compromise networks
  • Configure firewall rules and access control lists (ACLs)
  • Implement network segmentation using VLANs and DMZs
  • Describe IDS, IPS, and SIEM systems for network monitoring
  • Analyze network traffic and logs to detect attacks

Key terms: ARP Poisoning, DDoS, Firewall, ACL, VLAN, DMZ, IDS/IPS, SIEM

3.1 Network Vulnerabilities and Attacks

Networks are the backbone of modern organizations, connecting devices, users, and services. This connectivity also creates opportunities for adversaries to intercept, manipulate, or disrupt network traffic.

The OSI Model and Security

The Open Systems Interconnection (OSI) model describes how network communication works in seven layers. Understanding which layer an attack targets helps determine appropriate defenses.

Layer | Name         | Security Concerns
7     | Application  | Phishing, malware, application exploits
6     | Presentation | Encryption/decryption attacks
5     | Session      | Session hijacking
4     | Transport    | Port scanning, SYN floods
3     | Network      | IP spoofing, routing attacks
2     | Data Link    | ARP poisoning, MAC spoofing
1     | Physical     | Cable tapping, jamming

Common Network Attacks

🔄 ARP Poisoning (ARP Spoofing)

What is ARP? The Address Resolution Protocol maps IP addresses to MAC (hardware) addresses on a local network. Devices broadcast "Who has IP X?" and the owner responds with their MAC address.

The Attack: An adversary sends false ARP responses, associating their MAC address with another device's IP address (often the gateway). Traffic intended for that device flows through the adversary instead.

Impact: Man-in-the-Middle position—adversary can intercept, read, and modify traffic between victims.

ARP Poisoning Attack Flow
    Normal:                          After ARP Poisoning:
    
    [Victim] ──────► [Gateway]       [Victim] ──► [Attacker] ──► [Gateway]
       │                                  │            │
       └─── Traffic goes directly         └─── Attacker intercepts
                                               and forwards traffic
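The two symptoms of the poisoning shown above (the gateway IP suddenly resolving to a different MAC, and one MAC answering for several IPs) can be checked by diffing ARP-cache snapshots. This is an added example, not code from the study guide; the snapshot format and all addresses are constructed.

```python
"""Spot ARP poisoning symptoms by comparing two snapshots of a host's ARP cache.

Added example, not from the study guide. The 'ip mac' snapshot format and all
addresses below are constructed."""
from collections import defaultdict

# Constructed: gateway .1, victim .20, a third host .66
SNAPSHOT_BEFORE = """
192.168.1.1   aa:bb:cc:00:00:01
192.168.1.20  aa:bb:cc:00:00:20
192.168.1.66  aa:bb:cc:00:00:66
"""
# After poisoning, the gateway IP is suddenly answered by the .66 host's MAC
SNAPSHOT_AFTER = """
192.168.1.1   aa:bb:cc:00:00:66
192.168.1.20  aa:bb:cc:00:00:20
192.168.1.66  aa:bb:cc:00:00:66
"""

def parse_arp_table(text):
    """Parse 'ip mac' lines into {ip: mac}."""
    table = {}
    for line in text.strip().splitlines():
        ip, mac = line.split()
        table[ip] = mac.lower()
    return table

def find_arp_anomalies(before, after):
    """Return [(kind, detail)] findings. Two symptoms are checked:
    1. an IP whose MAC changed between snapshots (the direct poisoning symptom);
    2. one MAC answering for several IPs (attacker claims gateway and its own).
    Caveat: VRRP/HSRP gateways and multi-homed hosts can trigger (2) legitimately,
    so treat it as a lead to verify against the switch's MAC table, not proof."""
    findings = []
    for ip, mac in after.items():
        if ip in before and before[ip] != mac:
            findings.append(("mac_changed", f"{ip}: {before[ip]} -> {mac}"))
    owners = defaultdict(list)
    for ip, mac in after.items():
        owners[mac].append(ip)
    for mac, ips in owners.items():
        if len(ips) > 1:
            findings.append(("mac_multiple_ips", f"{mac}: {sorted(ips)}"))
    return findings
```

On a real host the snapshots would come from the ARP cache (for example the output of `arp -a` or `ip neigh`) taken a few seconds apart; Dynamic ARP Inspection on the switch remains the actual mitigation.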
                

🌊 DDoS Attack (Distributed Denial of Service)

What it is: Multiple compromised systems (a "botnet") flood a target with traffic, overwhelming its resources and making it unavailable to legitimate users.

Types of DDoS:

  • Volumetric: Flood bandwidth with massive traffic (UDP floods, ICMP floods)
  • Protocol: Exploit protocol weaknesses (SYN floods exhaust connection tables)
  • Application: Target specific services (HTTP request floods)

Impact: Website/service unavailable, loss of revenue, reputation damage.

👃 Packet Sniffing

Adversaries capture network packets to analyze their contents. On unencrypted networks, they can read usernames, passwords, and sensitive data.

Tools: Wireshark and tcpdump are legitimate analysis tools that can also be misused.

🎭 IP Spoofing

Adversary forges the source IP address in packets to disguise their identity or impersonate another system. Often used in DDoS attacks to hide the true source.

🔌 Rogue DHCP Server

Adversary sets up an unauthorized DHCP server that provides malicious network configurations to clients—directing traffic through adversary-controlled systems.

Vulnerable Protocols

Protocol | Vulnerability                                   | Secure Alternative
HTTP     | Transmits data in plaintext; can be intercepted | HTTPS (HTTP + TLS)
Telnet   | Sends commands and passwords in plaintext       | SSH
FTP      | Credentials sent in plaintext                   | SFTP, FTPS
ARP      | No authentication; accepts any response         | Dynamic ARP Inspection, static entries
DNS      | Responses can be spoofed                        | DNSSEC

⚠️ The Encryption Imperative

Many network attacks rely on intercepting unencrypted traffic. Using encrypted protocols (HTTPS, SSH, VPN) prevents adversaries from reading captured data, even if they successfully perform a Man-in-the-Middle attack.

3.2 Wireless Security & Managerial Controls

Wireless Network Vulnerabilities

Wireless networks broadcast signals that can be captured by anyone within range, making them inherently more vulnerable than wired networks.

Attack           | Description                                       | Mitigation
Evil Twin        | Fake AP with similar SSID captures user traffic   | Verify network names; use VPN; employee training
Jamming          | EM interference prevents legitimate communication | Spectrum monitoring; redundant connectivity
War Driving      | Scanning for vulnerable wireless networks         | Strong encryption; hidden SSID; signal containment
Deauthentication | Force clients to disconnect, capture handshake    | WPA3; 802.11w management frame protection

Wireless Security Protocols

Protocol | Security Level | Notes
WEP      | ❌ Broken      | Can be cracked in minutes; never use
WPA      | ⚠️ Weak        | Improved but still vulnerable; avoid if possible
WPA2     | ✓ Good         | Currently acceptable; use AES encryption
WPA3     | ✓ Best         | Latest standard; enhanced protections

Managerial Controls for Network Security

📋 Acceptable Use Policy (AUP)

Defines how employees can use organization networks and devices:

  • Approved activities and prohibited behaviors
  • Personal device policies (BYOD)
  • Consequences for violations

🔑 Access Control Policy

Specifies who can access what resources:

  • Principle of Least Privilege: Users get minimum access needed
  • Need-to-Know: Access based on job requirements
  • Regular Reviews: Periodic access audits

📡 Wireless Security Policy

Rules for wireless network deployment and use:

  • Approved encryption standards (WPA2/WPA3 only)
  • SSID naming conventions
  • Guest network isolation requirements
  • Rogue access point monitoring

3.3 Network Segmentation

Network Segmentation divides a network into smaller, isolated segments. This limits an adversary's ability to move laterally after gaining access to one segment and protects sensitive resources from general network traffic.

Virtual LANs (VLANs)

VLANs create logical network segments on the same physical infrastructure. Devices on different VLANs cannot communicate directly without going through a router or firewall.

VLAN Segmentation Example
                    [Internet]
                        │
                    [Firewall]
                        │
                ┌───────┴───────┐
                │    Router     │
                └───────┬───────┘
        ┌───────────────┼───────────────┐
        │               │               │
   [VLAN 10]       [VLAN 20]       [VLAN 30]
   Accounting      Engineering       Guest
   192.168.10.x    192.168.20.x    192.168.30.x
                
💡 Benefits of VLANs
  • Security: Compromise of one VLAN doesn't automatically affect others
  • Performance: Reduces broadcast traffic within segments
  • Flexibility: Logical grouping independent of physical location
  • Compliance: Isolate systems handling sensitive data (PCI-DSS, HIPAA)

Demilitarized Zone (DMZ)

DMZ (Demilitarized Zone) is a network segment that sits between an organization's internal network and the internet. It hosts public-facing services (web servers, email servers) while protecting internal resources.

DMZ Architecture
                        [Internet]
                            │
                    ┌───────┴───────┐
                    │ Outer Firewall │  ← Filters incoming traffic
                    └───────┬───────┘
                            │
                    ┌───────┴───────┐
                    │      DMZ      │  ← Web Server, Mail Server, DNS
                    └───────┬───────┘
                            │
                    ┌───────┴───────┐
                    │ Inner Firewall │  ← Protects internal network
                    └───────┬───────┘
                            │
                    ┌───────┴───────┐
                    │ Internal LAN  │  ← Databases, Workstations, Servers
                    └───────────────┘
                

Why Use a DMZ?

  • If a public server is compromised, the adversary is still separated from internal resources
  • Different firewall rules can apply to DMZ vs. internal traffic
  • Provides defense-in-depth for critical internal systems

Microsegmentation

Modern networks use microsegmentation—creating very granular segments, sometimes down to individual workloads or applications. This limits lateral movement even within what was traditionally a single segment.

✅ Exam Tip

Understand the difference between VLANs (logical segments on same switch), DMZ (buffer zone for public services), and microsegmentation (granular isolation). Know why each is used and what attacks they help prevent.

3.4 Firewalls and Access Control Lists

Firewall: A security device (hardware or software) that monitors and controls network traffic based on predetermined security rules. It creates a barrier between trusted internal networks and untrusted external networks.

Types of Firewalls

Type                      | How It Works                                    | Pros/Cons
Packet Filtering          | Examines packet headers (source/dest IP, ports) | Fast but limited; can't inspect content
Stateful Inspection       | Tracks connection state; understands sessions   | More intelligent; better security than packet filtering
Application Layer (Proxy) | Inspects actual application data                | Can detect malicious content; higher resource usage
Next-Generation (NGFW)    | Combines all above + IPS, application awareness | Most comprehensive; requires more management

Access Control Lists (ACLs)

ACLs are ordered lists of rules that define which traffic is permitted or denied. They're processed top-to-bottom; the first matching rule is applied.

ACL Components

  • Action: PERMIT or DENY
  • Protocol: TCP, UDP, ICMP, IP, etc.
  • Source: IP address/range of traffic origin
  • Destination: IP address/range of traffic target
  • Port: Service port number (80=HTTP, 443=HTTPS, 22=SSH, etc.)

Example ACL Rules

# Allow HTTPS traffic from any source to web server
PERMIT TCP any → 192.168.1.100 port 443
# Allow SSH only from admin subnet
PERMIT TCP 10.0.50.0/24 → 192.168.1.0/24 port 22
# Block Telnet from everywhere (insecure)
DENY TCP any → any port 23
# Deny all other traffic (implicit deny)
DENY IP any → any

⚠️ Implicit Deny

Most firewalls have an implicit deny rule at the end—if traffic doesn't match any explicit permit rule, it's denied. This is a "default deny" security posture. Some configurations make this explicit as the last rule.
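The top-to-bottom, first-match evaluation and the implicit deny can be exercised on the example rules above, together with a lint for the Scenario 3A concern (management ports opened to "any"). This is an added example, not the study guide's code; the rule syntax follows the guide's notation, and the `evaluate()` packet arguments are an assumption.

```python
"""First-match ACL evaluation with implicit deny, plus a lint for management
ports exposed to 'any' (the Scenario 3A concern).

Added example, not from the study guide. Rule syntax follows the guide's
"Example ACL Rules"; the evaluate() packet arguments are an assumption."""
import ipaddress

ADMIN_PORTS = {22: "SSH", 23: "Telnet", 3389: "RDP"}   # from the guide's port table

def _addr_matches(spec, addr):
    """'any' matches everything; otherwise a host address or CIDR network."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def parse_rule(text):
    """Parse e.g. 'PERMIT TCP 10.0.50.0/24 → 192.168.1.0/24 port 22'."""
    p = text.replace("→", " ").split()
    port = int(p[5]) if len(p) > 5 and p[4].lower() == "port" else None
    return {"action": p[0].upper(), "proto": p[1].upper(), "src": p[2], "dst": p[3], "port": port}

def evaluate(rules, proto, src, dst, port):
    """Top-down, first match wins. Returns (action, index of matching rule);
    no match falls through to the implicit deny, reported as index None."""
    for i, r in enumerate(rules):
        if (r["proto"] in ("IP", proto.upper())
                and (r["port"] is None or r["port"] == port)
                and _addr_matches(r["src"], src) and _addr_matches(r["dst"], dst)):
            return r["action"], i
    return "DENY", None

def exposed_admin_ports(rules):
    """Lint: PERMIT rules that open a management port to any source."""
    return [(i, ADMIN_PORTS[r["port"]]) for i, r in enumerate(rules)
            if r["action"] == "PERMIT" and r["src"] == "any" and r["port"] in ADMIN_PORTS]

# The guide's example ACL, without its final explicit deny-all, so that the
# implicit deny is what catches unmatched traffic
ACL = [parse_rule(t) for t in (
    "PERMIT TCP any → 192.168.1.100 port 443",
    "PERMIT TCP 10.0.50.0/24 → 192.168.1.0/24 port 22",
    "DENY TCP any → any port 23",
)]

# Scenario 3A's rule set: the lint flags rule 1 (SSH) and rule 4 (RDP)
SCENARIO_3A = [parse_rule(t) for t in (
    "PERMIT TCP any → 192.168.1.10 port 22",
    "PERMIT TCP any → 192.168.1.10 port 80",
    "PERMIT TCP any → 192.168.1.10 port 443",
    "PERMIT TCP any → 192.168.1.10 port 3389",
    "DENY IP any → any",
)]
```

Because the first match wins, a broad PERMIT placed above a narrower DENY silently disables the DENY; ordering rules from most specific to least specific avoids that.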

Common Port Numbers

Port   | Protocol | Service
20, 21 | TCP      | FTP (data, control)
22     | TCP      | SSH
23     | TCP      | Telnet (insecure)
25     | TCP      | SMTP (email)
53     | TCP/UDP  | DNS
80     | TCP      | HTTP
443    | TCP      | HTTPS
3389   | TCP      | RDP (Remote Desktop)

Firewall Rule Analysis

🔥 Scenario 3A: Evaluating Firewall Rules

Your company's firewall has these rules. Identify any security concerns:

Rule 1: PERMIT TCP any → 192.168.1.10 port 22
Rule 2: PERMIT TCP any → 192.168.1.10 port 80
Rule 3: PERMIT TCP any → 192.168.1.10 port 443
Rule 4: PERMIT TCP any → 192.168.1.10 port 3389
Rule 5: DENY IP any → any

🚨 Security Issues
  • Rule 1: SSH open to "any" source—should be restricted to admin IPs only
  • Rule 4: RDP open to "any"—extremely dangerous; common ransomware entry point. Should require VPN or be restricted to specific IPs

3.5 Detecting Network Attacks

Intrusion Detection Systems (IDS)

Intrusion Detection System (IDS): A system that monitors network traffic or system activities for malicious activity or policy violations and alerts security personnel. An IDS is passive—it detects and reports but doesn't block.

Types of IDS

Type               | What It Monitors             | Placement
Network IDS (NIDS) | Network traffic on a segment | Strategic network points (perimeter, between segments)
Host IDS (HIDS)    | Activity on a specific host  | Individual servers or workstations

Detection Methods

Method          | How It Works                                  | Strengths/Weaknesses
Signature-Based | Matches traffic against known attack patterns | Accurate for known attacks; misses new (zero-day) attacks
Anomaly-Based   | Learns normal behavior; alerts on deviations  | Can detect unknown attacks; higher false positive rate
Behavior-Based  | Analyzes behavior patterns of users/systems   | Good for insider threats; requires baseline

Intrusion Prevention Systems (IPS)

Intrusion Prevention System (IPS): Similar to IDS but active—can automatically block or prevent detected malicious activity. Positioned inline with traffic flow.

IDS (Detection)

  • Passive monitoring
  • Alerts only
  • No impact on traffic flow
  • Can't stop attacks in progress

IPS (Prevention)

  • Active, inline
  • Blocks malicious traffic
  • Can impact performance
  • Risk of false positive blocks

Security Information and Event Management (SIEM)

SIEM: A platform that collects, aggregates, and analyzes security data from across the organization—logs from firewalls, IDS/IPS, servers, applications, and endpoints. Provides centralized visibility and correlation of security events.

SIEM Capabilities

  • Log Collection: Gathers logs from all security devices and systems
  • Normalization: Converts different log formats to common format
  • Correlation: Links related events across systems to identify attacks
  • Alerting: Notifies security teams of suspicious patterns
  • Dashboards: Visual representation of security posture
  • Forensics: Historical data for incident investigation

Analyzing Network Evidence

📊 Scenario 3B: Log Analysis

Your SIEM alerts you to unusual activity. The firewall log shows:

2025-03-15 02:14:22 DENY TCP 185.43.12.7 → 10.0.1.50:22 
2025-03-15 02:14:23 DENY TCP 185.43.12.7 → 10.0.1.50:22
2025-03-15 02:14:24 DENY TCP 185.43.12.7 → 10.0.1.50:22
[... 847 similar entries over 10 minutes ...]
2025-03-15 02:24:31 PERMIT TCP 185.43.12.7 → 10.0.1.50:22

🚨 Analysis

Indicators of Compromise:

  • 850 attempts to SSH (port 22) from same external IP in 10 minutes
  • Unusual time (2:14 AM)
  • Pattern: Many denies followed by a permit = likely successful brute force
  • Action needed: Investigate the successful connection; check for unauthorized changes; consider blocking the IP; reset credentials

✅ Exam Tip

The AP exam includes questions with network logs and packet captures. Practice identifying: repeated connection attempts (brute force), unusual ports, external IPs accessing internal resources, and timing anomalies. Know the difference between IDS (detect/alert) and IPS (detect/block).

📝 Unit 3 Practice Questions

1 Multiple Choice

An adversary sends false ARP responses to associate their MAC address with the default gateway's IP address. What type of attack is this?

  • A) DDoS attack
  • B) ARP poisoning
  • C) DNS spoofing
  • D) IP fragmentation attack

Answer: B

Explanation: ARP poisoning involves sending false ARP responses to associate the attacker's MAC address with another device's IP (often the gateway). This creates a Man-in-the-Middle position where all traffic flows through the attacker.

2 Multiple Choice

What is the PRIMARY difference between an IDS and an IPS?

  • A) IDS monitors networks; IPS monitors hosts
  • B) IDS uses signatures; IPS uses anomaly detection
  • C) IDS alerts on threats; IPS can block threats
  • D) IDS is hardware; IPS is software

Answer: C

Explanation: The key difference is that IDS is passive (detects and alerts) while IPS is active (can block malicious traffic). Both can use signature or anomaly detection, and both can be network or host-based.

3 Multiple Choice

A company wants to host a public web server while protecting its internal database server. Which network architecture should they implement?

  • A) Place both servers on the same VLAN
  • B) Place the web server in a DMZ
  • C) Use a single firewall with no segmentation
  • D) Connect the web server directly to the internet without a firewall

Answer: B

Explanation: A DMZ is designed exactly for this purpose—hosting public-facing services while protecting internal resources. The web server sits between two firewalls; even if compromised, the attacker must breach another firewall to reach the database.

4 Multiple Choice

Which firewall rule would allow HTTPS traffic to a web server at 10.0.1.100?

  • A) PERMIT TCP any → 10.0.1.100 port 80
  • B) PERMIT TCP any → 10.0.1.100 port 443
  • C) PERMIT UDP any → 10.0.1.100 port 443
  • D) PERMIT TCP any → 10.0.1.100 port 22

Answer: B

Explanation: HTTPS uses TCP port 443. Port 80 is HTTP (unencrypted), port 22 is SSH, and HTTPS does not use UDP.

5 Multiple Choice

What is the purpose of a SIEM system?

  • A) To encrypt network traffic between sites
  • B) To block malicious traffic at the network perimeter
  • C) To collect and correlate security events from multiple sources
  • D) To segment the network into VLANs

Answer: C

Explanation: A SIEM (Security Information and Event Management) collects logs from firewalls, IDS/IPS, servers, and other sources, then correlates events to identify security incidents. It provides centralized visibility across the organization.

6 Multiple Choice

Which wireless security protocol should NEVER be used because it can be cracked in minutes?

  • A) WPA3
  • B) WPA2
  • C) WPA
  • D) WEP

Answer: D

Explanation: WEP (Wired Equivalent Privacy) has fundamental cryptographic weaknesses and can be cracked in minutes with freely available tools. Always use WPA2 or preferably WPA3.

7 Free Response

A company's network has a single flat network where all devices—employee workstations, servers, IoT devices, and guest devices—share the same network segment.

(a) Identify TWO security risks of this flat network design.

(b) Recommend a network segmentation strategy and explain how it addresses each risk.

(c) Describe what firewall rules would be needed between segments.

Sample Response:

(a) Security Risks:

1. Lateral movement: If any device is compromised (especially vulnerable IoT devices), the attacker can easily access all other devices including sensitive servers.

2. Guest access to internal resources: Guest devices on the same segment can potentially access internal servers and workstations.

(b) Segmentation Strategy:

Implement VLANs to separate: (1) Servers, (2) Employee workstations, (3) IoT devices, (4) Guest network.

This addresses the risks because traffic between VLANs must pass through a router/firewall where it can be inspected and controlled. A compromised IoT device cannot directly access the server VLAN.

(c) Firewall Rules:

  • PERMIT employee VLAN → server VLAN on required ports only
  • DENY IoT VLAN → server VLAN (IoT devices don't need server access)
  • DENY guest VLAN → all internal VLANs
  • PERMIT guest VLAN → internet only
  • Implicit DENY all other inter-VLAN traffic

8 Free Response

Analyze the following firewall log excerpt and answer the questions below:

14:22:01 PERMIT TCP 10.0.5.22 → 10.0.1.10:443
14:22:15 DENY TCP 203.45.67.89 → 10.0.1.10:3389
14:22:16 DENY TCP 203.45.67.89 → 10.0.1.10:3389
14:22:17 DENY TCP 203.45.67.89 → 10.0.1.10:3389
[... pattern continues 200 times ...]
14:25:33 PERMIT TCP 203.45.67.89 → 10.0.1.10:3389

(a) What type of attack does this log suggest?

(b) What service was being targeted and why is this concerning?

(c) What does the final PERMIT entry indicate?

(d) What immediate actions should be taken?

Sample Response:

(a) This log suggests a brute force password attack. The pattern of hundreds of rapid connection attempts from the same external IP followed by a successful connection is characteristic of credential guessing.

(b) Port 3389 is RDP (Remote Desktop Protocol). This is extremely concerning because RDP provides full remote control of the system. It's a common target for ransomware attacks—once attackers gain RDP access, they can deploy ransomware across the network.

(c) The final PERMIT entry indicates the attacker successfully authenticated—they guessed the correct password after 200+ attempts. The system has been compromised.

(d) Immediate actions:

  • Disconnect the compromised system (10.0.1.10) from the network
  • Block the attacker's IP (203.45.67.89) at the firewall
  • Change all passwords for accounts on that system
  • Check for malware, unauthorized changes, or lateral movement
  • Review why RDP was accessible from external IPs—should require VPN
  • Implement account lockout policy to prevent future brute force attacks
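The SIEM correlation behind Scenario 3B and this question (a burst of DENY entries from one source to one port, then a PERMIT from the same source) can be written as a rule over parsed firewall log lines. This is an added example, not the study guide's code; the line format mirrors the guide's log excerpts, and the sample log it builds is constructed.

```python
"""SIEM-style correlation rule for the brute-force pattern in Scenario 3B and
Question 8: many DENY entries from one source to one port, then a PERMIT.

Added example, not from the study guide. The line format mirrors the guide's
firewall log; the sample log returned by build_sample_log() is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>PERMIT|DENY) "
                  r"(?P<proto>\w+) (?P<src>[\d.]+) → (?P<dst>[\d.]+):(?P<port>\d+)$")

def parse_log(text):
    """Parse log lines; placeholder lines such as '[... 847 similar ...]' are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
            e["port"] = int(e["port"])
            events.append(e)
    return events

def find_brute_force(events, threshold=20, window=timedelta(minutes=10)):
    """One finding per (src, dst, port) with >= threshold DENYs inside `window`.
    'confirmed' is True when a PERMIT from that source follows the first DENY,
    i.e. the guesses probably succeeded; otherwise it is an attempt to watch."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["src"], e["dst"], e["port"])].append(e)
    findings = []
    for (src, dst, port), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        denies = [e["ts"] for e in evs if e["action"] == "DENY"]
        permits = [e["ts"] for e in evs if e["action"] == "PERMIT"]
        for i, t0 in enumerate(denies):          # sliding window over the DENYs
            j = i
            while j < len(denies) and denies[j] - t0 <= window:
                j += 1
            if j - i >= threshold:
                later = [p for p in permits if p >= t0]
                findings.append({"src": src, "dst": dst, "port": port, "denies": j - i,
                                 "first_deny": t0, "confirmed": bool(later),
                                 "permit": later[0] if later else None})
                break                            # report each key once
    return findings

def build_sample_log():
    """Constructed log: a 30-attempt SSH burst ending in a PERMIT, one normal
    HTTPS connection, and a 3-attempt RDP probe that stays below the threshold."""
    base = datetime(2025, 3, 15, 2, 14, 22)
    lines = [f"{base + timedelta(seconds=i):%Y-%m-%d %H:%M:%S} DENY TCP 185.43.12.7 → 10.0.1.50:22"
             for i in range(30)]
    lines += ["[... placeholder line, skipped by the parser ...]",
              "2025-03-15 02:24:31 PERMIT TCP 185.43.12.7 → 10.0.1.50:22",
              "2025-03-15 02:20:00 PERMIT TCP 10.0.5.22 → 10.0.1.10:443"]
    lines += [f"2025-03-15 02:30:{s:02d} DENY TCP 203.0.113.9 → 10.0.1.10:3389" for s in range(3)]
    return "\n".join(lines)
```

A confirmed finding is the trigger for the actions listed in the sample response above; an unconfirmed one (burst with no PERMIT) still merits blocking the source and checking the account lockout policy.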

AP Cybersecurity Study Guide | APCSExamPrep.com

AP® is a registered trademark of the College Board.
