Network diagrams show you where devices sit, how traffic flows, and where defenders draw trust boundaries. This guide teaches you how to read those diagrams the way the AP Cybersecurity course expects: not as labeled pictures, but as evidence about risk, controls, and attack paths. You will learn to spot firewall placement, segmentation choices, DMZs, device roles, and the boundaries that separate trusted zones from untrusted ones.
Where Network Diagrams Show Up
Network diagrams live mostly in Unit 3, Securing Networks. Topic 3.3 covers segmentation, Topic 3.4 covers firewalls and their placement, and Scenario 3A asks you to place and configure two firewalls around a hospital web server and an internal file server. Scenario 3C asks you to recommend security features for three separate submarine LANs and demonstrate them on a diagram.
Diagram reading connects directly to the assessed skills. You use Skill Category 1 to identify vulnerabilities in a layout, Skill Category 2 to place controls like firewalls and segmentation, and Skill Category 3 to reason about where monitoring should sit. On the exam, multiple-choice items can present firewall ACLs or topology context, and the free-response Device Security Analysis can include firewall configurations you must interpret against the device and its traffic.
The Core Elements to Read
When a diagram appears, scan for these pieces before answering anything.
| Element | What to look for | Why it matters |
|---|---|---|
| Device roles | Web server, file server, DNS, switch, router, default gateway | Public-facing servers carry different risk than internal-only servers |
| Trust boundaries | The line between internet, DMZ, and internal LAN | Defines what counts as untrusted traffic crossing in |
| Firewall placement | Edge firewall vs internal firewall | Controls which traffic is filtered at which boundary |
| Segmentation | Separate LANs, VLANs, isolated zones | Limits how far an adversary can move after compromise |
| Traffic paths | Arrows or links showing data flow | Tells you which links an attack must traverse |
Device role drives almost everything. A web server that patients reach from the internet must accept inbound traffic, so it belongs where external connections are expected. A file server holding patient records should only be reachable from inside, so it sits behind an internal boundary.
DMZs and Trust Boundaries
A DMZ is a zone for public-facing services that sits between the untrusted internet and the trusted internal network. Putting a web server in a DMZ lets outside users reach it while keeping them from touching the internal LAN directly.
Think of trust boundaries as the lines where filtering decisions happen. Each time traffic crosses a boundary, a firewall should evaluate it. In Scenario 3A, Firewall A sits between the internet and the public web server so external traffic can reach the web app while unrelated inbound traffic is blocked. Firewall B sits between the internal network and the file server so only internal employees can reach patient records and nothing arriving from outside can.
A Workflow for Reading Any Diagram
Use this sequence so you do not miss the placement logic.
- Label every device by role and by who needs to reach it. Mark each as internet-facing or internal-only.
- Trace each required traffic path from source to destination. Note every boundary the path crosses.
- Identify trust zones. Group the internet, any DMZ, and internal LANs.
- Check firewall placement against the boundaries. Every boundary that separates a trust level should have filtering.
- Map vulnerabilities. Ask where untrusted traffic reaches sensitive assets without a control in between.
- Propose or evaluate controls. Place firewalls, add segmentation, or move a server to the correct zone.
Worked Mini-Example
Imagine a diagram like Scenario 3A: the internet connects to a router, the router connects to a switch, and both a public web server and an internal file server hang off that switch with no firewalls yet.
First, label roles. The web server is internet-facing because patients book appointments on it. The file server is internal-only because it holds patient records. Both currently sit on the same segment with no filtering, so anything that reaches the web server can also reach the file server.
That shared segment is the vulnerability. An adversary who compromises the web server has a direct path to patient records because there is no boundary between them.
Now place controls. Put Firewall A at the internet edge so external traffic can reach the web server on its web ports (TCP 80 and 443) while all other inbound traffic is denied. Put Firewall B in front of the file server so only traffic from the internal employee network is allowed and every external source is blocked. The web server effectively moves into a DMZ, and the file server moves behind an internal boundary. With that second boundary in place, a compromised web server no longer hands the adversary the records: its traffic toward the file server must now cross Firewall B, which has no rule permitting a DMZ source.
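The workflow above and this mini-example can be run as code. The following is an added example, not material from the course or the scenario: it models a Scenario-3A-style diagram as a graph, traces each path from the internet, finds the hops where the trust zone changes, checks whether a firewall sits on each such link, and reports both unfiltered paths and lateral-movement paths between an internet-facing server and an internal-only one. Node names (`router`, `switch`, `web`, `file`), zone labels (`lan`, `dmz`, `internal`) and both sample layouts are constructed for illustration.

```python
"""Added example: run the diagram-reading workflow over a graph model of a
Scenario-3A-style layout. Node names, zone labels and the two sample layouts
below are constructed; they are not from the course materials."""
from collections import deque


def build_adjacency(links):
    """Undirected adjacency map from (a, b) links."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def trace_path(adj, src, dst):
    """Shortest path from src to dst by BFS, or None if dst is unreachable."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in adj.get(node, ()):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def zone_crossings(path, zones, firewalls):
    """Hops on path where the trust zone changes, tagged with whether a
    firewall sits on that link (firewalls: set of frozenset({a, b}) links)."""
    return [(a, b, frozenset((a, b)) in firewalls)
            for a, b in zip(path, path[1:]) if zones[a] != zones[b]]


def assess(devices, links, firewalls):
    """Run the workflow. devices: {name: (zone, role)} with role one of
    'untrusted', 'infrastructure', 'internet-facing', 'internal-only'.
    Returns sorted (finding, subject, path) tuples."""
    adj = build_adjacency(links)
    fw = {frozenset(link) for link in firewalls}
    zones = {name: zone for name, (zone, _) in devices.items()}
    servers = {name: role for name, (_, role) in devices.items()
               if role in ("internet-facing", "internal-only")}
    findings = []
    # Steps 2-4: trace internet -> each server; every zone crossing needs a firewall.
    for name in servers:
        path = trace_path(adj, "internet", name)
        if path is None:
            continue
        crossings = zone_crossings(path, zones, fw)
        if not crossings or any(not filtered for _, _, filtered in crossings):
            findings.append(("unfiltered path from internet", name, "->".join(path)))
    # Step 5: lateral movement from a compromised public server to internal-only assets.
    for src, role in servers.items():
        if role != "internet-facing":
            continue
        for dst, role2 in servers.items():
            if role2 != "internal-only":
                continue
            path = trace_path(adj, src, dst)
            if path and not any(f for _, _, f in zone_crossings(path, zones, fw)):
                findings.append(("lateral movement", src + "->" + dst, "->".join(path)))
    return sorted(findings)


def flat_layout():
    """Constructed starting diagram: everything hangs off one switch, no firewalls."""
    devices = {"internet": ("internet", "untrusted"),
               "router": ("lan", "infrastructure"),
               "switch": ("lan", "infrastructure"),
               "web": ("lan", "internet-facing"),
               "file": ("lan", "internal-only")}
    links = [("internet", "router"), ("router", "switch"),
             ("switch", "web"), ("switch", "file")]
    return devices, links, []


def segmented_layout():
    """Constructed diagram after placing Firewall A on the edge link and
    Firewall B on the file-server link; router, switch and web form the DMZ."""
    devices = {"internet": ("internet", "untrusted"),
               "router": ("dmz", "infrastructure"),
               "switch": ("dmz", "infrastructure"),
               "web": ("dmz", "internet-facing"),
               "file": ("internal", "internal-only")}
    links = [("internet", "router"), ("router", "switch"),
             ("switch", "web"), ("switch", "file")]
    firewalls = [("internet", "router"), ("switch", "file")]  # Firewall A, Firewall B
    return devices, links, firewalls


if __name__ == "__main__":
    for label, layout in (("flat", flat_layout()), ("segmented", segmented_layout())):
        print(label, assess(*layout))
```

On the flat layout the model reports three findings: both servers reachable from the internet across an unfiltered boundary, and a lateral path from the web server to the file server with no filtered crossing. On the segmented layout it reports none, because every zone change on every traced path now lands on a firewall link.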
Connecting Layout to Firewall Rules
A firewall enforces an access control list (ACL): an ordered set of rules that permit or deny traffic based on attributes like source address, destination address, protocol, and port. Rules are checked top to bottom and the first match decides, and on most firewalls traffic that matches no rule is dropped by an implicit deny at the end of the list. The diagram tells you what the rules should say. If the web server only needs to serve a web app, the ACL on Firewall A should permit inbound TCP 80 and 443 to the web server's address and deny everything else.
When you read an ACL on the exam, line it up against the diagram. Ask whether the allowed traffic matches the device's legitimate purpose, and whether any rule lets untrusted sources reach an internal asset they should never touch. A rule allowing inbound traffic to the file server from the internet is a clear finding because the diagram shows that server should be internal-only.
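Lining an ACL up against the diagram can also be done mechanically. The following is an added example, not from the course or exam materials: a first-match ACL evaluator with the implicit deny most firewalls apply, plus an audit that compares each permit rule with the device roles read off the diagram and flags exactly the kind of rule the paragraph above calls a clear finding. The addresses, ports, device names and three sample ACLs are constructed for illustration, and real firewall syntax differs by vendor.

```python
"""Added example: first-match ACL evaluation and an ACL-versus-diagram audit.
All addresses, ports, device names and rules are constructed; this is not
course material and not any vendor's ACL syntax."""
import ipaddress

# Facts read off the (constructed) diagram: where each server sits, who may
# reach it, and which ports its legitimate purpose requires.
DEVICES = {
    "web":  {"ip": "203.0.113.10", "role": "internet-facing", "ports": {80, 443}},
    "file": {"ip": "10.0.20.5",    "role": "internal-only",   "ports": {445}},
}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def rule(action, src, dst, proto="tcp", port=None):
    """One ACL entry. port=None means any destination port."""
    return {"action": action, "src": ipaddress.ip_network(src),
            "dst": ipaddress.ip_network(dst), "proto": proto, "port": port}


def matches(r, pkt):
    """Does packet {src, dst, proto, dport} match rule r?"""
    return (ipaddress.ip_address(pkt["src"]) in r["src"]
            and ipaddress.ip_address(pkt["dst"]) in r["dst"]
            and r["proto"] in ("any", pkt["proto"])
            and r["port"] in (None, pkt["dport"]))


def evaluate(acl, pkt):
    """First matching rule decides; no match falls through to the implicit deny.
    Returns (action, rule_index), with index None for the implicit deny."""
    for i, r in enumerate(acl):
        if matches(r, pkt):
            return r["action"], i
    return "deny", None


def audit(acl, devices=DEVICES, internal_nets=INTERNAL_NETS):
    """Compare every permit rule with the diagram. Returns (index, device, issue)."""
    findings = []
    for i, r in enumerate(acl):
        if r["action"] != "permit":
            continue
        src_is_internal = any(r["src"].subnet_of(net) for net in internal_nets)
        for name, dev in devices.items():
            if ipaddress.ip_address(dev["ip"]) not in r["dst"]:
                continue
            if dev["role"] == "internal-only" and not src_is_internal:
                findings.append((i, name, "external source permitted to internal-only device"))
            if r["port"] is None or r["port"] not in dev["ports"]:
                findings.append((i, name, "permits a port outside the device's purpose"))
    return findings


# Firewall A: the internet may reach the web server on its web ports only.
FIREWALL_A = [
    rule("permit", "0.0.0.0/0", "203.0.113.10/32", port=443),
    rule("permit", "0.0.0.0/0", "203.0.113.10/32", port=80),
    rule("deny", "0.0.0.0/0", "0.0.0.0/0", proto="any"),
]
# Firewall B as an exam finding: the source should be the internal LAN, not any.
FIREWALL_B_WRONG = [rule("permit", "0.0.0.0/0", "10.0.20.5/32", port=445)]
# Firewall B corrected to match the diagram.
FIREWALL_B_FIXED = [
    rule("permit", "10.0.0.0/8", "10.0.20.5/32", port=445),
    rule("deny", "0.0.0.0/0", "0.0.0.0/0", proto="any"),
]

if __name__ == "__main__":
    external_to_records = {"src": "198.51.100.7", "dst": "10.0.20.5",
                           "proto": "tcp", "dport": 445}
    print(evaluate(FIREWALL_B_WRONG, external_to_records), audit(FIREWALL_B_WRONG))
    print(evaluate(FIREWALL_B_FIXED, external_to_records), audit(FIREWALL_B_FIXED))
```

The audit is deliberately diagram-driven: it knows nothing about the packets, only which addresses belong to internal-only servers and which ports each server legitimately serves, so a single rule like `permit any -> file-server 445` is flagged even though it looks tidy on its own.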
Layout as Evidence in Scenarios
The course wants you to connect diagrams to risk, controls, and evidence. A poorly segmented layout is evidence of high risk because one compromise spreads easily. A firewall placed at every trust boundary is evidence of layered, defense-in-depth controls.
Diagrams also tell you where detection should sit. If all internet traffic funnels through one edge link, that link is a strong spot to monitor for indicators of network attacks. When you justify a monitoring recommendation, cite the specific path or boundary on the diagram rather than speaking generally.
Common Mistakes to Avoid
Do not assume a labeled firewall is placed correctly. Check whether it actually sits on the link where the traffic you care about crosses between trust levels. A firewall drawn on a link that neither the internet-to-web-server path nor the internal-to-file-server path crosses protects neither boundary you need.
Do not treat all servers as equal. The single most important distinction is internet-facing versus internal-only, and missing it leads to wrong placement answers.
Do not ignore lateral movement. Two servers on the same segment can reach each other even if both are behind an edge firewall, because the edge firewall only inspects traffic that crosses the edge link, and server-to-server traffic on a shared switch never does. Internal segmentation is what stops one compromise from becoming many.
Do not write firewall rules that contradict the diagram. If a server should never accept external connections, an ACL allowing that is the finding, not the fix.
Finally, do not stop at identifying the problem. Scenarios expect you to determine placement, describe the effect of a change, and explain your reasoning using the layout in front of you.
Frequently Asked Questions
How do I decide where to place a firewall on a network diagram?
Place a firewall on every trust boundary, meaning anywhere traffic crosses between a less trusted zone and a more trusted one. Put an edge firewall between the internet and a public-facing server, and an internal firewall in front of any internal-only asset like a file server.
What is a DMZ and why does it appear in network diagrams?
A DMZ is a zone for public-facing services that sits between the untrusted internet and the trusted internal network. Putting a web server in a DMZ lets outside users reach it while keeping them from touching internal systems directly.
How does network segmentation reduce risk in a diagram?
Segmentation splits a network into separate zones or LANs so a compromise in one zone does not spread to others. Without segmentation, two servers on the same segment can reach each other, so compromising a web server hands an adversary a direct path to a file server.
How do firewall ACLs connect to the network diagram on the exam?
The diagram tells you what an access control list should allow or deny. Compare each ACL rule against the device's legitimate purpose and its trust zone.