AP exam review verified for 2027

AP Cybersecurity Unit 3 Review: Securing Networks

Review AP Cybersecurity Unit 3 to understand how networks are attacked and how defenders protect them. This unit covers ARP poisoning, DoS attacks, firewalls, network segmentation, and detection tools like NIDS, NIPS, and SIEM.

Use the topic guides, key terms, and practice questions available for every topic in this unit to build a complete picture of network security.

What is AP Cybersecurity unit 3?

Networks connect devices and move data, which creates opportunities for adversaries to intercept, redirect, or flood that traffic. Unit 3 builds a complete picture of how those attacks work and what defenders do to stop them.

Unit 3 is about securing the network layer: identifying how attacks like ARP poisoning and DoS work, applying managerial controls and wireless settings, segmenting networks into isolated zones, configuring firewalls with ACL rules, and using NIDS, NIPS, and SIEM to detect attacks in log data.

How networks get attacked

Adversaries exploit protocols like ARP and DNS to redirect traffic, flood switches with fake MAC addresses, or launch DoS attacks that overwhelm a network. Understanding the mechanism of each attack is the foundation for choosing the right defense.

How defenders structure a network

Segmentation divides a network into isolated zones using screened subnets (DMZs), IP subnetting, and VLANs. Firewalls sit at each boundary and enforce ACL rules that permit or deny traffic based on IP address, port, protocol, or application.

How attacks are detected

NIDS alerts on suspicious traffic, NIPS can block it automatically, and SIEM aggregates log data from across the network. Detection methods trade off speed, cost, and false positive rate depending on whether they use signature-based or anomaly-based approaches.

Defense in depth across the network

No single control secures a network. Unit 3 shows how managerial policies, physical and wireless controls, segmentation, firewall rules, and detection tools layer together so that a failure in one layer does not expose the entire network.

AP Cybersecurity unit 3 topics

3.1

Network Vulnerabilities and Attacks

Covers ARP poisoning, MAC spoofing, MAC flooding, DNS poisoning, and DoS attacks. Includes how to assess vulnerability risk using the CIA triad and automated vulnerability scanners.

3.2

Protecting Networks: Managerial Controls and Wireless Security

Covers router, switch, and VPN security policies as managerial controls, plus wireless access point settings: disabling beacon frames, controlling signal strength, requiring WPA3, and enabling MAC filtering.

3.3

Protecting Networks: Segmentation

Covers screened subnets (DMZs), IP subnetting, VLANs, and port security. Explains how segmentation isolates breaches, enables differentiated security policies, and limits lateral movement.

3.4

Protecting Networks: Firewalls

Covers stateless, stateful, and next-generation firewalls; ACL rule structure and order; firewall placement at segment boundaries and internet ingress/egress points; and writing permit/deny rules.

3.5

Detecting Network Attacks

Covers NIDS, NIPS, and SIEM tools; AI-based threat detection and alert thresholds; signature-based vs. anomaly-based vs. hybrid detection trade-offs; and identifying ARP poisoning, MAC flooding, and evil-twin attacks in log files.


Unit 3 review notes

3.1

Network Vulnerabilities and Attacks

Adversaries exploit network protocols to intercept data, disrupt services, or move laterally across a LAN. ARP poisoning is the core on-path attack: the adversary sends falsified ARP packets to the default gateway, linking the target's IP address to the adversary's MAC address so traffic is rerouted through the adversary's device. MAC flooding overwhelms a switch's MAC address table with fake entries, forcing it to broadcast all traffic. DNS poisoning redirects users to malicious sites by corrupting DNS records. DoS attacks flood a network with traffic to deny service to legitimate users. Vulnerability scanners can assess these risks and produce reports with severity ratings and mitigation recommendations.

  • ARP poisoning: Adversary sends falsified ARP packets to link the target's IP to the adversary's MAC address, rerouting traffic through the adversary (an on-path or man-in-the-middle attack).
  • MAC spoofing: Faking a MAC address to impersonate a legitimate device on the network.
  • MAC flooding: Sending large numbers of frames with different MAC addresses to overflow a switch's MAC table, causing it to broadcast all traffic.
  • DoS attack: Flooding a network or device with traffic to exhaust resources and deny service to legitimate users.
  • Lateral movement: After compromising one device, an adversary uses that access to attack other devices on the same LAN.

Can you explain step by step how an ARP poisoning attack works, and identify which part of the CIA triad each major network attack threatens?

Attack | Mechanism | CIA Impact
ARP poisoning | Falsified ARP packets redirect traffic to the adversary | Confidentiality, Integrity
MAC flooding | Overflow the switch MAC table to force broadcast | Confidentiality
DoS | Flood the network to exhaust resources | Availability
DNS poisoning | Corrupt DNS records to redirect users | Integrity, Confidentiality
MAC spoofing | Fake a MAC address to impersonate a device | Confidentiality, Integrity

3.2

Managerial Controls and Wireless Security

Managerial controls are written policies that set minimum configuration standards for network devices. A router security policy bans local user accounts, disables unnecessary services like Telnet, and requires a firewall. A switch security policy requires port security and MAC filtering. A VPN policy defines which roles can use a VPN and what authentication is required. For wireless, organizations disable beacon frame broadcasting to hide the network's SSID, control signal strength so the signal does not extend beyond the physical space, require WPA3 encryption (WEP, WPS, and original WPA are insecure), and enforce MAC filtering and user authentication on wireless access points.

  • Router security policy: Minimum configuration standard requiring approved authentication servers, disabling Telnet, and mandating a firewall.
  • Switch security policy: Requires port security and MAC filtering to prevent unauthorized device access.
  • VPN policy: Defines roles, authentication requirements, and minimum security settings for remote access to the internal network.
  • WPA3: Currently the strongest wireless encryption protocol; WEP, WPS, and original WPA have known vulnerabilities and should not be used.
  • Beacon frame broadcasting: WAPs broadcast beacon frames to announce the network; disabling this makes the network harder for adversaries to discover.

What specific settings would you configure on a wireless access point to reduce the risk of an adversary outside the building connecting to the network?

Wireless Protocol | Security Status
WEP | Insecure - known vulnerabilities
WPS | Insecure - known vulnerabilities
WPA (original) | Insecure - known vulnerabilities
WPA2 | Acceptable but aging
WPA3 | Currently strongest - recommended

3.3

Network Segmentation

Network segmentation divides one large network into smaller, isolated zones so that a breach in one segment cannot spread freely to others. A screened subnet (DMZ) sits between the public internet and the internal private network, holding publicly facing resources like web servers while keeping them separated from internal systems. Subnetting uses IP addressing to create distinct subnets, containing breaches to a smaller number of devices. VLANs use switches to logically separate devices that are physically connected to the same hardware. Port security on switches limits the number of MAC addresses per port, preventing MAC flooding. Different segments can have different security policies applied independently.

  • Screened subnet (DMZ): A network zone between the public internet and the internal network that holds publicly facing resources at a lower security level than internal systems.
  • Subnetting: Dividing a network using IP addressing to create isolated subnets that contain breaches and limit lateral movement.
  • VLAN: A logical network segment created on a switch that separates devices without requiring separate physical hardware.
  • Port security: A switch setting that limits the number of MAC addresses allowed on a single port, preventing MAC flooding.
  • Network segmentation: The practice of dividing a network into smaller isolated segments to limit the spread of attacks and apply differentiated security policies.

Draw a simple network diagram showing where a screened subnet sits relative to the internet and the internal network, and explain what types of servers belong in each zone.

Segmentation Method | How It Works | Primary Benefit
Screened subnet (DMZ) | Firewall zones separate public-facing and internal segments | Isolates public resources from the internal network
Subnetting | IP addressing creates distinct address ranges | Contains breaches to fewer devices
VLAN | Switch-level logical separation | Segments devices on shared physical hardware

3.4

Firewalls and Access Control Lists

A firewall permits or denies network traffic using a set of rules called an access control list (ACL). Stateless firewalls filter based on packet header information only: IP address, port, and protocol. Stateful firewalls also track the state of active connections, allowing more precise control. Next-generation firewalls (NGFWs) add deep packet inspection, intrusion prevention, and application-layer filtering. ACL rules are checked in order and the first matching rule is applied, so rule order matters. Each network segment and each ingress or egress point between the internal network and the internet should have a firewall. A typical ACL rule specifies direction (inbound or outbound), filter criteria (IP, port, protocol, or application), and action (permit or deny). For example: Allow inbound TCP port 22 from ALL permits SSH traffic; Deny inbound TCP port 80 from 192.168.1.0/24 blocks HTTP from that subnet.

  • Stateless firewall: Filters traffic using packet header fields only: source and destination IP, port, and protocol.
  • Stateful firewall: Tracks connection state in addition to header filtering, enabling connection-aware rules.
  • Next-generation firewall (NGFW): Combines stateless and stateful filtering with deep packet inspection, intrusion prevention, and application-layer awareness.
  • Access control list (ACL): An ordered list of rules a firewall uses to permit or deny traffic; the first matching rule is executed.
  • Rule order: ACL rules are evaluated top to bottom; changing the order changes which traffic is allowed or denied, so precedence must be planned carefully.

Given a set of ACL rules, can you trace a specific packet through the list and determine whether it is permitted or denied, and explain why rule order matters?

Firewall Type | Filtering Basis | Additional Capabilities
Stateless | Packet headers (IP, port, protocol) | None beyond header fields
Stateful | Headers plus connection state | Connection-aware rules
NGFW | Headers, state, and payload | Deep packet inspection, intrusion prevention, app filtering

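
The packet-tracing exercise in this topic, worked through as an added example (this is not code from the course or from any firewall vendor): a small first-match ACL evaluator in Python. It parses rules written the way the notes write them, evaluates the two rules quoted above plus an explicit deny-all, and shows how moving a broad permit above a specific deny changes the outcome. The Packet, Rule, parse_rule, evaluate and swap names are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed example: a minimal first-match ACL evaluator. Rule text follows the
# unit's "direction, filter criteria, action" wording; the names are this
# example's own, not any firewall vendor's syntax.

@dataclass(frozen=True)
class Packet:
    direction: str   # "inbound" or "outbound"
    protocol: str    # "tcp" or "udp"
    dst_port: int
    src_ip: str

@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    direction: str       # "inbound" or "outbound"
    protocol: str        # "tcp", "udp" or "all"
    port: Optional[int]  # None matches any destination port
    source: str          # CIDR block, or "ALL"

    def matches(self, pkt: Packet) -> bool:
        if self.direction != pkt.direction:
            return False
        if self.protocol != "all" and self.protocol != pkt.protocol:
            return False
        if self.port is not None and self.port != pkt.dst_port:
            return False
        if self.source != "ALL":
            return ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(self.source)
        return True

def parse_rule(text: str) -> Rule:
    """Parse a rule written as in the notes, e.g. 'Allow inbound TCP port 22 from ALL'
    or 'Deny inbound TCP ALL from ALL' (ALL in the port position means any port)."""
    t = text.split()
    action = "permit" if t[0].lower() in ("allow", "permit") else "deny"
    direction, protocol = t[1].lower(), t[2].lower()
    if t[3].lower() == "port":
        port, rest = int(t[4]), t[5:]
    elif t[3].lower() == "from":
        port, rest = None, t[3:]
    else:
        port, rest = None, t[4:]
    if len(rest) != 2 or rest[0].lower() != "from":
        raise ValueError(f"unrecognised rule: {text!r}")
    return Rule(action, direction, protocol, port, rest[1])

def evaluate(acl, pkt: Packet, default="deny"):
    """Walk the ACL top to bottom; the first matching rule decides and checking
    stops. Returns (action, index of the deciding rule), or (default, None)."""
    for i, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, i
    return default, None

def swap(acl, i, j):
    """Copy of acl with rules i and j exchanged, to see how order changes the outcome."""
    out = list(acl)
    out[i], out[j] = out[j], out[i]
    return out

# The two rules quoted in the notes, a broad HTTP permit, and an explicit deny-all.
ACL = [parse_rule(r) for r in (
    "Allow inbound TCP port 22 from ALL",
    "Deny inbound TCP port 80 from 192.168.1.0/24",
    "Allow inbound TCP port 80 from ALL",
    "Deny inbound TCP ALL from ALL",
)]

if __name__ == "__main__":
    lan_http = Packet("inbound", "tcp", 80, "192.168.1.10")
    print(evaluate(ACL, lan_http))              # ('deny', 1): the specific deny fires first
    print(evaluate(swap(ACL, 1, 2), lan_http))  # ('permit', 1): broad permit now shadows the deny
```

Packets that match no rule fall through to the implicit default, which is why a deliberate deny-all at the bottom makes the policy explicit rather than relying on that default.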
3.5

Detecting Network Attacks

Detection tools analyze log data from switches, routers, firewalls, and user devices to find indicators of compromise (IoCs). A NIDS monitors network traffic and generates alerts when it detects malicious activity. A NIPS does the same but can also respond automatically by closing ports, blocking IP or MAC addresses, or rejecting protocols. A SIEM aggregates and correlates data from multiple sources across the network. AI-based detection algorithms classify traffic patterns as malicious or normal using probabilistic scoring; organizations set their own alert thresholds, balancing missed attacks against alert fatigue. Signature-based detection compares traffic to a database of known IoCs and is fast with low false positives but misses novel attacks. Anomaly-based detection compares traffic to a baseline and catches new attacks but produces more false positives and requires more expensive hardware. Hybrid detection combines both methods at the highest cost. Specific attacks have specific log signatures: ARP poisoning shows duplicate MAC address ARP packets; MAC flooding shows a surge of Ethernet frames with different MACs; evil-twin attacks appear as suspicious SSIDs near legitimate ones.

  • NIDS: Network intrusion detection system: monitors traffic and generates alerts on detected malicious activity but does not block it.
  • NIPS: Network intrusion prevention system: detects malicious activity and can automatically block it by closing ports or rejecting protocols.
  • SIEM: Security information and event management: aggregates and correlates log data from multiple network sources for centralized analysis.
  • Signature-based detection: Compares traffic to a database of known IoC signatures; fast and low false positives but cannot detect novel attacks.
  • Anomaly-based detection: Compares traffic to a recorded baseline; detects new attacks but produces more false positives and requires more processing power.

For a network with high, consistent traffic volume and a tight budget, which detection method would you recommend and why? What trade-offs does that choice involve?

Detection Method | Best For | False Positives | Cost
Signature-based | High traffic volume, known attacks | Very low | Lower
Anomaly-based | Consistent traffic patterns, novel attacks | Higher | Higher
Hybrid | Comprehensive coverage | Moderate to high | Highest
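
The three log indicators named in this topic, as an added example that is not part of the course material: Python detection logic run over constructed sample log lines (ARP replies, switch MAC-learning events and a wireless scan). The log line formats, the access-point inventory and the alert threshold are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample logs for this example (not from any real network). The
# line formats are invented; adapt the regexes to your own switch, IDS or
# wireless-controller output.
ARP_LOG = """\
09:00:01 arp reply 10.0.0.1 is-at aa:bb:cc:00:00:01
09:00:05 arp reply 10.0.0.7 is-at aa:bb:cc:00:00:07
09:00:09 arp reply 10.0.0.1 is-at de:ad:be:ef:00:99
09:00:12 arp reply 10.0.0.7 is-at de:ad:be:ef:00:99
"""
# 60 distinct source MACs learned on one access port within a minute, two on another.
SWITCH_LOG = "\n".join(
    [f"09:01:{i:02d} Gi1/0/5 learned 02:00:00:00:{i // 256:02x}:{i % 256:02x}" for i in range(60)]
    + ["09:01:30 Gi1/0/6 learned 02:00:00:00:ff:01",
       "09:01:31 Gi1/0/6 learned 02:00:00:00:ff:02"]
)
WIFI_SCAN = """\
ssid=CorpWiFi bssid=00:11:22:33:44:01 signal=-40
ssid=CorpWiFi bssid=00:11:22:33:44:02 signal=-55
ssid=CorpWiFi bssid=66:77:88:99:aa:bb signal=-35
ssid=GuestNet bssid=00:11:22:33:44:09 signal=-60
"""
# Assumed inventory of the organisation's own access points, per SSID.
KNOWN_APS = {"CorpWiFi": {"00:11:22:33:44:01", "00:11:22:33:44:02"}}

ARP_RE = re.compile(r"arp reply (\S+) is-at (\S+)")
LEARN_RE = re.compile(r"^\S+ (\S+) learned (\S+)")
SCAN_RE = re.compile(r"ssid=(\S+) bssid=(\S+)")

def arp_poisoning_indicators(log):
    """ARP poisoning leaves duplicate ARP bindings: an IP answered by more than
    one MAC, or one MAC claiming several IPs (the adversary's MAC standing in
    for both the gateway and the victim). Returns (ip -> macs, mac -> ips)."""
    ip_to_macs, mac_to_ips = defaultdict(set), defaultdict(set)
    for line in log.splitlines():
        m = ARP_RE.search(line)
        if m:
            ip, mac = m.group(1), m.group(2).lower()
            ip_to_macs[ip].add(mac)
            mac_to_ips[mac].add(ip)
    conflicting_ips = {ip: sorted(v) for ip, v in ip_to_macs.items() if len(v) > 1}
    shared_macs = {mac: sorted(v) for mac, v in mac_to_ips.items() if len(v) > 1}
    return conflicting_ips, shared_macs

def mac_flooding_indicators(log, threshold=50):
    """MAC flooding shows as a surge of distinct source MACs on a single port.
    threshold is the alert threshold the notes describe: too low and a port
    with many real hosts behind it raises false positives, too high and a
    slow flood is missed. Returns {port: distinct MAC count} for ports over it."""
    port_to_macs = defaultdict(set)
    for line in log.splitlines():
        m = LEARN_RE.match(line)
        if m:
            port_to_macs[m.group(1)].add(m.group(2).lower())
    return {p: len(v) for p, v in port_to_macs.items() if len(v) > threshold}

def evil_twin_indicators(scan, known_aps):
    """An evil twin advertises a legitimate SSID from an access point that is
    not in the organisation's inventory. Returns [(ssid, rogue bssid), ...]."""
    rogue = []
    for line in scan.splitlines():
        m = SCAN_RE.search(line)
        if m and m.group(1) in known_aps and m.group(2).lower() not in known_aps[m.group(1)]:
            rogue.append((m.group(1), m.group(2).lower()))
    return rogue

if __name__ == "__main__":
    print(arp_poisoning_indicators(ARP_LOG))
    print(mac_flooding_indicators(SWITCH_LOG))
    print(evil_twin_indicators(WIFI_SCAN, KNOWN_APS))
```

A legitimate network with several access points broadcasts the same SSID from several BSSIDs, so the evil-twin check compares against an inventory rather than flagging every duplicate SSID.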

Practice AP Cybersecurity unit 3 questions

Try AP-style multiple-choice questions and written prompts after you review the notes.

Example AP-style MCQs

MCQ

AP-style practice question

Question

A firewall's access control list (ACL) contains the following rules in order: Rule 1 — ALLOW inbound TCP port 80 from ALL; Rule 2 — ALLOW inbound TCP port 443 from ALL; Rule 3 — DENY inbound TCP ALL from ALL. A packet arrives that is inbound TCP traffic destined for port 25 from an external IP address. What action does the firewall take?

The packet is denied by Rule 3 after failing to match Rules 1 and 2, which only permit ports 80 and 443.

The packet is allowed by Rule 1 because port 25 traffic is inbound TCP and Rule 1 permits all inbound TCP connections.

The packet is denied by Rule 1 because the ACL blocks any port not explicitly listed in the first matching rule.

The packet is allowed by default because no rule explicitly denies inbound TCP port 25 traffic from external sources.

MCQ

AP-style practice question

Question

A security analyst reviewing logs notices that ransomware has encrypted all files on devices in the HR subnet but finds no evidence of infection on devices in the finance or engineering subnets. Which characteristic of the network architecture most directly explains why the ransomware was contained to the HR subnet?

The network was divided into isolated subnets that prevented the ransomware from spreading across subnet boundaries to other departments.

The HR subnet used stronger antivirus software than the finance and engineering subnets, blocking lateral movement across all departments.

The ransomware was programmed to target only HR file types, so it naturally avoided devices in finance and engineering subnets.

Port security on the HR subnet's switch limited the number of MAC addresses per port, which blocked the ransomware from reaching other subnets.

Key terms

Term | Definition
firewall | Software or hardware that permits or denies network traffic based on an ordered set of ACL rules; can be standalone or integrated into a router.
DMZ | A screened subnet between the public internet and the internal private network that holds publicly facing resources at a lower security level.
screened subnet | A network segment created by firewall zones that separates public-facing servers from the internal network; also called a DMZ.
network segmentation | Dividing a network into smaller isolated zones so a breach in one segment cannot spread freely to others.
VLAN | A logical network segment created on a switch that separates devices without requiring separate physical hardware.
subnetting | Using IP addressing to divide a network into distinct subnets, limiting how far a breach can spread.
MAC flooding | Sending large numbers of Ethernet frames with different MAC addresses to overflow a switch's MAC table, forcing it to broadcast all traffic.
MAC spoofing | Faking a MAC address to impersonate a legitimate device on a network, often used in ARP poisoning or to bypass MAC filtering.
DoS attack | A denial-of-service attack that floods a network or device with traffic to exhaust resources and block legitimate users.
signature-based detection | Compares network traffic to a database of known IoC signatures; fast with very low false positives but cannot detect novel attacks.
anomaly-based detection | Compares traffic to a recorded baseline of normal activity; detects new attacks but produces more false positives and requires more processing resources.
indicator of compromise | Evidence in network traffic or log data that suggests malicious activity has occurred or is in progress.
port security | A switch setting that limits the number of MAC addresses allowed on a single port, preventing MAC flooding.
virtual private network | An encrypted tunnel that allows remote users to access an organization's internal network securely over the public internet.
false positive | A detection alert triggered by legitimate traffic that is incorrectly classified as malicious; high rates cause alert fatigue.

Common unit 3 mistakes

Confusing NIDS and NIPS roles

A NIDS only detects and alerts; it does not block traffic. A NIPS can both detect and respond by closing ports or blocking addresses. Students often say NIDS blocks attacks, which is incorrect.

Assuming ACL rule order does not matter

Firewalls apply the first matching ACL rule and stop checking. If a broad permit rule appears before a specific deny rule, the deny rule never executes. Rule order is a core configuration skill in Topic 3.4.

Mixing up signature-based and anomaly-based detection trade-offs

Signature-based detection is faster and has almost no false positives but cannot catch novel attacks. Anomaly-based detection catches new attacks but produces more false positives and costs more. Students frequently reverse these properties.

Treating a DMZ as the internal network

A screened subnet (DMZ) is a lower-security zone that holds publicly facing resources. It is not part of the internal private network. Placing sensitive internal systems in the DMZ removes the protection segmentation is designed to provide.

Thinking MAC filtering alone secures a wireless network

MAC filtering can be bypassed through MAC spoofing. It is one layer of wireless defense, not a complete solution. Strong encryption like WPA3 and user authentication are also required.

How this unit shows up on the AP exam

Scenario-based attack identification

Expect questions that describe network behavior (for example, a default gateway receiving unexpected ARP packets, or a switch broadcasting all traffic) and ask you to identify the attack type, explain the mechanism, and name the CIA triad component at risk. Being able to trace an attack step by step is more useful than memorizing a definition.

Firewall rule analysis and configuration

Questions may present a set of ACL rules and ask you to determine whether a specific packet is permitted or denied, or to identify a misconfiguration caused by rule order. You may also be asked to write a rule that meets a stated requirement, such as allowing SSH from all sources or blocking HTTP from a specific subnet.

Comparing and selecting security controls

Questions may describe an organization's network conditions (traffic volume, budget, sensitivity of data, likelihood of novel attacks) and ask you to select and justify a detection method or segmentation approach. Knowing the trade-offs between signature-based and anomaly-based detection, or between a DMZ and a VLAN, lets you reason through these comparisons rather than guess.

Final unit 3 review checklist

  • Explain each major network attack: Be able to describe the mechanism of ARP poisoning, MAC flooding, MAC spoofing, DNS poisoning, and DoS attacks, including which CIA triad component each threatens.
  • Identify managerial controls for routers, switches, and VPNs: Know what a router security policy, switch security policy, and VPN policy each require, and explain why disabling Telnet or requiring port security reduces risk.
  • Configure wireless access point security: Know why WPA3 is required, why beacon frame broadcasting should be disabled, and how signal strength control and MAC filtering reduce wireless attack surface.
  • Explain segmentation techniques and their benefits: Distinguish between screened subnets, subnetting, and VLANs. Explain how each limits lateral movement and allows differentiated security policies across zones.
  • Read and write firewall ACL rules: Given a set of ACL rules, trace a packet and determine the outcome. Know the difference between stateless, stateful, and next-generation firewalls and when each applies.
  • Compare detection methods: Explain the trade-offs between signature-based, anomaly-based, and hybrid detection in terms of speed, cost, false positive rate, and ability to detect novel attacks.
  • Identify attack indicators in log data: Know what log evidence indicates ARP poisoning (duplicate MAC ARP packets), MAC flooding (surge of Ethernet frames with different MACs), and evil-twin attacks (suspicious SSIDs).

How to study unit 3

Start with network attacks (Topic 3.1): Read the Topic 3.1 guide and map each attack (ARP poisoning, MAC flooding, DNS poisoning, DoS) to its mechanism and CIA triad impact. Use the key terms for ARP, MAC address, and DoS attack to lock in the vocabulary before moving to defenses.

Review managerial controls and wireless settings (Topic 3.2): Go through the Topic 3.2 guide and list the specific requirements in each policy type (router, switch, VPN). Then focus on wireless: write out why each WAP setting (beacon frames, signal strength, WPA3, MAC filtering) addresses a specific attack from Topic 3.1.

Work through segmentation concepts (Topic 3.3): Use the Topic 3.3 guide to sketch a network diagram with a screened subnet, an internal subnet, and a VLAN. Label where each segmentation method applies and what attack it limits. Practice explaining why port security prevents MAC flooding.

Practice firewall ACL rules (Topic 3.4): Read the Topic 3.4 guide, then write five ACL rules using the format from the essential knowledge examples (direction, filter criteria, action). Swap the order of two rules and explain how the outcome changes. Use the practice questions available for this topic to test your rule-reading skill.

Compare detection methods and analyze log indicators (Topic 3.5): Use the Topic 3.5 guide to build a comparison of signature-based, anomaly-based, and hybrid detection across speed, cost, and false positive rate. Then review the log indicators for ARP poisoning, MAC flooding, and evil-twin attacks so you can identify them from a description of network log data.

More ways to review

Topic study guides

Open the individual guides for Unit 3 when you want a closer review of one topic.


Frequently Asked Questions

What topics are covered in AP Cyber Unit 3?

AP Cyber Unit 3: Securing Networks covers 5 topics: Network Vulnerabilities and Attacks (3.1), Protecting Networks with Managerial Controls and Wireless Security (3.2), Network Segmentation (3.3), Firewalls (3.4), and Detecting Network Attacks (3.5). The unit focuses on how data is protected in transit and how defenders identify and stop network threats. See the full topic breakdown at /ap-cybersecurity/unit-3.

What's on the AP Cyber Unit 3 progress check (MCQ and FRQ)?

The AP Cyber Unit 3 progress check pulls questions from all 5 topics in Securing Networks: network vulnerabilities and attacks, wireless security, segmentation, firewall configuration, and detecting network attacks using log analysis. The MCQ part tests conceptual knowledge, while the FRQ part asks you to apply defensive strategies to realistic scenarios. For matched practice aligned to these topics, visit /ap-cybersecurity/unit-3.

How do I practice AP Cyber Unit 3 FRQs?

AP Cyber Unit 3 FRQs typically ask you to analyze a network scenario and recommend defensive measures, such as where to place a firewall, how to segment a network, or how to interpret log files for indicators of compromise (IoCs). Topics 3.3, 3.4, and 3.5 are the most common sources for these scenario-based questions. To practice, write out your reasoning in full sentences, justify each recommendation with a specific concept like segmentation or packet filtering, and check your logic against the topic objectives at /ap-cybersecurity/unit-3.

Where can I find AP Cyber Unit 3 practice questions?

The best place to find AP Cyber Unit 3 practice questions, including multiple-choice and practice test sets, is /ap-cybersecurity/unit-3. You'll find MCQs covering network vulnerabilities, wireless security, firewalls, and log-based detection, organized by topic so you can target exactly where you need more work.

How should I study AP Cyber Unit 3?

Start AP Cyber Unit 3 by building a clear picture of how network attacks work (3.1) before moving into defenses. Study each protective layer in order: managerial controls and wireless security (3.2), then segmentation (3.3), then firewalls (3.4). Finish with log analysis and indicators of compromise in 3.5, since detecting attacks ties everything together. A few concrete steps that help:

  • Draw network diagrams showing where firewalls and segments go.
  • Practice reading sample log files and flagging suspicious patterns.
  • For each attack type in 3.1, write one sentence describing the matching defense.
  • Test yourself with MCQs at /ap-cybersecurity/unit-3 after each topic, not just at the end.

Ready to review Unit 3?

Start with the notes, check the topic cards, and use the practice or resource links when they are available for this course.