---
title: "AP Cybersecurity Unit 3 Review: Networks | Fiveable"
description: "Review AP Cybersecurity Unit 3: network attacks, wireless security, managerial controls, segmentation, firewalls, and detecting network threats."
canonical: "https://fiveable.me/ap-cybersecurity/unit-3"
type: "unit"
subject: "AP Cybersecurity"
unit: "Unit 3 – Securing Networks"
---

# AP Cybersecurity Unit 3 Review: Networks

## Overview

Unit 3 focuses on the security of data in transit across networks. Students learn how adversaries exploit network protocols through attacks like ARP poisoning, MAC flooding, and DNS poisoning, then study the defenses: managerial policies, wireless security settings, network segmentation with DMZs and VLANs, firewall types and ACL rule configuration, and automated detection tools that analyze log files for indicators of compromise.

## AP CED Alignment

This unit hub is organized around the topics, skills, and exam task types of the AP Course and Exam Description (CED).
- Topic 3.1: Network Vulnerabilities and Attacks
- Topic 3.2: Protecting Networks: Managerial Controls and Wireless Security
- Topic 3.3: Protecting Networks: Segmentation
- Topic 3.4: Protecting Networks: Firewalls
- Topic 3.5: Detecting Network Attacks
- Skill Category 3 - Detect Attacks
- Skill Category 1 - Analyze Risk

## Topics

- [Topic 3.1: Network Vulnerabilities and Attacks](/ap-cybersecurity/unit-3/network-vulnerabilities-and-attacks/study-guide/9lJpNM0eCHQ1M3XgFL97): Covers ARP poisoning, MAC spoofing, MAC flooding, DNS poisoning, and DoS attacks. Includes how to assess vulnerability risk using the CIA triad and automated vulnerability scanners.
- [Topic 3.2: Protecting Networks: Managerial Controls and Wireless Security](/ap-cybersecurity/unit-3/protecting-networks-managerial-controls-and-wireless-security/study-guide/aihx7DE7KUuSOsZ3dgwk): Covers router, switch, and VPN security policies as managerial controls, plus wireless access point settings: disabling beacon frames, controlling signal strength, requiring WPA3, and enabling MAC filtering.
- [Topic 3.3: Protecting Networks: Segmentation](/ap-cybersecurity/unit-3/protecting-networks-segmentation/study-guide/aN5LZLgHojJwIT4AvjWS): Covers screened subnets (DMZs), IP subnetting, VLANs, and port security. Explains how segmentation isolates breaches, enables differentiated security policies, and limits lateral movement.
- [Topic 3.4: Protecting Networks: Firewalls](/ap-cybersecurity/unit-3/protecting-networks-firewalls/study-guide/12y7V1SN54RlPrQELNJa): Covers stateless, stateful, and next-generation firewalls; ACL rule structure and order; firewall placement at segment boundaries and internet ingress/egress points; and writing permit/deny rules.
- [Topic 3.5: Detecting Network Attacks](/ap-cybersecurity/unit-3/detecting-network-attacks/study-guide/5kYH3dgJpqFp57SUnjEX): Covers NIDS, NIPS, and SIEM tools; AI-based threat detection and alert thresholds; signature-based vs. anomaly-based vs. hybrid detection trade-offs; and identifying ARP poisoning, MAC flooding, and evil-twin attacks in log files.

## Review Notes

### Topic 3.1: Network Vulnerabilities and Attacks

Adversaries exploit network protocols to intercept data, disrupt services, or move laterally across a LAN. ARP poisoning is the core on-path attack: the adversary sends falsified ARP packets to the default gateway, linking the target's IP address to the adversary's MAC address so traffic is rerouted through the adversary's device. MAC flooding overwhelms a switch's MAC address table with fake entries, forcing it to broadcast all traffic. DNS poisoning redirects users to malicious sites by corrupting DNS records. DoS attacks flood a network with traffic to deny service to legitimate users. Vulnerability scanners can assess these risks and produce reports with severity ratings and mitigation recommendations.

- **ARP poisoning**: Adversary sends falsified ARP packets to link the target's IP to the adversary's MAC address, rerouting traffic through the adversary (an on-path or man-in-the-middle attack).
- **MAC spoofing**: Faking a MAC address to impersonate a legitimate device on the network.
- **MAC flooding**: Sending large numbers of frames with different MAC addresses to overflow a switch's MAC table, causing it to broadcast all traffic.
- **DoS attack**: Flooding a network or device with traffic to exhaust resources and deny service to legitimate users.
- **Lateral movement**: After compromising one device, an adversary uses that access to attack other devices on the same LAN.

**Checkpoint:** Can you explain step by step how an ARP poisoning attack works, and identify which part of the CIA triad each major network attack threatens?

Attack | Mechanism | CIA Impact
--- | --- | ---
ARP poisoning | Falsified ARP packets redirect traffic to adversary | Confidentiality, Integrity
MAC flooding | Overflow switch MAC table to force broadcast | Confidentiality
DoS | Flood network to exhaust resources | Availability
DNS poisoning | Corrupt DNS records to redirect users | Integrity, Confidentiality
MAC spoofing | Fake MAC address to impersonate a device | Confidentiality, Integrity

### Topic 3.2: Managerial Controls and Wireless Security

Managerial controls are written policies that set minimum configuration standards for network devices. A router security policy bans local user accounts, disables unnecessary services like Telnet, and requires a firewall. A switch security policy requires port security and MAC filtering. A VPN policy defines which roles can use a VPN and what authentication is required. For wireless, organizations disable beacon frame broadcasting to hide the network's SSID, control signal strength so the signal does not extend beyond the physical space, require WPA3 encryption (WEP, WPS, and original WPA are insecure), and enforce MAC filtering and user authentication on wireless access points.

- **Router security policy**: Minimum configuration standard requiring approved authentication servers, disabling Telnet, and mandating a firewall.
- **Switch security policy**: Requires port security and MAC filtering to prevent unauthorized device access.
- **VPN policy**: Defines roles, authentication requirements, and minimum security settings for remote access to the internal network.
- **WPA3**: Currently the strongest wireless encryption protocol; WEP, WPS, and original WPA have known vulnerabilities and should not be used.
- **Beacon frame broadcasting**: WAPs broadcast beacon frames to announce the network; disabling this makes the network harder for adversaries to discover.

**Checkpoint:** What specific settings would you configure on a wireless access point to reduce the risk of an adversary outside the building connecting to the network?

Wireless Protocol | Security Status
--- | ---
WEP | Insecure - known vulnerabilities
WPS | Insecure - known vulnerabilities
WPA (original) | Insecure - known vulnerabilities
WPA2 | Acceptable but aging
WPA3 | Currently strongest - recommended

### Topic 3.3: Network Segmentation

Network segmentation divides one large network into smaller, isolated zones so that a breach in one segment cannot spread freely to others. A screened subnet (DMZ) sits between the public internet and the internal private network, holding publicly facing resources like web servers while keeping them separated from internal systems. Subnetting uses IP addressing to create distinct subnets, containing breaches to a smaller number of devices. VLANs use switches to logically separate devices that are physically connected to the same hardware. Port security on switches limits the number of MAC addresses per port, preventing MAC flooding. Different segments can have different security policies applied independently.

- **Screened subnet (DMZ)**: A network zone between the public internet and the internal network that holds publicly facing resources at a lower security level than internal systems.
- **Subnetting**: Dividing a network using IP addressing to create isolated subnets that contain breaches and limit lateral movement.
- **VLAN**: A logical network segment created on a switch that separates devices without requiring separate physical hardware.
- **Port security**: A switch setting that limits the number of MAC addresses allowed on a single port, preventing MAC flooding.
- **Network segmentation**: The practice of dividing a network into smaller isolated segments to limit the spread of attacks and apply differentiated security policies.

**Checkpoint:** Draw a simple network diagram showing where a screened subnet sits relative to the internet and the internal network, and explain what types of servers belong in each zone.

Segmentation Method | How It Works | Primary Benefit
--- | --- | ---
Screened subnet (DMZ) | Firewall zones separate public-facing and internal segments | Isolates public resources from internal network
Subnetting | IP addressing creates distinct address ranges | Contains breaches to fewer devices
VLAN | Switch-level logical separation | Segments devices on shared physical hardware

### Topic 3.4: Firewalls and Access Control Lists

A firewall permits or denies network traffic using a set of rules called an access control list (ACL). Stateless firewalls filter based on packet header information only: IP address, port, and protocol. Stateful firewalls also track the state of active connections, allowing more precise control. Next-generation firewalls (NGFWs) add deep packet inspection, intrusion prevention, and application-layer filtering. ACL rules are checked in order and the first matching rule is applied, so rule order matters. Each network segment and each ingress or egress point between the internal network and the internet should have a firewall. A typical ACL rule specifies direction (inbound or outbound), filter criteria (IP, port, protocol, or application), and action (permit or deny). For example: `Allow inbound TCP port 22 from ALL` permits SSH traffic; `Deny inbound TCP port 80 from 192.168.1.0/24` blocks HTTP from that subnet.

- **Stateless firewall**: Filters traffic using packet header fields only: source and destination IP, port, and protocol.
- **Stateful firewall**: Tracks connection state in addition to header filtering, enabling connection-aware rules.
- **Next-generation firewall (NGFW)**: Combines stateless and stateful filtering with deep packet inspection, intrusion prevention, and application-layer awareness.
- **Access control list (ACL)**: An ordered list of rules a firewall uses to permit or deny traffic; the first matching rule is executed.
- **Rule order**: ACL rules are evaluated top to bottom; changing the order changes which traffic is allowed or denied, so precedence must be planned carefully.

**Checkpoint:** Given a set of ACL rules, can you trace a specific packet through the list and determine whether it is permitted or denied, and explain why rule order matters?

Firewall Type | Filtering Basis | Additional Capabilities
--- | --- | ---
Stateless | Packet headers (IP, port, protocol) | None beyond header fields
Stateful | Headers plus connection state | Connection-aware rules
NGFW | Headers, state, and payload | Deep packet inspection, intrusion prevention, app filtering
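
The first-match behavior described in this topic, as an added example that is not part of the original guide: a small Python ACL evaluator that traces a packet through the two rules quoted above plus one constructed rule, and reports rules that can never fire because an earlier rule covers all their traffic. The `Rule` and `Packet` classes, the third rule, the sample addresses, and the implicit default deny are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:                      # hypothetical rule model for this example
    action: str                  # "permit" or "deny"
    direction: str               # "inbound" or "outbound"
    protocol: str                # "tcp", "udp" or "any"
    port: Optional[int]          # destination port; None means any port
    source: str                  # CIDR block, or "ALL"

    def network(self):
        return ipaddress.ip_network("0.0.0.0/0" if self.source == "ALL" else self.source)


@dataclass(frozen=True)
class Packet:                    # only the header fields a stateless filter reads
    direction: str
    protocol: str
    dst_port: int
    src_ip: str


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.protocol in ("any", pkt.protocol)
            and rule.port in (None, pkt.dst_port)
            and ipaddress.ip_address(pkt.src_ip) in rule.network())


def evaluate(acl: List[Rule], pkt: Packet, default: str = "deny") -> Tuple[str, Optional[int]]:
    """First match wins. Returns (action, 1-based rule number), or
    (default, None) when no rule matches (assumed implicit deny)."""
    for number, rule in enumerate(acl, start=1):
        if matches(rule, pkt):
            return rule.action, number
    return default, None


def covers(earlier: Rule, later: Rule) -> bool:
    """True when every packet that matches `later` also matches `earlier`."""
    return (earlier.direction == later.direction
            and earlier.protocol in ("any", later.protocol)
            and earlier.port in (None, later.port)
            and later.network().subnet_of(earlier.network()))


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """1-based numbers of rules that can never fire under first-match."""
    return [j + 1 for j, later in enumerate(acl)
            if any(covers(earlier, later) for earlier in acl[:j])]


# The two rules from the text, plus one constructed broad permit.
ALLOW_SSH = Rule("permit", "inbound", "tcp", 22, "ALL")
DENY_HTTP_SUBNET = Rule("deny", "inbound", "tcp", 80, "192.168.1.0/24")
ALLOW_HTTP_ALL = Rule("permit", "inbound", "tcp", 80, "ALL")   # constructed

ACL_SPECIFIC_FIRST = [ALLOW_SSH, DENY_HTTP_SUBNET, ALLOW_HTTP_ALL]
ACL_BROAD_FIRST = [ALLOW_SSH, ALLOW_HTTP_ALL, DENY_HTTP_SUBNET]

if __name__ == "__main__":
    pkt = Packet("inbound", "tcp", 80, "192.168.1.57")         # constructed packet
    for name, acl in (("specific deny first", ACL_SPECIFIC_FIRST),
                      ("broad permit first", ACL_BROAD_FIRST)):
        action, number = evaluate(acl, pkt)
        print(f"{name}: {action} (rule {number}), shadowed rules: {shadowed_rules(acl)}")
```

Running the shadowed-rule check before deploying an ACL catches the ordering mistake without needing a test packet for every rule.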

### Topic 3.5: Detecting Network Attacks

Detection tools analyze log data from switches, routers, firewalls, and user devices to find indicators of compromise (IoCs). A NIDS monitors network traffic and generates alerts when it detects malicious activity. A NIPS does the same but can also respond automatically by closing ports, blocking IP or MAC addresses, or rejecting protocols. A SIEM aggregates and correlates data from multiple sources across the network. AI-based detection algorithms classify traffic patterns as malicious or normal using probabilistic scoring; organizations set their own alert thresholds, balancing missed attacks against alert fatigue. Signature-based detection compares traffic to a database of known IoCs and is fast with low false positives but misses novel attacks. Anomaly-based detection compares traffic to a baseline and catches new attacks but produces more false positives and requires more expensive hardware. Hybrid detection combines both methods at the highest cost. Specific attacks have specific log signatures: ARP poisoning shows duplicate MAC address ARP packets; MAC flooding shows a surge of Ethernet frames with different MACs; evil-twin attacks appear as suspicious SSIDs near legitimate ones.

- **NIDS**: Network intrusion detection system: monitors traffic and generates alerts on detected malicious activity but does not block it.
- **NIPS**: Network intrusion prevention system: detects malicious activity and can automatically block it by closing ports or rejecting protocols.
- **SIEM**: Security information and event management: aggregates and correlates log data from multiple network sources for centralized analysis.
- **Signature-based detection**: Compares traffic to a database of known IoC signatures; fast and low false positives but cannot detect novel attacks.
- **Anomaly-based detection**: Compares traffic to a recorded baseline; detects new attacks but produces more false positives and requires more processing power.

**Checkpoint:** For a network with high, consistent traffic volume and a tight budget, which detection method would you recommend and why? What trade-offs does that choice involve?

Detection Method | Best For | False Positives | Cost
--- | --- | --- | ---
Signature-based | High traffic volume, known attacks | Very low | Lower
Anomaly-based | Consistent traffic patterns, novel attacks | Higher | Higher
Hybrid | Comprehensive coverage | Moderate to high | Highest
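
The log indicators named in this topic for ARP poisoning and MAC flooding, turned into detection logic as an added example that is not part of the original guide. The log line format, field names, port names, addresses, and the threshold of 5 new MAC addresses in 5 seconds are assumptions of the example, and "duplicate MAC address ARP packets" is read here as one MAC address announced for more than one IP address.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log; the "<time> <ARP|LEARN> key=value ..." format is assumed.
SAMPLE_LOG = """\
2025-03-04T10:15:00Z ARP ip=10.0.0.1 mac=aa:bb:cc:00:00:01 port=Gi0/1
2025-03-04T10:15:01Z ARP ip=10.0.0.23 mac=aa:bb:cc:00:00:23 port=Gi0/4
2025-03-04T10:15:02Z LEARN mac=aa:bb:cc:00:00:42 port=Gi0/2
2025-03-04T10:15:09Z ARP ip=10.0.0.66 mac=de:ad:be:ef:00:66 port=Gi0/7
2025-03-04T10:15:10Z ARP ip=10.0.0.1 mac=de:ad:be:ef:00:66 port=Gi0/7
2025-03-04T10:15:20Z LEARN mac=02:00:00:00:00:01 port=Gi0/9
2025-03-04T10:15:20Z LEARN mac=02:00:00:00:00:02 port=Gi0/9
2025-03-04T10:15:20Z LEARN mac=02:00:00:00:00:03 port=Gi0/9
2025-03-04T10:15:21Z LEARN mac=02:00:00:00:00:04 port=Gi0/9
2025-03-04T10:15:21Z LEARN mac=02:00:00:00:00:05 port=Gi0/9
2025-03-04T10:15:21Z LEARN mac=02:00:00:00:00:06 port=Gi0/9
2025-03-04T10:15:22Z LEARN mac=02:00:00:00:00:07 port=Gi0/9
2025-03-04T10:16:40Z LEARN mac=aa:bb:cc:00:00:43 port=Gi0/2
"""

LINE = re.compile(r"^(\S+)\s+(ARP|LEARN)\s+(.*)$")


def parse(log):
    """Return a list of (timestamp, kind, fields) tuples; unknown lines are skipped."""
    events = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        fields = dict(kv.split("=", 1) for kv in m.group(3).split())
        fields["mac"] = fields["mac"].lower()
        events.append((ts, m.group(2), fields))
    return events


def duplicate_mac_arp(events):
    """ARP indicator: one MAC announced for several IPs (MAC -> sorted IPs)."""
    ips_by_mac = defaultdict(set)
    for _, kind, f in events:
        if kind == "ARP":
            ips_by_mac[f["mac"]].add(f["ip"])
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}


def arp_binding_changes(events):
    """IPs whose announced MAC changed during the log (IP -> MACs in order seen)."""
    history = defaultdict(list)
    for _, kind, f in events:
        if kind == "ARP" and f["mac"] not in history[f["ip"]]:
            history[f["ip"]].append(f["mac"])
    return {ip: macs for ip, macs in history.items() if len(macs) > 1}


def mac_flood_ports(events, max_new_macs=5, window_s=5):
    """MAC flooding indicator: ports that learned more than `max_new_macs`
    previously unseen MACs within `window_s` seconds (port -> peak count)."""
    seen = defaultdict(set)       # port -> MACs already learned on it
    recent = defaultdict(deque)   # port -> timestamps of newly learned MACs
    peak = {}
    for ts, kind, f in events:
        port = f["port"]
        if kind != "LEARN" or f["mac"] in seen[port]:
            continue
        seen[port].add(f["mac"])
        window = recent[port]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_s:
            window.popleft()      # drop learn events that fell out of the window
        if len(window) > max_new_macs:
            peak[port] = max(peak.get(port, 0), len(window))
    return peak


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("duplicate-MAC ARP:", duplicate_mac_arp(events))
    print("ARP binding changes:", arp_binding_changes(events))
    print("MAC flood ports:", mac_flood_ports(events))
```

A single MAC address answering for several IP addresses also occurs with legitimate multi-homed or failover hosts, so a hit is a lead to check against the known gateway address rather than proof of an attack.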

## Practice Preview

### Multiple-choice practice

- **AP-style practice question**: Skill Category 3 - Detect Attacks | A firewall's access control list (ACL) contains the following rules in order: Rule 1 — ALLOW inbound TCP port 80 from ALL; Rule 2 — ALLOW inbound TCP port 443 from ALL; Rule 3 — DENY inbound TCP ALL from ALL. A packet arrives that is inbound TCP traffic destined for port 25 from an external IP address. What action does the firewall take?
- **AP-style practice question**: Skill Category 3 - Detect Attacks | A security analyst reviewing logs notices that ransomware has encrypted all files on devices in the HR subnet but finds no evidence of infection on devices in the finance or engineering subnets. Which characteristic of the network architecture most directly explains why the ransomware was contained to the HR subnet?
- **AP-style practice question**: Skill Category 3 - Detect Attacks | An analyst investigating a breach finds that an attacker who gained access to one department's subnet spent hours attempting to reach servers in other subnets but failed, even though all departments share the same physical network infrastructure. The network uses IP-based subnetting with firewall rules between each subnet. What does this evidence reveal about how subnetting increased security in this scenario?
- **AP-style practice question**: Skill Category 3 - Detect Attacks | A hospital network administrator segments the network so medical devices, patient record servers, and guest Wi-Fi each use separate subnets with different firewall rules. A security analyst later finds malware on a guest Wi-Fi device but confirms the patient record servers are unaffected. What security benefit of network segmentation does this outcome show?
- **AP-style practice question**: Skill Category 3 - Detect Attacks | A network analyst examining switch logs observes that a single switch port received thousands of frames containing unique, previously unseen MAC addresses within a few seconds, causing the switch to begin forwarding all traffic out of every port. Which attack does this evidence indicate, and which network security control would have prevented it?
- **AP-style practice question**: Skill Category 1 - Analyze Risk | A hospital network administrator must choose a firewall for the segment storing patient health records. An attacker has been observed sending packets that mimic return traffic from connections the hospital's servers never initiated. Which firewall type would most effectively reduce this specific risk, and why?

## Key Terms

- **firewall**: Software or hardware that permits or denies network traffic based on an ordered set of ACL rules; can be standalone or integrated into a router.
- **DMZ**: A screened subnet between the public internet and the internal private network that holds publicly facing resources at a lower security level.
- **screened subnet**: A network segment created by firewall zones that separates public-facing servers from the internal network; also called a DMZ.
- **network segmentation**: Dividing a network into smaller isolated zones so a breach in one segment cannot spread freely to others.
- **VLAN**: A logical network segment created on a switch that separates devices without requiring separate physical hardware.
- **subnetting**: Using IP addressing to divide a network into distinct subnets, limiting how far a breach can spread.
- **MAC flooding**: Sending large numbers of Ethernet frames with different MAC addresses to overflow a switch's MAC table, forcing it to broadcast all traffic.
- **MAC spoofing**: Faking a MAC address to impersonate a legitimate device on a network, often used in ARP poisoning or to bypass MAC filtering.
- **DoS attack**: A denial-of-service attack that floods a network or device with traffic to exhaust resources and block legitimate users.
- **signature-based detection**: Compares network traffic to a database of known IoC signatures; fast with very low false positives but cannot detect novel attacks.
- **anomaly-based detection**: Compares traffic to a recorded baseline of normal activity; detects new attacks but produces more false positives and requires more processing resources.
- **indicator of compromise**: Evidence in network traffic or log data that suggests malicious activity has occurred or is in progress.
- **port security**: A switch setting that limits the number of MAC addresses allowed on a single port, preventing MAC flooding.
- **virtual private network**: An encrypted tunnel that allows remote users to access an organization's internal network securely over the public internet.
- **false positive**: A detection alert triggered by legitimate traffic that is incorrectly classified as malicious; high rates cause alert fatigue.

## Common Mistakes

- **Confusing NIDS and NIPS roles**: A NIDS only detects and alerts; it does not block traffic. A NIPS can both detect and respond by closing ports or blocking addresses. Students often say NIDS blocks attacks, which is incorrect.
- **Assuming ACL rule order does not matter**: Firewalls apply the first matching ACL rule and stop checking. If a broad permit rule appears before a specific deny rule, the deny rule never executes. Rule order is a core configuration skill in Topic 3.4.
- **Mixing up signature-based and anomaly-based detection trade-offs**: Signature-based detection is faster and has almost no false positives but cannot catch novel attacks. Anomaly-based detection catches new attacks but produces more false positives and costs more. Students frequently reverse these properties.
- **Treating a DMZ as the internal network**: A screened subnet (DMZ) is a lower-security zone that holds publicly facing resources. It is not part of the internal private network. Placing sensitive internal systems in the DMZ removes the protection segmentation is designed to provide.
- **Thinking MAC filtering alone secures a wireless network**: MAC filtering can be bypassed through MAC spoofing. It is one layer of wireless defense, not a complete solution. Strong encryption like WPA3 and user authentication are also required.

## Exam Connections

- **Scenario-based attack identification**: Expect questions that describe network behavior (for example, a default gateway receiving unexpected ARP packets, or a switch broadcasting all traffic) and ask you to identify the attack type, explain the mechanism, and name the CIA triad component at risk. Being able to trace an attack step by step is more useful than memorizing a definition.
- **Firewall rule analysis and configuration**: Questions may present a set of ACL rules and ask you to determine whether a specific packet is permitted or denied, or to identify a misconfiguration caused by rule order. You may also be asked to write a rule that meets a stated requirement, such as allowing SSH from all sources or blocking HTTP from a specific subnet.
- **Comparing and selecting security controls**: Questions may describe an organization's network conditions (traffic volume, budget, sensitivity of data, likelihood of novel attacks) and ask you to select and justify a detection method or segmentation approach. Knowing the trade-offs between signature-based and anomaly-based detection, or between a DMZ and a VLAN, lets you reason through these comparisons rather than guess.

## Final Review Checklist

- **Explain each major network attack**: Be able to describe the mechanism of ARP poisoning, MAC flooding, MAC spoofing, DNS poisoning, and DoS attacks, including which CIA triad component each threatens.
- **Identify managerial controls for routers, switches, and VPNs**: Know what a router security policy, switch security policy, and VPN policy each require, and explain why disabling Telnet or requiring port security reduces risk.
- **Configure wireless access point security**: Know why WPA3 is required, why beacon frame broadcasting should be disabled, and how signal strength control and MAC filtering reduce wireless attack surface.
- **Explain segmentation techniques and their benefits**: Distinguish between screened subnets, subnetting, and VLANs. Explain how each limits lateral movement and allows differentiated security policies across zones.
- **Read and write firewall ACL rules**: Given a set of ACL rules, trace a packet and determine the outcome. Know the difference between stateless, stateful, and next-generation firewalls and when each applies.
- **Compare detection methods**: Explain the trade-offs between signature-based, anomaly-based, and hybrid detection in terms of speed, cost, false positive rate, and ability to detect novel attacks.
- **Identify attack indicators in log data**: Know what log evidence indicates ARP poisoning (duplicate MAC ARP packets), MAC flooding (surge of Ethernet frames with different MACs), and evil-twin attacks (suspicious SSIDs).

## Study Plan

- **Start with network attacks (Topic 3.1)**: Read the Topic 3.1 guide and map each attack (ARP poisoning, MAC flooding, DNS poisoning, DoS) to its mechanism and CIA triad impact. Use the key terms for ARP, MAC address, and DoS attack to lock in the vocabulary before moving to defenses.
- **Review managerial controls and wireless settings (Topic 3.2)**: Go through the Topic 3.2 guide and list the specific requirements in each policy type (router, switch, VPN). Then focus on wireless: write out why each WAP setting (beacon frames, signal strength, WPA3, MAC filtering) addresses a specific attack from Topic 3.1.
- **Work through segmentation concepts (Topic 3.3)**: Use the Topic 3.3 guide to sketch a network diagram with a screened subnet, an internal subnet, and a VLAN. Label where each segmentation method applies and what attack it limits. Practice explaining why port security prevents MAC flooding.
- **Practice firewall ACL rules (Topic 3.4)**: Read the Topic 3.4 guide, then write five ACL rules using the format from the essential knowledge examples (direction, filter criteria, action). Swap the order of two rules and explain how the outcome changes. Use the practice questions available for this topic to test your rule-reading skill.
- **Compare detection methods and analyze log indicators (Topic 3.5)**: Use the Topic 3.5 guide to build a comparison of signature-based, anomaly-based, and hybrid detection across speed, cost, and false positive rate. Then review the log indicators for ARP poisoning, MAC flooding, and evil-twin attacks so you can identify them from a description of network log data.

## FAQs

### What topics are covered in AP Cyber Unit 3?

AP Cyber Unit 3: Securing Networks covers 5 topics: Network Vulnerabilities and Attacks (3.1), Protecting Networks with Managerial Controls and Wireless Security (3.2), Network Segmentation (3.3), Firewalls (3.4), and Detecting Network Attacks (3.5). The unit focuses on how data is protected in transit and how defenders identify and stop network threats. See the full topic breakdown at [/ap-cybersecurity/unit-3](/ap-cybersecurity/unit-3).

### What's on the AP Cyber Unit 3 progress check (MCQ and FRQ)?

The AP Cyber Unit 3 progress check pulls questions from all 5 topics in Securing Networks: network vulnerabilities and attacks, wireless security, segmentation, firewall configuration, and detecting network attacks using log analysis. The MCQ part tests conceptual knowledge, while the FRQ part asks you to apply defensive strategies to realistic scenarios. For matched practice aligned to these topics, visit [/ap-cybersecurity/unit-3](/ap-cybersecurity/unit-3).

### How do I practice AP Cyber Unit 3 FRQs?

AP Cyber Unit 3 FRQs typically ask you to analyze a network scenario and recommend defensive measures, such as where to place a firewall, how to segment a network, or how to interpret log files for indicators of compromise (IoCs). Topics 3.3, 3.4, and 3.5 are the most common sources for these scenario-based questions. To practice, write out your reasoning in full sentences, justify each recommendation with a specific concept like segmentation or packet filtering, and check your logic against the topic objectives at [/ap-cybersecurity/unit-3](/ap-cybersecurity/unit-3).

### Where can I find AP Cyber Unit 3 practice questions?

The best place to find AP Cyber Unit 3 practice questions, including multiple-choice and practice test sets, is [/ap-cybersecurity/unit-3](/ap-cybersecurity/unit-3). You'll find MCQs covering network vulnerabilities, wireless security, firewalls, and log-based detection, organized by topic so you can target exactly where you need more work.

### How should I study AP Cyber Unit 3?

Start AP Cyber Unit 3 by building a clear picture of how network attacks work (3.1) before moving into defenses. Study each protective layer in order: managerial controls and wireless security (3.2), then segmentation (3.3), then firewalls (3.4). Finish with log analysis and indicators of compromise in 3.5, since detecting attacks ties everything together. A few concrete steps that help:
- Draw network diagrams showing where firewalls and segments go.
- Practice reading sample log files and flagging suspicious patterns.
- For each attack type in 3.1, write one sentence describing the matching defense.
- Test yourself with MCQs at [/ap-cybersecurity/unit-3](/ap-cybersecurity/unit-3) after each topic, not just at the end.

