3.2 Protecting Networks: Managerial Controls and Wireless Security

Written by the Fiveable Content Team • Last updated June 2026
Verified for the 2027 exam

TLDR

Network security relies on two things working together: written rules called managerial controls and the actual settings you turn on. Managerial controls are policies that set minimum configuration standards for routers, switches, VPNs, and wireless networks. For wireless specifically, you secure access points by disabling beacon frames, controlling signal strength, enabling strong encryption like WPA3, and requiring users and devices to authenticate.


Why This Matters for the AP Cybersecurity Exam

This topic in AP Cybersecurity connects the "why" of security policy with the "how" of configuration. You need to identify what each managerial control covers (router, switch, VPN, and wireless policies) and recognize when a specific policy item applies to a scenario. You also need to configure wireless security features and explain why each one reduces risk.

Expect scenario-style questions where you match a security goal to the right control or spot a misconfiguration. Being able to explain why split tunneling is risky or why WEP is unacceptable shows the adversarial thinking and defense-in-depth reasoning this course is built around.

Key Takeaways

  • Managerial controls are written policies that set minimum security standards; technical controls are the actual settings those policies require.
  • The four network policies to know are router, switch, VPN, and wireless security policies.
  • Common policy items include banning local user accounts, disabling unnecessary services like Telnet, requiring firewalls, enabling port security, and using MAC filtering.
  • VPN policies define who can connect, require strong authentication, and usually prohibit split tunneling.
  • Wireless security uses disabled beacon frames, tuned signal strength, strong encryption (WPA3 with AES), and authentication through EAP and MAC filtering.
  • Defense in depth means stacking controls so no single failure exposes the network.

Managerial Controls for Network Security

A managerial control is a written policy that defines the minimum security standards for how a network and its devices should be configured. Think of it as the rulebook. The actual settings on the equipment are the technical controls, but the policy is what tells admins which technical controls they must turn on. Without these policies, every IT person would configure things their own way, and inconsistency is where attackers slip in.

There are four main policies to know: router, switch, VPN, and wireless.

Router Security Policy

A router security policy sets the minimum configuration standard for every router on the organization's network. Routers move traffic between networks (like between your office and the internet), so if one is misconfigured, an attacker could reroute or intercept large amounts of data.

A typical router security policy includes:

  • Banning local user accounts. Instead of storing usernames and passwords on each router, all logins must go through an approved authentication server. This way, when an employee leaves, you disable their account in one place, not on dozens of separate routers.
  • Disabling unnecessary services. Old protocols like Telnet send data in plain text, including passwords, so they should be turned off.
  • Requiring a firewall. The router itself can run firewall features, or the organization can deploy a separate dedicated firewall device. Either way, the policy spells out that one must exist.

Switch Security Policy

A switch security policy does the same thing as the router policy, but for switches. Switches move traffic within a network, connecting all the computers in one office, for example.

Standard items in a switch policy:

  • Banning local user accounts. Same idea as routers. All admin logins must use the central authentication server.
  • Requiring port security. Port security limits which devices can connect to a physical port on the switch. If someone unplugs an office PC and plugs in their own laptop, port security can shut that port down automatically.
  • Using MAC filtering. Every network device has a unique MAC address, a hardware identifier on its network card. MAC filtering means the switch only allows traffic from a pre-approved list of MAC addresses.

VPN Policy

A virtual private network (VPN) creates an encrypted tunnel between a remote employee's device and the organization's internal network. When you work from a coffee shop, the VPN makes it look like you are sitting in the office and scrambles your traffic so no one on the public Wi-Fi can read it.

A VPN policy covers:

  • Who is allowed to use it. The policy lists which roles can connect. Not everyone needs remote access to sensitive systems.
  • Authentication requirements. This usually means strong methods like a public/private key system or multi-factor authentication (MFA). A password alone is not enough.
  • A prohibition on split tunneling. Split tunneling (also called dual tunneling) means some of your traffic goes through the VPN and some goes straight to the regular internet. If your laptop is connected to both the company network and the open internet at the same time, an attacker who compromises your machine could use it as a bridge into the company. Good policies ban this and force all traffic through the VPN.
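
One way to verify the split-tunneling ban on a Linux client is to read its routing table and confirm that no route with a gateway sends traffic outside the tunnel. This is an added example, not part of the original study guide; the interface names, addresses and route listings are constructed.

```python
import ipaddress

# Constructed `ip -4 route show` output from a hypothetical laptop. Assumed names:
# tun0 is the VPN interface, wlan0 the public Wi-Fi, 198.51.100.7 the VPN server.
FULL_TUNNEL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
198.51.100.7 via 192.168.1.1 dev wlan0
"""
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
"""

def parse_routes(text):
    """Return (network, device, has_gateway) for each route line."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dest, strict=False)
        dev = fields[fields.index("dev") + 1]
        routes.append((net, dev, "via" in fields))
    return routes

def bypass_routes(text, tunnel_dev, vpn_server):
    """List gateway routes that send traffic outside the tunnel.

    A non-tunnel route is harmless only if more-specific tunnel routes cover
    its whole prefix (longest-prefix match then always picks the tunnel), or
    if it is the host route carrying the encrypted packets to the VPN server.
    Directly connected routes (no gateway) are the local LAN and are skipped.
    """
    routes = parse_routes(text)
    tunnel_nets = [net for net, dev, _ in routes if dev == tunnel_dev]
    endpoint = ipaddress.ip_network(vpn_server)
    findings = []
    for net, dev, has_gateway in routes:
        if dev == tunnel_dev or not has_gateway or net == endpoint:
            continue
        covered = list(ipaddress.collapse_addresses(
            t for t in tunnel_nets if t != net and t.subnet_of(net)))
        if covered != [net]:
            findings.append(f"{net} leaves via {dev}")
    return findings

if __name__ == "__main__":
    for label, table in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)):
        print(label, bypass_routes(table, "tun0", "198.51.100.7") or "no bypass routes")
```

IPv6 needs the same check against `ip -6 route show`, since an IPv4-only tunnel can still leave IPv6 traffic on the public network.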

Wireless Security Policy

A wireless security policy sets minimum security requirements for any Wi-Fi network the organization runs. Wireless is trickier than wired networks because the signal travels through the air, and anyone within range can try to grab it.

Common policy items:

  • EAP authentication. Users must log in to the wireless network through an extensible authentication protocol (EAP) connected to an approved authentication server. EAP is a framework that lets the Wi-Fi network verify users against the same central server that handles other logins, instead of using a shared Wi-Fi password that everyone knows.
  • AES encryption with a minimum key length. All wireless traffic must be encrypted with AES (Advanced Encryption Standard), and the policy will specify a minimum key size so weak encryption is not allowed.
  • Disabling beacon frames. The policy requires it, and the next section covers how.

Configuring Wireless Network Security

The wireless policy tells you what to do. Here is the how. These are the actual settings you would configure on a wireless access point (WAP), the device that broadcasts your Wi-Fi signal.

Disabling Beacon Frames

A beacon frame is a small signal a WAP broadcasts on a regular schedule that announces the network's name (SSID) and capabilities. It is why your phone shows a list of nearby Wi-Fi networks. Beacons are convenient, but they basically announce the network to anyone listening.

Disabling beacon frame broadcasting hides the network from casual scans. Adversaries can still find the network with more advanced tools, but it raises the bar. They cannot just open the Wi-Fi menu and see it sitting there.

Controlling Broadcast Direction and Signal Strength

If your office is on the third floor of a building, your Wi-Fi signal should not be reaching the parking lot. That just gives attackers a comfortable place to sit and try to break in.

You can:

  • Lower the transmit power on the WAP so the signal does not travel as far.
  • Use directional antennas that aim the signal in a specific direction instead of broadcasting in all directions.
  • Physically place the WAP toward the center of the building rather than next to an outside wall.

The goal is for the signal to cover the space it needs to cover, and not much more.

Using Strong Encryption Protocols

Wireless encryption protocols have changed over the years, and several older ones are now broken. Here is the lineup:

  • WEP (Wired Equivalent Privacy): Old and insecure. Never use it.
  • WPS (Wi-Fi Protected Setup): A feature meant to make connecting devices easier with a PIN. The PIN system has known vulnerabilities. Disable it.
  • WPA (original): Was a fix for WEP but has since been broken. Insecure.
  • WPA3: The current strongest wireless encryption protocol. This is what organizations should use whenever possible.

When you configure a WAP, you pick the encryption protocol from a setting. The right choice for a modern network is WPA3, paired with AES encryption underneath.

MAC Filtering and User Authentication

MAC filtering on a wireless network works the same way as on a switch. You create a list of approved MAC addresses, and the WAP rejects any device whose MAC address is not on the list. It is not bulletproof because attackers can spoof MAC addresses, but it is another layer.

User authentication takes it further. Instead of (or in addition to) checking the device, you make the actual user log in. Hooking the WAP up to an EAP-based authentication server means every person joining the network needs valid credentials. If someone leaves the company, you disable their account once and they lose Wi-Fi access everywhere.

Putting Wireless Security Together

A well-configured corporate WAP would typically have:

  • Beacon frame broadcasting disabled
  • Signal strength tuned to cover only the intended area
  • WPA3 encryption enabled (with AES)
  • WEP, WPS, and old WPA disabled
  • MAC filtering enabled
  • EAP authentication tied to the company's central authentication server

Any one of these alone is not enough. Layered together, they make a wireless network much harder to attack. That is the idea behind defense in depth: assume any single control might fail, and stack enough of them that an attacker has to defeat several to get in.
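
The checklist above can be turned into an audit that compares an access point's settings (the technical controls) with the policy (the managerial control). This is an added example, not part of the original study guide: it assumes the access point runs hostapd, the two sample configurations are constructed, and the mapping of checklist items to hostapd options is this example's own. Signal strength is left out because hostapd.conf does not set transmit power.

```python
# Constructed hostapd.conf samples; SSID, paths and addresses are illustrative.
WEAK = """\
ssid=CorpWiFi
ignore_broadcast_ssid=0
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wps_state=2
macaddr_acl=0
"""
HARDENED = """\
ssid=CorpWiFi
ignore_broadcast_ssid=1
wpa=2
wpa_key_mgmt=WPA-EAP-SHA256
rsn_pairwise=CCMP
ieee80211w=2
ieee8021x=1
auth_server_addr=192.0.2.10
wps_state=0
macaddr_acl=1
accept_mac_file=/etc/hostapd/accept.list
"""

# Key-management suites this example treats as WPA3 (assumption of the example).
WPA3_AKMS = {"SAE", "WPA-EAP-SHA256", "WPA-EAP-SUITE-B-192"}

def parse(conf):
    """Parse hostapd key=value lines, skipping comments and blank lines."""
    cfg = {}
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def audit(conf):
    """Return the checklist items this configuration fails, in checklist order."""
    c = parse(conf)
    akms = set(c.get("wpa_key_mgmt", "").split())
    ciphers = set(f"{c.get('rsn_pairwise', '')} {c.get('wpa_pairwise', '')}".split())
    checks = [
        # hostapd still sends beacons, but with an empty SSID field.
        ("SSID hidden in beacons", c.get("ignore_broadcast_ssid", "0") in ("1", "2")),
        # wpa=2 excludes original WPA; ieee80211w=2 makes protected
        # management frames mandatory.
        ("WPA3 only", c.get("wpa") == "2" and bool(akms) and akms <= WPA3_AKMS
            and c.get("ieee80211w") == "2"),
        ("AES ciphers only", bool(ciphers) and "TKIP" not in ciphers),
        ("WEP disabled", not any(k.startswith("wep_") for k in c)),
        ("WPS disabled", c.get("wps_state", "0") == "0"),
        ("MAC filtering enabled", c.get("macaddr_acl") in ("1", "2")),
        ("EAP via authentication server", c.get("ieee8021x") == "1"
            and "auth_server_addr" in c and any(a.startswith("WPA-EAP") for a in akms)),
    ]
    return [name for name, ok in checks if not ok]

if __name__ == "__main__":
    for label, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(conf) or "meets the checklist")
```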

How to Use This on the AP Cybersecurity Exam

MCQ

Watch for scenarios that describe a problem and ask which control fixes it. If a question mentions logins stored on individual devices, the fix is banning local user accounts and using a central authentication server. If a question describes Wi-Fi reaching outside the building, the answer involves signal strength or directional antennas.

Matching Controls to Goals

Practice connecting each policy to the device it governs. Router policy covers routers, switch policy covers switches, VPN policy covers remote access, and wireless policy covers Wi-Fi. Mixing these up is an easy way to lose points.

Common Trap

Questions may list an outdated protocol like WEP, WPS, or original WPA and present it as a reasonable option. Remember these are insecure. WPA3 is the strongest current choice. Also watch for split tunneling described as a convenient feature; the secure policy choice is to prohibit it.

Explaining Why

When a question asks you to justify a control, tie it to a risk it reduces. Disabling beacon frames makes the network harder to find. Strong encryption keeps intercepted frames unreadable. Authentication keeps unauthorized users out. Connecting the control to the threat shows the reasoning the exam rewards.

Common Misconceptions

  • Managerial controls and technical controls are the same thing. They are not. A managerial control is the written policy that sets the standard; the technical control is the actual setting that meets it.
  • Disabling beacon frames makes a network invisible. It only hides the network from casual scanning. Determined attackers with the right tools can still detect it.
  • MAC filtering fully blocks unauthorized devices. Attackers can spoof an approved MAC address, so MAC filtering is one layer, not a complete defense.
  • Split tunneling is a helpful convenience worth allowing. It creates a bridge between the open internet and the internal network, which is why secure policies prohibit it.
  • WPA2 is fine for everything. WPA3 is the strongest current protocol and the recommended choice; WEP, WPS, and original WPA are insecure and should be disabled.
  • A VPN encrypts all your traffic automatically. Only if split tunneling is disabled. With split tunneling on, some traffic bypasses the encrypted tunnel.

Vocabulary

The following words are mentioned explicitly in the AP® course framework for this topic.

| Term | Definition |
| --- | --- |
| AES encryption | Advanced Encryption Standard, a symmetric encryption algorithm used to protect wireless traffic and data. |
| authentication | The process of verifying the identity of a user or system, typically through credentials such as passwords. |
| authentication server | A centralized system that verifies user credentials and manages access to network resources. |
| beacon frame | A wireless transmission sent by an access point that broadcasts the network's presence and basic properties, which can be disabled to hide the network from discovery. |
| extensible authentication protocol | An authentication framework that allows wireless networks to connect to an approved authentication server to verify user credentials. |
| firewall | A network security device or software that monitors and controls incoming and outgoing network traffic based on predetermined security rules. |
| local user accounts | User accounts created and stored directly on a network device rather than managed by a centralized authentication system. |
| MAC filtering | A network security technique that controls network access by allowing or blocking devices based on their Media Access Control (MAC) addresses. |
| managerial controls | Security measures that provide rules, guidelines, policies, and procedures to specify what security should be in place, including password policies and incident response plans. |
| multi-factor authentication | A security method that requires users to provide multiple forms of verification to authenticate and access a system. |
| port security | A network security feature that controls which devices can connect to specific switch ports by limiting the number of MAC addresses allowed on a port. |
| router security policy | A set of minimum configuration standards that define how routers on an organization's network must be secured and operated. |
| signal strength | The power level of a wireless signal transmitted by an access point, which can be controlled to limit network coverage to intended areas. |
| split tunneling | A VPN configuration where a user's device simultaneously routes some traffic through the VPN and other traffic directly to the internet, creating a security risk. |
| switch security policy | A set of minimum configuration standards that define how switches on an organization's network must be secured and operated. |
| virtual private network policy | An organizational policy that establishes minimum security requirements for employees accessing the organization's internal network through a VPN. |
| Wi-Fi Protected Access | Wi-Fi Protected Access; an original wireless encryption protocol that has known vulnerabilities and has been superseded by stronger standards. |
| Wi-Fi Protected Setup | Wi-Fi Protected Setup; a wireless encryption protocol with known vulnerabilities that is no longer considered secure. |
| Wired Equivalent Privacy | Wired Equivalent Privacy; an early wireless encryption protocol that has known vulnerabilities and is considered insecure. |
| wireless access point | A networking device that allows wireless devices to connect to a wired network and transmit data wirelessly. |
| wireless encryption protocols | Security standards used to encrypt wireless data transmissions to prevent unauthorized access and interception. |
| wireless network security | The configuration and implementation of security measures to protect wireless networks from unauthorized access and data interception. |
| wireless security policy | An organizational policy that establishes minimum security requirements for wireless networks within an organization. |
| WPA3 | The current strongest wireless encryption algorithm that provides enhanced security for wireless network communications. |

Frequently Asked Questions

What is the difference between managerial controls and technical controls in AP Cybersecurity 3.2?

A managerial control is a written policy that sets the minimum security standards for how network devices should be configured. A technical control is the actual setting applied to the device to meet that standard. For example, a router security policy is the managerial control, while disabling Telnet on the router is the technical control.

Why is split tunneling prohibited in a VPN policy?

Split tunneling allows some traffic to go through the VPN while the rest travels directly over the public internet, meaning a compromised device could act as a bridge between the open internet and the organization's internal network. Secure VPN policies prohibit split tunneling so that all traffic is forced through the encrypted VPN tunnel.

What wireless encryption protocol should organizations use according to AP Cybersecurity 3.2?

Organizations should use WPA3, which is currently the strongest wireless encryption protocol. WEP, WPS, and the original WPA all have known vulnerabilities and are considered insecure, so they should be disabled on wireless access points.

What does disabling beacon frames do on a wireless access point?

Disabling beacon frame broadcasting stops the wireless access point from regularly announcing the network's name and properties, making it harder for adversaries to find the network through a casual scan. It does not make the network completely invisible, but it raises the difficulty for attackers who rely on passive discovery.

What are the main items included in a switch security policy for AP Cybersecurity?

A switch security policy typically requires banning local user accounts so all logins go through a central authentication server, enabling port security to restrict which devices can connect to each physical port, and using MAC filtering to allow only pre-approved devices onto the network.
