Network security isn't just about plugging in fancy hardware. A lot of it comes down to written rules that tell IT teams exactly how to set up and run their equipment. These rules are called managerial controls, and they cover everything from how routers get configured to who's allowed to use the VPN. This topic walks through the main policies organizations use and then digs into the technical settings that lock down wireless networks specifically.
Managerial Controls for Network Security
A managerial control is a written policy that defines the minimum security standards for how a network and its devices should be configured. Think of it as the rulebook. The actual settings on the equipment are the technical controls, but the policy is what tells admins which technical controls they must turn on. Without these policies, every IT person would configure things their own way, and inconsistency is where attackers slip in.
The CED focuses on four main policies you need to know: router, switch, VPN, and wireless.

Router Security Policy
A router security policy sets the minimum configuration standard for every router on the organization's network. Routers move traffic between networks (like between your office and the internet), so if one is misconfigured, an attacker could reroute or intercept tons of data.
A typical router security policy includes:
- Banning local user accounts. Instead of having usernames and passwords stored on each router, all logins must go through an approved authentication server (like a RADIUS or TACACS+ server). This way, when an employee leaves, you disable their account in one place, not on 50 different routers.
- Disabling unnecessary services. Old protocols like Telnet send data in plain text, including passwords. They should be turned off. Use SSH instead.
- Requiring a firewall. The router itself can run firewall features, or the organization can deploy a separate dedicated firewall device. Either way, the policy spells out that one must exist.
Switch Security Policy
A switch security policy does the same thing as the router policy, but for switches. Switches move traffic within a network (connecting all the computers in one office, for example).
Standard items in a switch policy:
- Banning local user accounts. Same idea as routers. All admin logins must use the central authentication server.
- Requiring port security. Port security is a feature that limits which devices can connect to a physical port on the switch. If someone unplugs an office PC and plugs in their own laptop, port security can shut that port down automatically.
- Using MAC filtering. Every network device has a unique MAC address, a hardware identifier burned into its network card. MAC filtering means the switch only allows traffic from a pre-approved list of MAC addresses.
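To make the port-security and MAC-filtering items concrete, here is an added example (not from the original page) that models a single switch port enforcing both: a static MAC filter list and a cap on dynamically learned addresses, with the "unplug the PC, plug in a laptop" scenario ending in an automatic port shutdown. Port names, addresses and limits are constructed values.

```python
import re
from dataclasses import dataclass, field

# Added example (not from the original page): a small model of a switch port that enforces
# a MAC filter list and a port-security limit. Port names, addresses and limits are constructed.

_NON_HEX = re.compile(r"[^0-9a-f]")

def normalize_mac(mac: str) -> str:
    """Canonicalize 'AA-BB-CC-DD-EE-FF', 'aabb.ccdd.eeff' or 'aa:bb:cc:dd:ee:ff' to one form.
    Vendors print MACs differently; comparing raw strings would reject approved devices."""
    digits = _NON_HEX.sub("", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

@dataclass
class SecurePort:
    name: str
    allowed: set = field(default_factory=set)  # static MAC filter list; empty means "learn dynamically"
    max_macs: int = 1                           # port-security cap on dynamically learned addresses
    violation_mode: str = "shutdown"            # "shutdown", "restrict" (drop and log) or "protect" (drop)
    learned: set = field(default_factory=set)
    violations: int = 0
    err_disabled: bool = False

    def __post_init__(self) -> None:
        self.allowed = {normalize_mac(m) for m in self.allowed}

    def frame_from(self, mac: str) -> str:
        """Decide what the switch does with a frame arriving on this port from source `mac`."""
        mac = normalize_mac(mac)
        if self.err_disabled:
            return "dropped (port err-disabled)"
        if mac in self.allowed or mac in self.learned:
            return "forwarded"
        if not self.allowed and len(self.learned) < self.max_macs:
            self.learned.add(mac)  # sticky learning: the first device seen becomes the approved one
            return "forwarded (learned)"
        # An unknown device on a full or filtered port is the scenario in the text:
        # someone unplugged the approved PC and plugged in their own laptop.
        self.violations += 1
        if self.violation_mode == "shutdown":
            self.err_disabled = True  # port stays down until an admin re-enables it
            return "dropped (port shut down)"
        if self.violation_mode == "restrict":
            return "dropped (logged)"
        return "dropped"
```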
VPN Policy
A virtual private network (VPN) creates an encrypted tunnel between a remote employee's device and the organization's internal network. Working from a coffee shop? The VPN makes it look like you're sitting in the office, and it scrambles your traffic so no one on the public Wi-Fi can read it.
A VPN policy covers:
- Who's allowed to use it. The policy lists which roles can connect. Maybe full-time employees and contractors get access, but interns don't. Not everyone needs remote access to sensitive systems.
- Authentication requirements. This usually means strong methods like a public/private key system or multi-factor authentication (MFA). A password alone isn't enough.
- A prohibition on split tunneling. Split tunneling (also called dual tunneling) means some of your traffic goes through the VPN and some goes straight to the regular internet. That sounds convenient, but it's a problem. If your laptop is connected to both the company network and the open internet at the same time, an attacker who compromises your machine could use it as a bridge into the company. Good policies ban this and force all traffic through the VPN.
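A split-tunneling ban is only enforceable if you can tell from the device which mode it is in. The following added example (not from the original page) reads an IPv4 routing table in Linux `ip route` style and classifies it as a full tunnel, a split tunnel, or no VPN at all; the interface name `tun0` and the route lines are constructed. It also handles a common pitfall: some VPN clients build a full tunnel from two /1 routes rather than replacing the default route, so checking for a literal `default ... dev tun0` would misreport them as split.

```python
import ipaddress

# Added example (not from the original page): a compliance check that reads a device's
# IPv4 routing table and decides whether traffic is forced through the VPN or split.
# Route text is constructed in Linux `ip route` style; "tun0" is an assumed VPN interface name.

def parse_routes(route_text: str) -> list[tuple[ipaddress.IPv4Network, str]]:
    """Turn lines such as 'default via 10.8.0.1 dev tun0' into (prefix, interface) pairs."""
    routes = []
    for line in route_text.strip().splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(prefix, strict=False)
        if net.version == 4:
            routes.append((net, fields[fields.index("dev") + 1]))
    return routes

def tunnel_mode(route_text: str, vpn_dev: str) -> str:
    """'full' if the VPN interface covers every destination, 'split' if only some, 'none' if the VPN is down.
    Some clients implement a full tunnel as 0.0.0.0/1 plus 128.0.0.0/1 without touching the default
    route, so the check collapses the VPN prefixes and asks whether they add up to 0.0.0.0/0."""
    vpn_nets = [net for net, dev in parse_routes(route_text) if dev == vpn_dev]
    if not vpn_nets:
        return "none"
    covered = list(ipaddress.collapse_addresses(vpn_nets))
    if covered == [ipaddress.ip_network("0.0.0.0/0")]:
        return "full"
    return "split"

# Constructed routing tables for the two cases the policy distinguishes. In the full tunnel the
# physical interface still carries the local LAN subnet and a host route to the VPN server itself
# (203.0.113.5); both are needed for the tunnel to exist and are not a split.
FULL_TUNNEL = """
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
203.0.113.5 via 192.168.1.1 dev wlan0
"""
SPLIT_TUNNEL = """
default via 192.168.1.1 dev wlan0
10.0.0.0/8 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""
```

A policy checker would run `tunnel_mode` on the client's routing table and treat anything other than `"full"` as non-compliant while the corporate network is reachable.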
Wireless Security Policy
A wireless security policy sets minimum security requirements for any Wi-Fi network the organization runs. Wireless is trickier than wired networks because the signal travels through the air, and anyone within range can try to grab it.
Common policy items:
- EAP authentication. Users must log in to the wireless network through an extensible authentication protocol (EAP) connected to an approved authentication server. EAP is a framework that lets the Wi-Fi network verify users against the same central server that handles other logins, instead of using a shared Wi-Fi password that everyone knows.
- AES encryption with a minimum key length. All wireless traffic must be encrypted with AES (Advanced Encryption Standard), and the policy will specify a minimum key size (like 128-bit or 256-bit) so weak encryption isn't allowed.
- Disabling beacon frames. More on this in the next section, but the policy will require it.
Configuring Wireless Network Security
The wireless policy tells you what to do. Now here's the how. These are the actual settings you'd configure on a wireless access point (WAP), the device that broadcasts your Wi-Fi signal.
Disabling Beacon Frames
A beacon frame is a small signal a WAP broadcasts on a regular schedule that announces the network's name (SSID) and capabilities. It's why your phone shows a list of nearby Wi-Fi networks. Beacons are convenient, but they basically yell "HEY I'M A NETWORK CALLED CORP-WIFI, COME FIND ME" to anyone listening.
Disabling beacon frame broadcasting hides the network from casual scans. Adversaries can still find the network with more advanced tools, but it raises the bar. They can't just open the Wi-Fi menu and see it sitting there.
Controlling Broadcast Direction and Signal Strength
If your office is on the third floor of a building, your Wi-Fi signal shouldn't be reaching the parking lot. That's just giving attackers a comfortable place to sit and try to break in.
You can:
- Lower the transmit power on the WAP so the signal doesn't travel as far.
- Use directional antennas that aim the signal in a specific direction instead of broadcasting in all directions (which is what most default antennas do).
- Physically place the WAP toward the center of the building rather than next to an outside wall.
The goal: the signal covers the space it needs to cover, and not much more.
Using Strong Encryption Protocols
Wireless encryption protocols have evolved over the years, and a lot of the older ones are now broken. Here's the lineup:
- WEP (Wired Equivalent Privacy): Ancient and insecure. Can be cracked in minutes with free tools. Never use.
- WPS (Wi-Fi Protected Setup): A feature meant to make connecting devices easier with a PIN. The PIN system has known vulnerabilities. Disable it.
- WPA (original): Was a fix for WEP but has since been broken. Insecure.
- WPA2: Much better, but has some known weaknesses (like the KRACK attack).
- WPA3: The current strongest wireless encryption protocol. This is what organizations should use whenever possible.
When you configure a WAP, you pick the encryption protocol from a dropdown. The right answer for a modern network is WPA3, paired with AES encryption underneath.
MAC Filtering and User Authentication
MAC filtering on a wireless network works the same way as on a switch. You create a list of approved MAC addresses, and the WAP rejects any device whose MAC address isn't on the list. It's not bulletproof (attackers can spoof MAC addresses), but it's another layer.
User authentication takes it further. Instead of (or in addition to) checking the device, you make the actual user log in. Hooking the WAP up to an EAP-based authentication server means every person joining the network needs valid credentials, just like logging into their email. If someone leaves the company, you disable their account once and they lose Wi-Fi access everywhere.
Putting Wireless Security Together
A well-configured corporate WAP would typically have:
- Beacon frame broadcasting disabled
- Signal strength tuned to cover only the intended area
- WPA3 encryption enabled (with AES)
- WEP, WPS, and old WPA disabled
- MAC filtering enabled
- EAP authentication tied to the company's central authentication server
Any one of these alone isn't enough. Layered together, they make a wireless network much harder to attack. That's the whole idea behind defense in depth: assume any single control might fail, and stack enough of them that an attacker has to defeat several to get in.
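The checklist above is the bridge between the managerial control (the written wireless policy) and the technical controls on the WAP. As an added example (not from the original page or any vendor), here is a rule-driven audit that compares an access point's settings to each item on that checklist; the configuration key names, the 128-bit minimum, and both sample configurations are constructed for illustration, since real controllers expose these settings under their own names.

```python
# Added example (not from the original page): a rule-driven audit of an access point's
# settings against the wireless checklist, tying the written policy to the configuration.
# Key names, values and both sample configurations are constructed; real controllers
# expose these settings under vendor-specific names.

POLICY_MIN_AES_BITS = 128                   # assumed policy minimum (the text allows 128 or 256)
LEGACY_PROTOCOLS = {"WEP", "WPA", "WPA2"}   # protocols the text says to disable or move away from

def audit_wap(cfg: dict) -> list[str]:
    """Return the policy violations found in `cfg`; an empty list means the WAP is compliant."""
    findings = []
    protocols = set(cfg.get("protocols", []))
    if cfg.get("beacon_broadcast", True):
        findings.append("beacon frames enabled: SSID is visible to casual scans")
    if cfg.get("tx_power_dbm", 0) > cfg.get("site_tx_power_limit_dbm", 0):
        findings.append("transmit power exceeds the surveyed limit for the coverage area")
    if "WPA3" not in protocols:
        findings.append("WPA3 not enabled")
    for legacy in sorted(protocols & LEGACY_PROTOCOLS):
        findings.append(f"legacy protocol {legacy} still enabled")
    if cfg.get("wps_enabled", False):
        findings.append("WPS enabled: PIN method has known weaknesses")
    if cfg.get("cipher") != "AES" or cfg.get("key_bits", 0) < POLICY_MIN_AES_BITS:
        findings.append(f"encryption must be AES with at least {POLICY_MIN_AES_BITS}-bit keys")
    if not cfg.get("mac_filtering", False):
        findings.append("MAC filtering disabled")
    if cfg.get("auth_method") != "EAP" or not cfg.get("auth_server"):
        findings.append("authentication must use EAP against the central authentication server")
    return findings

# Constructed configurations: a typical out-of-the-box AP and one hardened to the checklist.
DEFAULT_AP = {
    "beacon_broadcast": True, "tx_power_dbm": 23, "site_tx_power_limit_dbm": 14,
    "protocols": ["WPA2", "WPA3"], "wps_enabled": True, "cipher": "AES", "key_bits": 128,
    "mac_filtering": False, "auth_method": "PSK", "auth_server": None,
}
HARDENED_AP = {
    "beacon_broadcast": False, "tx_power_dbm": 12, "site_tx_power_limit_dbm": 14,
    "protocols": ["WPA3"], "wps_enabled": False, "cipher": "AES", "key_bits": 256,
    "mac_filtering": True, "auth_method": "EAP", "auth_server": "radius.corp.example",
}
```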
Vocabulary
The following words are mentioned explicitly in the College Board Course and Exam Description for this topic.

| Term | Definition |
|---|---|
| AES encryption | Advanced Encryption Standard, a symmetric encryption algorithm used to protect wireless traffic and data. |
| authentication | The process of verifying the identity of a user or system, typically through credentials such as passwords. |
| authentication server | A centralized system that verifies user credentials and manages access to network resources. |
| beacon frame | A wireless transmission sent by an access point that broadcasts the network's presence and basic properties, which can be disabled to hide the network from discovery. |
| extensible authentication protocol | An authentication framework that allows wireless networks to connect to an approved authentication server to verify user credentials. |
| firewall | A network security device or software that monitors and controls incoming and outgoing network traffic based on predetermined security rules. |
| local user accounts | User accounts created and stored directly on a network device rather than managed by a centralized authentication system. |
| MAC filtering | A network security technique that controls network access by allowing or blocking devices based on their Media Access Control (MAC) addresses. |
| managerial controls | Security measures that provide rules, guidelines, policies, and procedures to specify what security should be in place, including password policies and incident response plans. |
| multi-factor authentication | A security method that requires users to provide multiple forms of verification to authenticate and access a system. |
| port security | A network security feature that controls which devices can connect to specific switch ports by limiting the number of MAC addresses allowed on a port. |
| router security policy | A set of minimum configuration standards that define how routers on an organization's network must be secured and operated. |
| signal strength | The power level of a wireless signal transmitted by an access point, which can be controlled to limit network coverage to intended areas. |
| split tunneling | A VPN configuration where a user's device simultaneously routes some traffic through the VPN and other traffic directly to the internet, creating a security risk. |
| switch security policy | A set of minimum configuration standards that define how switches on an organization's network must be secured and operated. |
| virtual private network policy | An organizational policy that establishes minimum security requirements for employees accessing the organization's internal network through a VPN. |
| Wi-Fi Protected Access | Wi-Fi Protected Access; an original wireless encryption protocol that has known vulnerabilities and has been superseded by stronger standards. |
| Wi-Fi Protected Setup | Wi-Fi Protected Setup; a wireless encryption protocol with known vulnerabilities that is no longer considered secure. |
| Wired Equivalent Privacy | Wired Equivalent Privacy; an early wireless encryption protocol that has known vulnerabilities and is considered insecure. |
| wireless access point | A networking device that allows wireless devices to connect to a wired network and transmit data wirelessly. |
| wireless encryption protocols | Security standards used to encrypt wireless data transmissions to prevent unauthorized access and interception. |
| wireless network security | The configuration and implementation of security measures to protect wireless networks from unauthorized access and data interception. |
| wireless security policy | An organizational policy that establishes minimum security requirements for wireless networks within an organization. |
| WPA3 | The current strongest wireless encryption algorithm that provides enhanced security for wireless network communications. |