1. Correct Hardware Strategy

Firewall: The primary inspection appliance. Positioned at the perimeter to guard against external threats and control data egress. It must be in-band to enforce rules.
Router: Manages Layer 3 routing between internal subnets and the inspection gateway. It defines the path between the switch and the firewall.
Switch: Provides high-speed Layer 2 connectivity. Essential for desktop isolation: each port is a separate collision domain, which prevents traffic sniffing.
WAP & Extender: The WAP provides the HQ signal, while the Extender mirrors parameters to bridge the 50ft gap without physical cabling.

2. Hardware Distractor Analysis

Hubs: Avoided because they are "dumb" Layer 1 devices. They replicate all traffic to all ports, which violates the requirement that desktops cannot see other traffic.
IDS (Intrusion Detection System): While useful for security, an IDS is a passive detection tool. The briefing required traffic inspection and control at the ingress, which is the primary role of an active Firewall.
Proxy Server: A distractor that filters traffic at the Application Layer (Layer 7). While it provides inspection, it is not the primary tool for general network-wide traffic inspection and routing control compared to a Firewall/Router combo.

3. ACL Logic Breakdown

Outbound Traffic (Rule #1): Initially set to "DENY." In professional networks, explicit ALLOW rules must be created for internal users (192.168.1.0/24) to reach 0.0.0.0/0 (the Internet) while maintaining a deny-all-else security posture.
ACL Distractors (SSH/HTTP/ICMP): Rules 2 through 9 exist to test the administrator's ability to ignore noise. While ICMP (Ping) or Telnet rules are common, only Rule #1 actually prevented the Internet Access mission requirement from being met.
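
The sketch below is an added example, not part of the original exercise. It shows why only Rule #1 decides the outcome and goes one step further by reporting which rules are shadowed. It assumes first-match ACL evaluation with an implicit deny; the contents of rules 2-4 and the test addresses are constructed stand-ins.

```python
import ipaddress

IMPLICIT_DENY = (0, "DENY")  # rule number 0 means no explicit rule matched

def rule(num, action, src, dst, proto="any", port=None):
    return {"num": num, "action": action, "proto": proto, "port": port,
            "src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst)}

def evaluate(acl, src_ip, dst_ip, proto, port=None):
    """Return (rule_number, action) of the first rule that matches the packet."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in acl:
        if src not in r["src"] or dst not in r["dst"]:
            continue
        if r["proto"] not in ("any", proto):
            continue
        if r["port"] is not None and r["port"] != port:
            continue
        return r["num"], r["action"]
    return IMPLICIT_DENY  # deny-all-else posture

def covers(earlier, later):
    """True if every packet matching `later` already matches `earlier`."""
    return (later["src"].subnet_of(earlier["src"])
            and later["dst"].subnet_of(earlier["dst"])
            and earlier["proto"] in ("any", later["proto"])
            and earlier["port"] in (None, later["port"]))

def shadowed_rules(acl):
    """Rule numbers that can never fire because an earlier rule covers them."""
    return [r["num"] for i, r in enumerate(acl)
            if any(covers(e, r) for e in acl[:i])]

def build_acl(rule1_action):
    # Rule 1 uses the networks from the exercise; rules 2-4 are constructed
    # SSH/HTTP/ICMP stand-ins for the distractor rules.
    return [
        rule(1, rule1_action, "192.168.1.0/24", "0.0.0.0/0"),
        rule(2, "ALLOW", "192.168.1.0/24", "0.0.0.0/0", "tcp", 22),
        rule(3, "ALLOW", "192.168.1.0/24", "0.0.0.0/0", "tcp", 80),
        rule(4, "ALLOW", "192.168.1.0/24", "0.0.0.0/0", "icmp"),
    ]

if __name__ == "__main__":
    for action in ("DENY", "ALLOW"):
        acl = build_acl(action)
        hit = evaluate(acl, "192.168.1.10", "203.0.113.10", "tcp", 80)
        print(f"Rule #1 = {action}: web request -> {hit}, "
              f"shadowed rules: {shadowed_rules(acl)}")
```
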

4. Wireless Configuration Analysis

Protocol (802.11ac): Selected for "Gigabit Fiber" support. 802.11ac is a 5GHz standard designed for very high throughput (VHT). Protocols like 'b', 'g', or 'n' (2.4GHz) lack the bandwidth capacity required.
WPA3 Business: The latest standard providing 192-bit cryptographic strength. It requires centralized authentication via RADIUS (Port 1812) rather than a shared static key used in Personal modes.
Radio Distractors (2.4GHz): Channels 1, 6, and 11 were distractions. Using these would cap the client at lower speeds, failing the Gigabit performance requirement.
SSID Visibility (Hidden): Disabling SSID broadcast (Hidden) adds a layer of operational security, forcing users to know the SSID "BB Tech Tools" and enter it manually.