66 Eleventh Hour Security : Exam SY0-201 Study Guide

area network (LAN) where the requesting machine knows the target's IP address but needs to associate that IP address with a MAC address. A MAC address is a unique identifier or address that is assigned to most network adapters or network interface cards and, technically, each MAC address on a given LAN should be unique. The spoofed ARP message allows the attacker to associate a MAC address of their choosing to a particular IP address, which means any traffic meant for that IP address would be mistakenly sent to the attacker instead. This opens the door for numerous attack mechanisms to be employed including:

- IP spoofing attacks
- MITM attacks
- DoS attacks

NETWORK DESIGN ELEMENTS AND COMPONENTS

Understanding the components and elements used in network design and how they work together is a good first step to building an effective design. This section discusses the following components of network design:

- Demilitarized zone (DMZ)
- Subnets
- VLANs
- Network Address Translation
- Network Access Control/Network Access Protection
- IP Telephony

While differing components can be effectively used together, in some instances they need to be used completely separately from each other. The different pieces that make up a network can be considered as discrete network segments holding systems that share common requirements. These are sometimes called security zones, and some of these common requirements can be:

- The types of information the zone handles
- Who uses the zone
- What levels of security the zone requires in order to protect its data

Firewalls

A firewall is the most common device used to protect an internal network from outside intruders. When properly configured, a firewall blocks access to an internal network from the outside, and blocks users of the internal network from accessing potentially dangerous external networks or ports. There are three firewall technologies examined in the Security+ exam.
Packet filtering works at the network layer of the Open Systems Interconnect (OSI) model and is designed to operate rapidly by either allowing or denying packets.
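As an added example (not from the book), the allow-or-deny decision described above can be sketched as a stateless packet filter in Python: each packet's header fields are compared against an ordered rule list, the first match wins, and anything unmatched is denied. The rule set, addresses, interface names and the `filter_packet` and `pkt` helpers are assumptions made for illustration; rule 1 shows how a filter rejects a packet that arrives from outside while claiming an internal source address.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    iface: str             # arrival interface: "inside", "outside" or "any"
    src: str               # source network, CIDR
    dst: str               # destination network, CIDR
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port; None matches any port

    def matches(self, pkt: dict) -> bool:
        return (self.iface in ("any", pkt["iface"])
                and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt["proto"])
                and self.dport in (None, pkt["dport"]))

# Constructed rule set: 192.168.10.0/24 is an assumed internal LAN and
# 203.0.113.10 an assumed DMZ web server (private/documentation addresses).
ANY, LAN = "0.0.0.0/0", "192.168.10.0/24"
RULES = [
    Rule("deny",  "outside", LAN, ANY, "any", None),    # 1: internal source seen on the outside is spoofed
    Rule("deny",  "inside",  LAN, ANY, "tcp", 23),      # 2: no outbound telnet
    Rule("allow", "inside",  LAN, ANY, "any", None),    # 3: other outbound traffic
    Rule("allow", "outside", ANY, "203.0.113.10/32", "tcp", 443),  # 4: public HTTPS to the DMZ
]

def filter_packet(pkt: dict, rules=RULES):
    """First matching rule wins; unmatched packets are denied. Returns (action, rule number or None)."""
    for number, rule in enumerate(rules, start=1):
        if rule.matches(pkt):
            return rule.action, number
    return "deny", None

def pkt(iface, src, dst, proto, dport):
    return {"iface": iface, "src": src, "dst": dst, "proto": proto, "dport": dport}

if __name__ == "__main__":
    for p in (  # constructed sample packets
        pkt("outside", "198.51.100.7", "192.168.10.5", "tcp", 445),
        pkt("inside", "192.168.10.5", "198.51.100.7", "tcp", 23),
        pkt("outside", "198.51.100.7", "203.0.113.10", "tcp", 443),
        pkt("outside", "192.168.10.9", "203.0.113.10", "tcp", 443),
    ):
        print(p, "->", filter_packet(p))
```

Rule order matters: swapping rules 2 and 3 would let outbound telnet through, because the broader allow would match first.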