6 Chapter 1 • General Security Concepts: Access Control, Authentication, and Auditing
Head of the Class…
Let’s Talk About Access and Authentication
The difference between access control and authentication is a very important distinction, which you must understand in order to pass the Security+ exam. Access control is used to control the access to a resource through some means. This could be thought of as a lock on a door or a guard in a building. Authentication, on the other hand, is the process of verifying that the person trying to access whatever resource is being controlled is authorized to access the resource. In our analogy, this would be the equivalent of trying the key or having the guard check your name against a list of authorized people. So in summary, access control is the lock and authentication is the key.
Access Control
Access control can be defined as a policy, software component, or hardware component that is used to grant or deny access to a resource. This can be an advanced component such as a Smart Card, a biometric device, or network access hardware such as routers, remote access points such as Remote Access Service (RAS), and virtual private networks (VPNs), or the use of wireless access points (WAPs). It can also be file or shared resource permissions assigned through the use of a network operating system (NOS) such as Microsoft Windows using New Technology File System (NTFS) in conjunction with Active Directory, Novell NetWare in conjunction with Novell Directory Services (NDS) or eDirectory, and UNIX systems using Lightweight Directory Access Protocol (LDAP), Kerberos, or Sun Microsystems’ Network Information System (NIS) and Network Information System Plus (NIS+). Finally, it can be a rule set that defines the operation of a software component limiting entrance to a system or network. We will explore a number of alternatives and possibilities for controlling access.
Authentication
Authentication can be defined as the process used to verify that a machine or user attempting access to the networks or resources is, in fact, the entity being presented. We will examine a process that proves user identity to a remote resource host. We will also review a method of tracking and ensuring non-repudiation of authentication (see Chapter 9). For this chapter, non-repudiation is the method used (time stamps, particular protocols, or authentication methods) to ensure that the presenter of the authentication request cannot later deny they were the originator of the request. In the following sections, authentication methods include presenta-
www.syngress.com