Router Security Audit

Shirshendu De
Level 1

Can anyone explain the advantages and disadvantages of Gratuitous ARPs (Address Resolution Protocols)

3 Accepted Solutions
7 Replies

nspasov
Cisco Employee

Hello Shirshendu-

There are a lot of other threads on the community about gratuitous arp that you can reference. Here are a few good ones:

https://supportforums.cisco.com/discussion/12257536/what-gratuitous-arp

https://supportforums.cisco.com/discussion/10812846/gratuitous-arp

Overall, here is a good summary:

Gratuitous ARPs are useful for four reasons:

  • They can help detect IP conflicts. When a machine receives an ARP request containing a source IP that matches its own, then it knows there is an IP conflict.
  • They assist in the updating of other machines' ARP tables. Clustering solutions utilize this when they move an IP from one NIC to another, or from one machine to another. Other machines maintain an ARP table that contains the MAC associated with an IP. When the cluster needs to move the IP to a different NIC, be it on the same machine or a different one, it reconfigures the NICs appropriately then broadcasts a gratuitous ARP reply to inform the neighboring machines about the change in MAC for the IP. Machines receiving the ARP packet then update their ARP tables with the new MAC.

  • They inform switches of the MAC address of the machine on a given switch port, so that the switch knows that it should transmit packets sent to that MAC address on that switch port.
  • Every time an IP interface or link goes up, the driver for that interface will typically send a gratuitous ARP to preload the ARP tables of all other local hosts. Thus, a gratuitous ARP will tell us that that host just has had a link up event, such as a link bounce, a machine just being rebooted or the user/sysadmin on that host just configuring the interface up. If we see multiple gratuitous ARPs from the same host frequently, it can be an indication of bad Ethernet hardware/cabling resulting in frequent link bounces.

I hope this helps!

Thank you for rating helpful posts!
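As an added example (not from the thread or from Cisco), this Python script parses raw Ethernet/ARP frames and applies the first, second and fourth points above: a gratuitous ARP that claims our own IP from another MAC is an IP conflict, the other bindings are what neighbours relearn, and a sender repeating gratuitous ARPs is a possible link-bounce indicator. The frames, addresses and the three-announcement threshold are constructed for illustration.

```python
import struct
from collections import Counter

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6

def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))

def ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))

def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build an Ethernet II + IPv4 ARP frame (used here only to construct samples)."""
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac(sha) + ip(spa) + mac(tha) + ip(tpa)
    return BROADCAST + mac(sha) + struct.pack("!H", ETHERTYPE_ARP) + arp

def parse_arp(frame: bytes):
    """Return the ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": frame[22:28].hex(":"), "spa": ".".join(map(str, frame[28:32])),
            "tha": frame[32:38].hex(":"), "tpa": ".".join(map(str, frame[38:42]))}

def is_gratuitous(arp: dict) -> bool:
    """A gratuitous ARP announces the sender's own binding: sender IP == target IP."""
    return arp["spa"] == arp["tpa"]

def analyze(frames, my_ip: str, my_mac: str, flap_threshold: int = 3) -> dict:
    """Classify gratuitous ARPs as a host on the segment would see them."""
    conflicts, updates, garps = [], {}, Counter()
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None or not is_gratuitous(arp):
            continue
        garps[arp["sha"]] += 1  # per-sender GARP count (frequent = link bounces?)
        if arp["spa"] == my_ip and arp["sha"] != my_mac:
            conflicts.append(arp["sha"])  # someone else claims our IP: conflict
        else:
            updates[arp["spa"]] = arp["sha"]  # binding neighbours would relearn
    flapping = sorted(m for m, n in garps.items() if n >= flap_threshold)
    return {"conflicts": conflicts, "updates": updates, "flapping": flapping}

# Constructed sample traffic: a cluster VIP announced from its new NIC, a host
# whose link keeps bouncing, and a third host wrongly configured with our address.
SAMPLE = [
    build_arp(ARP_REPLY, "00:00:5e:00:01:0a", "10.0.0.50", "ff:ff:ff:ff:ff:ff", "10.0.0.50"),
    *([build_arp(ARP_REQUEST, "00:11:22:33:44:55", "10.0.0.20", "00:00:00:00:00:00", "10.0.0.20")] * 3),
    build_arp(ARP_REQUEST, "de:ad:be:ef:00:01", "10.0.0.10", "00:00:00:00:00:00", "10.0.0.10"),
]
```

Running `analyze(SAMPLE, my_ip="10.0.0.10", my_mac="aa:bb:cc:dd:ee:01")` reports the conflicting MAC, the two relearned bindings and the flapping sender.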

Shirshendu De
Level 1

Thank you Neno Spasov. I am new in this forum so discovery will take some time. But I am highly grateful as you have not only explained but have also given some links that will help. Thank you once again.

You are most welcome! Glad I was able to help!

Now, if your issue/question was resolved, then you should mark the thread as "answered" :)

Regards,

Neno

To ensure router security we know that we must enable SSH for accessing the router. What are the common vulnerabilities of not activating SSH? I know there are two threats, interception of communication and host impersonation. What else? What is the latest version of SSH to be used? Is it SSH version 2?

The alternative to ssh is telnet. SSH utilizes cryptography to send the username/password encrypted, thus preventing someone sniffing the traffic from obtaining the credentials. On the other hand, telnet sends the username/password in clear text, thus making your environment vulnerable. 

Yes, v2 is the current implementation of SSH. 

For additional information on device hardening I would recommend using the information in the link below. I have used it many times to craft a security baseline for customers:

http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html

Thank you for rating helpful posts!

When performing a detailed Router Security Audit, a lot of factors are taken into consideration. One such area is setting the Banner message. I am sharing these important points which may guide you in performing the audit activity.

Every router should have an appropriate warning banner for all login access. These banners, however, are often thought of as pure fluff by those technically inclined. How could a warning banner serve as any protection against a hacker? What hacker is going to go away because a warning banner tells him to? It is important to remember that warning banners are not implemented to provide technical protection. They provide legal protection.

Legal Issues

Because many technicians see warning banners as worthless in the prevention of hack attacks, most systems have no banners. Even if management requires that banners be put in place, most administrators don't understand what a banner should say to provide legal protection, so even systems that have banners often include ineffectual ones.

A good warning banner has four main goals. It needs to:

  • Be legally sufficient for prosecution of intruders

  • Shield administrators from liability

  • Warn users about monitoring or recording of system use

  • Not leak information that could be useful to an attacker

Each banner should address the following issues:

Authorized users only

The banner should specify that this system is for authorized users only. This specification keeps a hacker from claiming ignorance. While not the most effective legal strategy, with the novelty of computers and lack of case law, prosecutors are concerned enough about it that it should be included in every banner.

Official work

In addition to restricting the system to authorized users, the banner should state that the system is to be used for official work only. This statement closes the loophole of an authorized user attempting unauthorized activities.

No expectation of privacy

Every banner should explicitly state that there is no expectation of privacy when using the system. This statement is extremely important. The Electronic Communications Privacy Act makes it illegal to intercept or disclose the contents of electronic communications unless there is explicit notice that users have no expectation of privacy (or the courts grant a wiretap). Without such a warning, an administrator performing routine maintenance might be performing an illegal wiretap and violating the law.

All access and use may be monitored and/or recorded

Elaborating on the previous statement, this explicitly states that all access and use may be monitored and/or recorded. It is important to say may be monitored rather than will be monitored. Computer logs can sometimes be considered hearsay and rendered inadmissible in a court of law. If your banner says that all access will be monitored and you don't monitor all access, a defending attorney might be able to relegate your entire warning banner to the state of an unenforced policy and therefore render it useless in court. May be monitored gives you the option of choosing when to perform monitoring.

Results may be provided to appropriate officials

It is important to inform the user that any monitoring or recording that indicates abuse or criminal activity may be turned over to law enforcement or other appropriate officials.

Use implies consent

Finally, the banner should explicitly state that use of the system implies consent to all conditions laid out in the warning banner. This statement eliminates the possibility of someone claiming that they never agreed to the conditions of the banner and therefore weren't bound by them.

Without banners that display the previous information, you may cripple both your and law enforcement's ability to investigate any incidents. Additionally, if you do find the attacker, your evidence may not be admissible in court and may destroy your case. Also, many organizations like to put items in banners such as:

  • Router hardware and software types

  • Contact information

  • Location of the router

  • Name of the administrator

All of this information can be invaluable to attackers as they perform reconnaissance on your network. Anything more than the name of your organization should never be put into warning banners.

Finally, it is important to check your local legal requirements. For example, banners in Canada must include both English and French translations.

Example Banner

This example banner was provided by FBI agent Patrick Gray who works for the FBI's computer crimes division in Atlanta. It covers all of the issues mentioned earlier.

WARNING!!!
This system is solely for the use of authorized users for official purposes.
You have no expectation of privacy in its use and to ensure that the system
is functioning properly, individuals using this computer system are subject
to having all of their activities monitored and recorded by system
personnel.  Use of this system evidences an express consent to such
monitoring and agreement that if such monitoring reveals evidence of
possible abuse or criminal activity, system personnel may provide the
results of such monitoring to appropriate officials.

This is a good example of a generic banner that covers the basic needs of a banner. You may want to check with your state's attorney general to see if there are any more specifics to add that relate to your state's cybercrime laws.

Adding Login Banners

You can set four banners on Cisco routers. These banners include:

  • MOTD banner

  • Login banner

  • AAA authentication banner

  • EXEC banner

MOTD Banner

The MOTD banner sends users messages of the day and is set with the banner motd command. While it can be used to display the warning banner, it is generally used for more general announcements such as planned outages or system maintenance.

Login Banner

The login banner is presented each time a user attempts to log in. You definitely want to set this banner to the previous warning banner. This banner is set with the banner login command:


Router#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#banner login $
Enter TEXT message.  End with the character '$'.
WARNING!!!
This system is solely for the use of authorized users for official purposes
You have no expectation of privacy in its use and to ensure that the system
is functioning properly, individuals using this computer system are subject
to having all of their activities monitored and recorded by system
personnel.  Use of this system evidences an express consent to such
monitoring and agreement that if such monitoring reveals evidence of
possible abuse or criminal activity, system personnel may provide the
results of such monitoring to appropriate officials
$
Router(config)#^Z
Router#

Now when users attempt to log into the router, they see the following:


% telnet RouterOne
Trying RouterOne...
Connected to RouterOne.
Escape character is '^]'.
WARNING!!!
This system is solely for the use of authorized users for official purposes.
You have no expectation of privacy in its use and to ensure that the system
is functioning properly, individuals using this computer system are subject
to having all of their activities monitored and recorded by system
personnel.  Use of this system evidences an express consent to such
monitoring and agreement that if such monitoring reveals evidence of
possible abuse or criminal activity, system personnel may provide the
results of such monitoring to appropriate officials.
Username:

AAA Authentication Banner

If you are using AAA authentication, you can set the AAA authentication banner instead of the login banner. If both are set, both will be displayed. The AAA authentication banner is set with the aaa authentication banner command:


Router#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#aaa authentication banner $
Enter TEXT message.  End with the character '$'.
WARNING!!!
This system is solely for the use of authorized users for official purposes
You have no expectation of privacy in its use and to ensure that the system
is functioning properly, individuals using this computer system are subject
to having all of their activities monitored and recorded by system
personnel.  Use of this system evidences an express consent to such
monitoring and agreement that if such monitoring reveals evidence of
possible abuse or criminal activity, system personnel may provide the
results of such monitoring to appropriate officials
$
Router(config)#^Z
Router#

EXEC Banner

The EXEC banner is displayed after a user has successfully logged in and started an EXEC or shell prompt. It is a good place to provide additional notification to users and to make it even harder for them to claim that they didn't see the banner. You set the EXEC banner with the banner exec command:


Router#config terminal
Router(config)#banner exec $
Enter TEXT message.  End with the character '$'.
REMEMBER!!!
This system is solely for the use of authorized users for official purposes.
You have no expectation of privacy in its use and to ensure that the system
is functioning properly, individuals using this computer system are subject
to having all of their activities monitored and recorded by system
personnel.  Use of this system evidences an express consent to such
monitoring and agreement that if such monitoring reveals evidence of
possible abuse or criminal activity, system personnel may provide the
results of such monitoring to appropriate officials.
$
Router(config)#^Z
Router#

Now users see the banner before and after they log into the system:


% telnet RouterOne
Trying RouterOne...
Connected to RouterOne.
Escape character is '^]'.

WARNING!!!
This system is solely for the use of authorized users for official purposes.
You have no expectation of privacy in its use and to ensure that the system
is functioning properly, individuals using this computer system are subject
to having all of their activities monitored and recorded by system
personnel.  Use of this system evidences an express consent to such
monitoring and agreement that if such monitoring reveals evidence of
possible abuse or criminal activity, system personnel may provide the
results of such monitoring to appropriate officials.
Username: jdoe
Password: 

REMEMBER!!!
This system is solely for the use of authorized users for official purposes.
You have no expectation of privacy in its use and to ensure that the system
is functioning properly, individuals using this computer system are subject
to having all of their activities monitored and recorded by system
personnel.  Use of this system evidences an express consent to such
monitoring and agreement that if such monitoring reveals evidence of
possible abuse or criminal activity, system personnel may provide the
results of such monitoring to appropriate officials.

Router>

Warning Banner Checklist

This checklist summarizes the important security information:

  • Make sure every router has an appropriate warning banner that includes wording that states:

    • The router is for authorized personnel only.

    • The router is for official use only.

    • Users have no expectations of privacy.

    • All access and use may (not will) be monitored and/or recorded.

    • Monitoring and/or recording may be turned over to the appropriate authorities.

    • Use of the system implies consent to the previously mentioned conditions.

  • Make sure the banner does not say Welcome anywhere in it.

  • Make sure the banner does not include any identifying information relating to the router, the administrators, or the organization running the router.

  • Check local legal requirements to make sure the banner contains all necessary language and content.

  • Use the banner login command to display the banner every time a user attempts to log in.

  • Use the banner exec command to display the banner a second time every time a user starts an EXEC or shell prompt.

Neno

Is there any free router audit tool? Nipper from Nipper Studio is chargeable; in the demo version they have some saved reports but no way to generate a real report from auditing the configuration file saved on my PC. They charge $1000 for the licence.
