Overview

Banner messages are easy to configure, but the language of the message is important for legal protection.

Even after you tighten security in your network, an inadequate banner message can inhibit the investigation of an incident or the prosecution of a malicious actor.

This article explains the elements of a banner message that provide good legal protection. It also contains a sample banner and configuration examples.

Elements of a Good Banner Message

A good warning banner has four main goals:

  • Protect engineers / administrators from liability
  • Not give information that could be useful to an attacker
  • Notify users about the possible monitoring or recording of system use
  • Be legally sufficient to enable incidents to be investigated by law enforcement and to prosecute malicious actors

To accomplish the four main goals listed above, each banner should have language that addresses the following issues:

  • Authorized users only
  • Official work
  • No expectation of privacy
  • All access and use may be monitored and/or recorded
  • Use implies consent
  • Results may be provided to appropriate officials

Sample Banner

Below is language for a banner with explanations.

This example banner was provided by former FBI agent Patrick Gray, who worked for the FBI’s computer crimes division in Atlanta. After retiring from the FBI, he joined Cisco Systems, Inc. to serve as the Director of X-Force Operations.

WARNING!!!
This system is solely for the use of authorized users for official purposes. You have no expectation of privacy in its use and to ensure that the system is functioning properly, individuals using this computer system are subject to having all of their activities monitored and recorded by system personnel. Use of this system evidences an express consent to such monitoring and agreement that if such monitoring reveals evidence of possible abuse or criminal activity, system personnel may provide the results of such monitoring to appropriate officials.

Here is the above banner with explanations for the language:

WARNING!!!
This system is solely for the use of authorized users for official purposes.
– Authorized users only: Hackers can’t claim ignorance.
– Official work: Addresses an authorized user attempting unauthorized activities.

You have no expectation of privacy in its use and to ensure that the system
is functioning properly, individuals using this computer system are subject
to having all of their activities monitored and recorded by system
personnel.
– No expectation of privacy: This allows an administrator to do routine maintenance without violating the Electronic Communications Privacy Act.
– All access and use may be monitored and/or recorded: Using the word “will” instead of “may” can cause legal problems.

Elements to Exclude

It’s also important that the banner message not give an attacker who reads it valuable information about the company or the device.

The following should be excluded from Banner messages:

  • Any information about the organization (e.g. company name)
  • Contact information for the administrator or other personnel
  • Router hardware and software information
  • Any kind of language like “Welcome” – Legally this could be seen as an invitation.

Local Regulations

Different legal jurisdictions may have different laws. Some locations, for example, may require that the banner be in more than one language.

Banner Configuration

Cisco routers have four banner types:

  • MOTD
  • Login
  • AAA Authentication
  • EXEC

It’s a good idea to use, at a minimum, the login banner and the exec banner with legal language. This weakens a malicious actor’s claim that they didn’t see the legal message.

MOTD Banner

The Message of the Day (MOTD) banner is displayed after a device boots and after remotely connecting to a device, but before login.

It can be used for temporary messages (e.g. notice of a maintenance window) and it’s also a good place to have legal language. Before a user even tries to log in, they’ve been warned.

The “$” denotes where the banner message starts and ends. Other characters can be used, but avoid characters that are already reserved by the device’s operating system.

R-1(config)#banner motd $ 
Enter TEXT message.  End with the character '$'. 
Enter banner language here   
$

Login Banner

The Login Banner is displayed before the login authentication prompt.

R-1(config)#banner login $
Enter TEXT message.  End with the character '$'.
Enter Login Banner language here.
$

AAA Authentication Banner

The AAA authentication banner is displayed after AAA authentication.

The AAA authentication banner can be used instead of the login banner.

If both are set, both will be displayed.

R-1(config)#aaa authentication banner $ 
Enter TEXT message.  End with the character '$'. 
Enter aaa authentication banner language here. 
$

EXEC Banner

The Exec Banner is displayed immediately after login.

R-1(config)#banner exec $ 
Enter TEXT message.  End with the character '$'. 
Enter Exec Banner language here. 
$
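
The following is an added example, not part of the original article and not Cisco code: a small Python audit that applies the article's two checklists (elements to include, elements to exclude) and its recommendation to set at least the login and exec banners to IOS configuration text. The regular expressions, the function names and the sample configuration are assumptions made for illustration.

```python
import re

# The article's two checklists; every regex here is an assumption of this example.
REQUIRED = {
    "authorized users only": r"authorized users",
    "official work": r"official (purposes|use|work|business)",
    "no expectation of privacy": r"no expectation of privacy",
    "monitoring notice": r"monitor", "use implies consent": r"consent",
    "results may go to officials": r"officials",
}
EXCLUDED = {
    "invitation wording": r"\bwelcome\b",
    "contact information": r"[\w.+-]+@[\w-]+\.\w+|\b\d{3}[-. ]\d{3}[-. ]\d{4}\b",
    "hardware/software details": r"\b(cisco|ios|version)\b",
    "'will be monitored' wording": r"\bwill be (monitored|recorded)",
}
# A banner runs from its delimiter ("$" on the page, "^C" in saved configs) to the next one.
BANNER_RE = re.compile(r"^(aaa authentication banner|banner (?:motd|login|exec))[ \t]+"
                       r"(\^C|\S)(.*?)\2", re.M | re.S)

def parse_banners(config):
    """Return {kind: text} for each banner block in IOS configuration text."""
    return {("aaa" if m[1].startswith("aaa") else m[1].split()[-1]): m[3].strip()
            for m in BANNER_RE.finditer(config)}

def audit(config, must_have=("login", "exec")):
    """Return a list of findings; an empty list means every check passed."""
    banners = parse_banners(config)
    findings = [f"{k}: banner not configured" for k in must_have if k not in banners]
    for kind, text in banners.items():
        flat = " ".join(text.lower().split())
        if kind in must_have:  # legal wording is expected on these banners
            findings += [f"{kind}: missing '{n}'" for n, p in REQUIRED.items() if not re.search(p, flat)]
        findings += [f"{kind}: contains {n}" for n, p in EXCLUDED.items() if re.search(p, flat)]
    return findings

# Constructed sample: careless MOTD, the article's sample text as login banner, no exec banner.
SAMPLE_CONFIG = """\
banner motd $
Welcome to R-1. Problems? Call 555-010-0199.
$
banner login $
WARNING!!!
This system is solely for the use of authorized users for official purposes. You have no expectation of privacy in its use and to ensure that the system is functioning properly, individuals using this computer system are subject to having all of their activities monitored and recorded by system personnel. Use of this system evidences an express consent to such monitoring and agreement that if such monitoring reveals evidence of possible abuse or criminal activity, system personnel may provide the results of such monitoring to appropriate officials.
$
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

A keyword match only shows that the expected wording is present or absent; it cannot detect a company name it has not been told about, and it does not replace legal review of the text.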

Resources

Hardening Cisco Routers by Thomas Akin
Spoke.com – Patrick Gray’s career information.

This article is for educational purposes and is not a substitute for professional legal advice.
