This is the Title of the Book, eMatter Edition Copyright © 2002 O’Reilly & Associates, Inc. All rights reserved.

CHAPTER 6
Warning Banners

This chapter is short, but very important. Every router should have an appropriate warning banner for all login access. These banners, however, are often thought of as pure fluff by those technically inclined. How could a warning banner serve as any protection against a hacker? What hacker is going to go away because a warning banner tells him to? It is important to remember that warning banners are not implemented to provide technical protection. They provide legal protection.

Legal Issues

Because many technicians see warning banners as worthless in the prevention of hack attacks, most systems have no banners. Even if management requires that banners be put in place, most administrators don’t understand what a banner should say to provide legal protection, so even systems that have banners often include ineffectual ones.

A good warning banner has four main goals. It needs to:

• Be legally sufficient for prosecution of intruders
• Shield administrators from liability
• Warn users about monitoring or recording of system use
• Not leak information that could be useful to an attacker

Each banner should address the following issues:

Authorized users only
    The banner should specify that this system is for authorized users only. This specification keeps a hacker from claiming ignorance. While not the most effective legal strategy, with the novelty of computers and lack of case law, prosecutors are concerned enough about it that it should be included in every banner.

Official work
    In addition to restricting the system to authorized users, the banner should state that the system is to be used for official work only. This statement closes the loophole of an authorized user attempting unauthorized activities.

No expectation of privacy
    Every banner should explicitly state that there is no expectation of privacy when using the system. This statement is extremely important. The Electronic Communications Privacy Act makes it illegal to intercept or disclose the contents of electronic communications unless there is explicit notice that users have no expectation of privacy (or the courts grant a wiretap). Without such a warning, an administrator performing routine maintenance might be performing an illegal wiretap and violating the law.

All access and use may be monitored and/or recorded
    Elaborating on the previous statement, this explicitly states that all access and use may be monitored and/or recorded. It is important to say may be monitored rather than will be monitored. Computer logs can sometimes be considered hearsay and rendered inadmissible in a court of law. If your banner says that all access will be monitored and you don’t monitor all access, a defending attorney might be able to relegate your entire warning banner to the state of an unenforced policy and therefore render it useless in court. May be monitored gives you the option of choosing when to perform monitoring.

Results may be provided to appropriate officials
    It is important to inform the user that any monitoring or recording that indicates abuse or criminal activity may be turned over to law enforcement or other appropriate officials.

Use implies consent
    Finally, the banner should explicitly state that use of the system implies consent to all conditions laid out in the warning banner. This statement eliminates the possibility of someone claiming that they never agreed to the conditions of the banner and therefore weren’t bound by them.

Without banners that display the previous information, you may cripple both your and law enforcement’s ability to investigate any incidents. Additionally, if you do find the attacker, your evidence may not be admissible in court and may destroy your case.

Also, many organizations like to put items in banners such as:

• Router hardware and software types
• Contact information
• Location of the router
• Name of the administrator

All of this information can be invaluable to attackers as they perform reconnaissance on your network. Anything more than the name of your organization should never be put into warning banners.

Finally, it is important to check your local legal requirements. For example, banners in Canada must include both English and French translations.

Example Banner

This example banner was provided by FBI agent Patrick Gray, who works for the FBI’s computer crimes division in Atlanta. It covers all of the issues mentioned earlier.

    WARNING!!! This system is solely for the use of authorized users for
    official purposes. You have no expectation of privacy in its use and to
    ensure that the system is functioning properly, individuals using this
    computer system are subject to having all of their activities monitored
    and recorded by system personnel. Use of this system evidences an express
    consent to such monitoring and agreement that if such monitoring reveals
    evidence of possible abuse or criminal activity, system personnel may
    provide the results of such monitoring to appropriate officials.

This is a good example of a generic banner that covers the basic needs of a banner. You may want to check with your state’s attorney general to see if there are any more specifics to add that relate to your state’s cybercrime laws.

There is a cyberlegend about a case that was dismissed and a hacker let go because the system banner said Welcome to system XYZ…. The story says that the defending attorney argued that because the system banner said Welcome, the hacker had been invited into the system and there was no unauthorized access. The story is fictitious, but because of the lack of cybercrime case law, it’s not good to tempt fate. No matter how nice you are, don’t let your system banners say Welcome.

Adding Login Banners

You can set four banners on Cisco routers. These banners include:

• MOTD banner
• Login banner
• AAA authentication banner
• EXEC banner

MOTD Banner

The MOTD banner sends users messages of the day and is set with the banner motd command. While it can be used to display the warning banner, it is generally used for more general announcements such as planned outages or system maintenance.

Login Banner

The login banner is presented each time a user attempts to log in. You definitely want to set this banner to the previous warning banner. This banner is set with the banner login command (the character given after the command, here $, is the delimiter that ends the banner text):

    Router#config terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#banner login $
    Enter TEXT message.  End with the character '$'.
    WARNING!!! This system is solely for the use of authorized users for
    official purposes. You have no expectation of privacy in its use and to
    ensure that the system is functioning properly, individuals using this
    computer system are subject to having all of their activities monitored
    and recorded by system personnel. Use of this system evidences an express
    consent to such monitoring and agreement that if such monitoring reveals
    evidence of possible abuse or criminal activity, system personnel may
    provide the results of such monitoring to appropriate officials.
    $
    Router(config)#^Z
    Router#

Now when users attempt to log into the router, they see the following:

    % telnet RouterOne
    Trying RouterOne .
    Connected to RouterOne.
    Escape character is '^]'.
    WARNING!!! This system is solely for the use of authorized users for
    official purposes. You have no expectation of privacy in its use and to
    ensure that the system is functioning properly, individuals using this
    computer system are subject to having all of their activities monitored
    and recorded by system personnel. Use of this system evidences an express
    consent to such monitoring and agreement that if such monitoring reveals
    evidence of possible abuse or criminal activity, system personnel may
    provide the results of such monitoring to appropriate officials.
    Username:

AAA Authentication Banner

If you are using AAA authentication, you can set the AAA authentication banner instead of the login banner. If both are set, both will be displayed. The AAA authentication banner is set with the aaa authentication banner command:

    Router#config terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#aaa authentication banner $
    Enter TEXT message.  End with the character '$'.
    WARNING!!! This system is solely for the use of authorized users for
    official purposes. You have no expectation of privacy in its use and to
    ensure that the system is functioning properly, individuals using this
    computer system are subject to having all of their activities monitored
    and recorded by system personnel. Use of this system evidences an express
    consent to such monitoring and agreement that if such monitoring reveals
    evidence of possible abuse or criminal activity, system personnel may
    provide the results of such monitoring to appropriate officials.
    $
    Router(config)#^Z
    Router#

EXEC Banner

The EXEC banner is displayed after a user has successfully logged in and started an EXEC or shell prompt. It is a good place to provide additional notification to users and to make it even harder for them to claim that they didn’t see the banner. You set the EXEC banner with the banner exec command:

    Router#config terminal
    Router(config)#banner exec $
    Enter TEXT message.  End with the character '$'.
    REMEMBER!!! This system is solely for the use of authorized users for
    official purposes. You have no expectation of privacy in its use and to
    ensure that the system is functioning properly, individuals using this
    computer system are subject to having all of their activities monitored
    and recorded by system personnel. Use of this system evidences an express
    consent to such monitoring and agreement that if such monitoring reveals
    evidence of possible abuse or criminal activity, system personnel may
    provide the results of such monitoring to appropriate officials.
    $
    Router(config)#^Z
    Router#

Now users see the banner before and after they log into the system:

    % telnet RouterOne
    Trying RouterOne .
    Connected to RouterOne.
    Escape character is '^]'.
    WARNING!!! This system is solely for the use of authorized users for
    official purposes. You have no expectation of privacy in its use and to
    ensure that the system is functioning properly, individuals using this
    computer system are subject to having all of their activities monitored
    and recorded by system personnel. Use of this system evidences an express
    consent to such monitoring and agreement that if such monitoring reveals
    evidence of possible abuse or criminal activity, system personnel may
    provide the results of such monitoring to appropriate officials.
    Username: jdoe
    Password:
    REMEMBER!!! This system is solely for the use of authorized users for
    official purposes. You have no expectation of privacy in its use and to
    ensure that the system is functioning properly, individuals using this
    computer system are subject to having all of their activities monitored
    and recorded by system personnel. Use of this system evidences an express
    consent to such monitoring and agreement that if such monitoring reveals
    evidence of possible abuse or criminal activity, system personnel may
    provide the results of such monitoring to appropriate officials.
    Router>

Warning Banner Checklist

This checklist summarizes the important security information presented in this chapter. A complete security checklist is provided in Appendix A.

• Make sure every router has an appropriate warning banner that includes wording that states:
  — The router is for authorized personnel only.
  — The router is for official use only.
  — Users have no expectations of privacy.
  — All access and use may (not will) be monitored and/or recorded.
  — Monitoring and/or recording may be turned over to the appropriate authorities.
  — Use of the system implies consent to the previously mentioned conditions.
• Make sure the banner does not say Welcome anywhere in it.
• Make sure the banner does not include any identifying information relating to the router, the administrators, or the organization running the router.
• Check local legal requirements to make sure the banner contains all necessary language and content.
• Use the banner login command to display the banner every time a user attempts to log in.
• Use the banner exec command to display the banner a second time every time a user starts an EXEC or shell prompt.
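As an added example (not from the book or from Cisco), the following Python script applies this checklist to a saved running-config: it pulls out each banner motd/login/exec block between its delimiters, checks for the six required statements, and flags "will be monitored", "Welcome", and identifying details such as the router's own hostname. The REQUIRED and FORBIDDEN patterns are assumed heuristics, and the two sample configs are constructed, not captured from a real device.

```python
import re

# Phrases the chapter requires in every banner (matched case-insensitively); assumed patterns.
REQUIRED = {
    "authorized users only": r"authorized users",
    "official use only": r"official (purposes|use)",
    "no expectation of privacy": r"no expectation of privacy",
    "monitoring/recording notice": r"monitor",
    "results may go to officials": r"appropriate officials|law enforcement",
    "use implies consent": r"consent",
}
# Heuristic patterns for text the chapter says must never appear (assumed list).
FORBIDDEN = [r"\bwelcome\b", r"\bcisco\b", r"\bios\b", r"@", r"\bcontact\b", r"\blocated\b"]
# Matches 'banner <type> <delim>' followed by the text and the closing delimiter on its own line.
BANNER_RE = re.compile(r"^banner (motd|login|exec) (\S+)\n(.*?)\n\2[ \t]*$", re.M | re.S)

def audit_banners(config: str) -> dict:
    """Map each configured banner type to a list of findings ([] means it passes the checklist)."""
    m = re.search(r"^hostname (\S+)", config, re.M)
    hostname = m.group(1).lower() if m else None
    results = {}
    for kind, _delim, text in BANNER_RE.findall(config):
        low, findings = text.lower(), []
        findings += [f"missing: {label}" for label, pat in REQUIRED.items() if not re.search(pat, low)]
        if re.search(r"\bwill be monitored", low):
            findings.append("says 'will be monitored'; use 'may be monitored'")
        findings += [f"forbidden text matches {pat!r}" for pat in FORBIDDEN if re.search(pat, low)]
        if hostname and hostname in low:
            findings.append(f"leaks hostname {hostname}")  # router identity belongs nowhere in a banner
        results[kind] = findings
    results.setdefault("login", ["no 'banner login' configured"])  # login banner is mandatory
    return results

# Constructed sample configs (not captured from any real device).
GOOD = """hostname RouterOne
banner login ^C
WARNING!!! This system is solely for the use of authorized users for official purposes. You have
no expectation of privacy in its use and to ensure that the system is functioning properly,
individuals using this computer system are subject to having all of their activities monitored
and recorded by system personnel. Use of this system evidences an express consent to such
monitoring and agreement that if such monitoring reveals evidence of possible abuse or criminal
activity, system personnel may provide the results of such monitoring to appropriate officials.
^C
"""
BAD = """hostname RouterOne
banner motd $
Welcome to RouterOne (Cisco 2600). All access will be monitored. Contact netadmin@example.com
$
"""
```

Run audit_banners on the output of show running-config; an empty list for "login" and "exec" means the banners match the checklist, and each string in a non-empty list names one item to correct.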