Implementing Banners
Problem
You want to implement a banner message to display a security warning.
Solution
The following commands configure various types of banners on a router:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#banner exec # This is an exec banner #
Router1(config)#banner login # This is a login banner #
Router1(config)#banner motd $ This is a motd banner $
Router1(config)#end
Router1#
Notice that the router accept almost any delimiter character, as long as the start and end delimiter is identical. These delimiters allow you to make your banner message several lines long. Our first two examples use the pound symbol, #, while the last example uses the dollar sign, $, as a delimiter. You have to be slightly careful that you don't use the delimiter character within the banner message itself or the router will accept only part of the message.
Discussion
Cisco routers support three main types of banners and display them in strict order. First the Message of the Day (motd) and then the login banner appear before the login prompt, and the router prints the exec banner after successful authentication:
Freebsd% telnet Router1
Trying 172.22.1.4...
Connected to Router1.
Escape character is '^]'.
This is a motd banner
This is a login banner
User Access Verification
Username: ijbrown
Password:
This is an exec banner
Router1>
Login banners are mainly used to display a warning message for security purposes, which we will discuss in a moment. The motd banner derives from the Unix banner bearing the same name. The Cisco motd banner is of little use in production environments and is rarely used. The EXEC banner, on the other hand, is useful for displaying administrator messages, much like the Unix motd banner, since it is presented only to authenticated users.
Banners are an important and often overlooked part of a good security policy. Although a banner alone will not repel the crafty hacker, it will provide a certain level of legal protection. In fact, a well designed warning message may indeed repel a would-be hacker, since the mere threat of legal action can be a wonderful deterrent. If unauthorized users suspect that your organization is serious about legal action, then they are less likely to target your devices. So we highly recommend implementing login banners on all production routers.
A good login banner should meet the following objectives:
-
It should notify people who attempt to access the router that unauthorized use is prohibited and only authorized users with official business are permitted.
-
It should mention that users should have no expectation of privacy since all activities may be monitored and/or recorded without further notification.
-
The banner should remind users that unauthorized access is unlawful and that recorded logs may be used in legal action.
-
Most importantly, the banner shouldn't surrender sensitive information about the router, your organization, or any other piece of information that can aid a hacker.
Laws governing legal notification vary significantly between jurisdictions and situational purposes. We recommend that you clear all proposed banners with your legal department before implementation. In addition, we strongly suggest that you include a proper legal notification, in the form of a login banner, on all of the routers that you manage. Doing so can simplify the prosecution of hackers that unlawfully access your systems by explicitly notifying unauthorized users that their actions are indeed unauthorized. Think of the banner as the electronic equivalent of a sign saying, "trespassers will be prosecuted." Without this sign, somebody could theoretically claim that they didn't know it was a private system. It may not hold up in court, but why take the risk?
The following banner message shows a particularly well-written legal notice that meets all of requirements mentioned earlier. The FBI's Atlanta computer crime squad provided this sample banner. Again, please check with your local authorities before creating a warning banner to ensure that it meets you local legal requirements:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#banner login #
Enter TEXT message. End with the character '#'.
+--------------------------------------------------------------------+
| WARNING |
| ------- |
| This system is solely for the use of authorized users for official |
| purposes. You have no expectation of privacy in its use and to |
| ensure that the system is functioning properly, individuals using |
| this computer system are subject to having all of their activities |
| monitored and recorded by system personnel. Use of this system |
| evidences an express consent to such monitoring and agreement that |
| if such monitoring reveals evidence of possible abuse or criminal |
| activity, system personnel may provide the results of such |
| monitoring to appropriate officials. |
+--------------------------------------------------------------------+
#
Router1(config)#end
Router1#
Starting with Version 12.0(3)T of IOS, Cisco routers began to support banner token functionality. Tokens are variables embedded within a banner message that substitute such things as hostname and domain name. You can find a complete list of tokens in Table 3-2.
Token name | Substituted information |
---|---|
$(hostname) | Displays the router's hostname |
$(domain) | Displays the configured domain name |
$(line) | Displays the active line number |
$(line-desc) | Displays a description of the active line |
Tokens allow you to distribute a single banner message throughout your network using variable substitution to make it look slightly different on each device. This ensures that any local differences in the information are always accurate. The banner message can dynamically adapt to changes in hostname or line number, for instance.
Although all banner types support tokens, we recommend only using them in EXEC banners. Since tokens surrender information about the router, it is inappropriate to use them within login or motd banners, which are visible before the user supplies a valid username or password. EXEC banners, on the other hand, are only visible to authenticated users. The following example shows how to configure an EXEC banner with tokens:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#banner exec #
Enter TEXT message. End with the character '#'.
Welcome, you have connected to router $(hostname).$(domain):
on line $(line) ($(line-desc)).
#
Router1(config)#line vty 0 4
Router1(config-line)#location 999 Queen Street West
Router1(config)#end
Router1#exit
Connection closed by foreign host.
Freebsd% telnet Router1
Trying 172.25.1.7...
Connected to Router1.
Escape character is '^]'.
User Access Verification
Password:
Welcome, you have connected to router Router1.oreilly.com:
on line 5 (999 Queen Street West).
Router1>
Notice that the router substitutes the appropriate router information where the tokens were. For example, it replaces the hostname token, $(hostname), with the hostname, Router1. The domain token, $(domain), is derived from the ip domain-name command. The line token, $(line), is replaced with the active line number. Finally, the line description token, $(line-desc), is derived from the line's configured location using the location command.