Why is it important to configure a banner message on a device?

Have you ever used Telnet or SSH to access a Cisco device’s CLI and noticed that, when logging in, you are presented with a banner carrying a scary-looking disclaimer, as follows:


This may look like an idle threat meant to scare off anyone who would try to access the device for malicious purposes, but it actually constitutes a legal contract: anyone who attempts to gain access when they are not meant to has been shown your written policy and is knowingly defying it. If you manage to catch that person, you are in a position to take legal action against them.

This banner covers more than unauthorised access: it also means that an authorised but disgruntled employee can’t perform unofficial (malicious) work on the device without being subject to legal action if they do.

Below is a list of conditions that you want to cover when creating your banner:

  • The router is only for those who are authorised – This stops crooks from claiming ignorance.
  • Those who are authorised may only do official work on it – This prevents authorised users from doing anything malicious and closes the loophole left by the previous point.
  • All login attempts and usage of the device may (NOT WILL!) be monitored/recorded – It is very important not to say “will”: logs are not fully trusted and can be deemed hearsay, and you cannot guarantee that your system never misses a log entry. If you claim that everything is logged, a defendant can argue or prove that some entries were missed, which renders the whole banner useless.
  • Should actions be deemed abusive or illegal, the monitored/recorded logs may be turned over to law enforcement – This acts as a deterrent, and if you do hand their information over you are not breaching their privacy, which brings us to the next point.
  • There should be no expectation of privacy – I can’t stress enough how important this is. The Electronic Communications Privacy Act makes it illegal to intercept or disclose the contents of electronic communications unless we explicitly state that there is no expectation of privacy; stating it allows us to produce the logs in court.
  • Use of the system implies acceptance of all the conditions you specify – Otherwise, even with all the above conditions in place, a person can plead ignorance because they never accepted any of them.

Most of the above applies to US law, but it also works well under EU/UK law, GDPR in particular, as it covers a lot of ground and gives you a better chance of winning a case against any malicious perpetrators you manage to track down.
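The six conditions above can be checked mechanically before a draft banner reaches legal review. The following linter is an added example, not part of the original article: the clause patterns, the list of wording to avoid (a "welcome", an absolute "will be monitored" claim, contact details) and the two draft banners are my own constructions, and passing it does not replace the counsel review the page recommends.

```python
import re

# Clauses the banner should carry, one per bullet in the list above.
# Each entry is (code, regex); the regex must match somewhere in the text.
REQUIRED_CLAUSES = [
    ("authorized-only", r"\bauthori[sz]ed\b.*\bonly\b|\bonly\b.*\bauthori[sz]ed\b"),
    ("official-use", r"\bofficial\b"),
    ("may-be-monitored", r"\bmay be\b.*\b(monitored|recorded)\b"),
    ("law-enforcement", r"\blaw enforcement\b"),
    ("no-privacy", r"\bno expectation of privacy\b"),
    ("implied-consent", r"\b(constitutes|implies)\b.*\b(consent|acceptance)\b"),
]

# Wording that undermines the notice: an invitation, a promise that every
# action IS logged (the "will" the text warns against), or contact details.
FORBIDDEN_PATTERNS = [
    ("welcome-wording", r"\bwelcome\b"),
    ("absolute-logging-claim", r"\b(will|is|are)\s+(be\s+)?(monitored|recorded|logged)\b"),
    ("contact-info", r"[\w.+-]+@[\w-]+\.[\w.]+|\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
]


def lint_banner(text: str) -> list:
    """Return (code, explanation) findings; an empty list means the draft passes."""
    findings = []
    flags = re.IGNORECASE | re.DOTALL
    for code, pattern in REQUIRED_CLAUSES:
        if not re.search(pattern, text, flags):
            findings.append((code, f"missing clause: {code}"))
    for code, pattern in FORBIDDEN_PATTERNS:
        hit = re.search(pattern, text, flags)
        if hit:
            findings.append((code, f"remove wording: {hit.group(0)!r}"))
    return findings


# Constructed draft that follows the list above (placeholder, not reviewed legal text).
GOOD_DRAFT = """\
This device is for authorized users only.
Authorized users may use it for official work only.
All login attempts and usage may be monitored and recorded.
Abusive or illegal activity may be turned over to law enforcement.
There is no expectation of privacy on this system.
Use of this system constitutes acceptance of these conditions.
"""

# Constructed draft that breaks most of the rules: an invitation, an absolute
# logging claim, a contact address, and none of the required clauses.
BAD_DRAFT = """\
Welcome to CORE-RTR-01, the main router for Example Corp.
All activity will be monitored. Contact netops@example.com with issues.
"""

if __name__ == "__main__":
    for name, draft in (("good", GOOD_DRAFT), ("bad", BAD_DRAFT)):
        print(name, lint_banner(draft) or "OK")
```

Running the script reports the good draft as clean and lists nine findings for the bad one: the six missing clauses plus the welcome wording, the "will be monitored" claim and the e-mail address.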

Configuration

There are three main banners you really need to know about: exec, login and motd.

Login

This banner is displayed before you log into the device, and it should be the one carrying the legal notice described above. The command for this is banner login <break character>:

banner login #
===============================================
|                    BANNER                   |
===============================================
#

The above shows the easiest way to create a banner. We first type banner login to begin, then a ‘#’ to mark the break character: the contents of the banner are everything between that break character and the next one. As you can see above there are two ‘#’s, and all that lies between them becomes the banner. As soon as I type the final break character (‘#’) and press Enter, I return to configuration mode and the banner is applied.

Motd (Message of the day)

This banner shows after a user has logged into the router with valid credentials. It should typically be a maintenance message telling authorised users about any planned works, or reminding them that the device is for official work only.

This can be configured with banner motd <break character>, in the same way as the previous entry.

Exec

The exec banner appears when a user enters privileged EXEC mode from user mode or, put simply, types the enable command followed by the correct password. This banner should remind users that they are in privileged EXEC mode, where they are able to make changes to the configuration.

This can be configured with banner exec <break character>.
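The three commands above can be produced and previewed from a script, which is handy when the same notice has to be pushed to many devices. This is an added example and not code from the original article: the sample messages are constructed placeholders, and the session preview reflects the order the page's own telnet session shows later (MOTD, then login, then the exec banner once the EXEC session starts). The $(hostname) and $(line) tokens are the ones the page mentions for the exec banner; the line number "2" used for $(line) is an assumed sample value.

```python
BANNER_TYPES = ("motd", "login", "exec")

# Constructed sample messages (placeholders, not reviewed legal wording).
SAMPLE_BANNERS = {
    "motd": "Maintenance window: Saturday 02:00-04:00 UTC. Expect brief outages.",
    "login": ("This device is for authorized users and official work only.\n"
              "Use may be monitored and recorded; there is no expectation of privacy."),
    "exec": "Privileged access on $(hostname), line $(line). Changes here alter the running config.",
}


def banner_command(kind: str, text: str, delimiter: str = "#") -> str:
    """Return one `banner <kind> <d> ... <d>` block, multi-line text included.

    The delimiter is a single character that must not occur in the text,
    because the banner ends at its first occurrence.
    """
    if kind not in BANNER_TYPES:
        raise ValueError(f"unknown banner type {kind!r}")
    if len(delimiter) != 1:
        raise ValueError("delimiter must be exactly one character")
    if delimiter in text:
        raise ValueError(f"delimiter {delimiter!r} occurs inside the message")
    return f"banner {kind} {delimiter}\n{text}\n{delimiter}"


def render_config(banners: dict, delimiter: str = "#") -> str:
    """Concatenate the configured banners in a fixed order, ready to paste into config mode."""
    return "\n".join(
        banner_command(kind, banners[kind], delimiter)
        for kind in BANNER_TYPES if kind in banners
    )


def expand_tokens(text: str, hostname: str, line: str) -> str:
    """Substitute the two banner tokens used on this page, as the device does on display."""
    return text.replace("$(hostname)", hostname).replace("$(line)", line)


def session_preview(banners: dict, hostname: str = "R1", line: str = "2") -> list:
    """Banners in the order a telnet/SSH user meets them: MOTD, then login
    (both before authentication), then exec once the EXEC session starts."""
    seen = []
    for kind in ("motd", "login"):
        if kind in banners:
            seen.append((kind, expand_tokens(banners[kind], hostname, line)))
    seen.append(("auth", "Username/Password prompt"))
    if "exec" in banners:
        seen.append(("exec", expand_tokens(banners["exec"], hostname, line)))
    return seen


if __name__ == "__main__":
    print(render_config(SAMPLE_BANNERS))
    print("--- what a remote user sees ---")
    for stage, text in session_preview(SAMPLE_BANNERS):
        print(f"[{stage}] {text}")
```

The generated text is plain configuration-mode input, so it can be pasted into a console session or fed to whatever configuration-push tooling is already in use; the ValueError on a clashing delimiter is there to stop a silently truncated banner from reaching a device.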

Cisco IOS devices support a number of banners that are presented to users when they use the console line or connect remotely using telnet or SSH. They are often used to inform users of their legal rights. It is a good idea to present a banner to anyone trying to connect to your device; here are some items to think about:

  • To show that only authorized users are allowed to connect.
  • That all traffic will be monitored.
  • That there is no expectation of privacy.
  • Don’t use anything that says “welcome”.
  • Don’t add any contact information or information about the router in the banner.

There’s a good example on the website of the California Technology Agency with more information about what a good banner should contain and some sample texts. Before you implement any banners, check with your legal counsel first. Having said that, let’s look at the different banners…

Cisco IOS routers support the following banners:

  • MOTD banner: the “message of the day” banner is presented to everyone that connects to the router.
  • Login banner: this one is displayed just before the authentication prompt.
  • Exec banner: displayed before the user sees the exec prompt.
  • Incoming banner: used for users that connect through reverse telnet.

We’ll take a look at how to configure these different banners now.

MOTD Banner

We’ll start with the message of the day banner that will be presented to anyone accessing the router:

R1(config)#banner motd #
Enter TEXT message.  End with the character '#'.
Authorized users only, violaters will be shot on sight!
#

The # symbol is the start and stop character; you can use any other character if you want. This is what the MOTD banner looks like:

R1#exit

R1 con0 is now available

Press RETURN to get started.

Authorized users only, violaters will be shot on sight!

A nice and welcoming banner that everyone will see… let’s move on to the login banner now.

Login banner

The login banner is presented to users that access the router remotely using telnet or SSH:

R1(config)#banner login $ Authenticate yourself! $

Let’s try it out:

R1#telnet 1.1.1.1
Trying 1.1.1.1 ... Open

Authorized users only, violaters will be shot on sight!
Authenticate yourself!

Above you can see that the login banner is displayed after the MOTD banner. It would have been better to add some empty lines so that the login banner shows up below the MOTD banner.

Exec banner

The exec banner is shown just before the exec prompt:

R1(config)#banner exec #
Enter TEXT message.  End with the character '#'.

You are connected to line $(line) at router $(hostname)
#

This time I added an extra line to the banner and also used some tokens such as $(line) and $(hostname). Let’s see what that looks like:

Although requiring passwords is one way to keep unauthorized personnel out of a network, it is vital to provide a method for declaring that only authorized personnel should attempt to gain entry into the device. To do this, add a banner to the device output.

Banners can be an important part of the legal process in the event that someone is prosecuted for breaking into a device. Some legal systems do not allow prosecution, or even the monitoring of users, unless a notification is visible.

The exact content or wording of a banner depends on the local laws and corporate policies. Here are some examples of information to include in a banner:

  • "Use of the device is specifically for authorized personnel."

  • "Activity may be monitored."

  • "Legal action will be pursued for any unauthorized use."

Because banners can be seen by anyone who attempts to log in, the message must be worded very carefully. Any wording that implies that a login is "welcome" or "invited" is not appropriate. If a person disrupts the network after gaining unauthorized entry, proving liability will be difficult if there is the appearance of an invitation.

The creation of banners is a simple process; however, banners should be used appropriately. When a banner is utilized it should never welcome someone to the device. It should detail that only authorized personnel are allowed to access the device. Further, the banner can include scheduled system shutdowns and other information that affects all network users.

The IOS provides multiple types of banners. One common banner is the message of the day (MOTD). It is often used for legal notification because it is displayed to all connected terminals.

Configure the MOTD using the banner motd command from global configuration mode.

The banner motd command requires the use of delimiters to identify the content of the banner message. The banner motd command is followed by a space and a delimiting character. Then, one or more lines of text are entered to represent the banner message. A second occurrence of the delimiting character denotes the end of the message. The delimiting character can be any character as long as it does not occur in the message. For this reason, symbols such as the "#" are often used.

The syntax to configure a MOTD from global configuration mode is:

Switch(config)# banner motd # message #

Once the command is executed, the banner will be displayed on all subsequent attempts to access the device until the banner is removed.
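The delimiter rule stated above (and the break-character description in the first part of this page) has a concrete failure mode: if the delimiting character appears inside the message, the device treats that occurrence as the end of the banner and the remainder as further CLI input. The following added example, which is not device code from the page, models that behaviour and picks a safe delimiter automatically. The candidate delimiter list is my own choice; "no banner motd" is the command that removes the banner.

```python
# Tried in order; the first character absent from the message is used.
CANDIDATE_DELIMITERS = "#$^~%"


def choose_delimiter(message: str) -> str:
    """Pick a single-character delimiter that does not occur in the message."""
    for candidate in CANDIDATE_DELIMITERS:
        if candidate not in message:
            return candidate
    raise ValueError("message contains every candidate delimiter; edit the text")


def parse_banner_input(raw: str, delimiter: str) -> tuple:
    """Model the CLI reading text after `banner motd <delimiter>`.

    Returns (text, leftover, complete). The message ends at the first
    delimiter; anything after it is handed back to the CLI as further input.
    If no delimiter is found the banner is still open and the CLI keeps
    reading more lines.
    """
    end = raw.find(delimiter)
    if end == -1:
        return raw, "", False
    return raw[:end], raw[end + 1:], True


def banner_motd(message: str) -> str:
    """Emit a `banner motd` command block with a delimiter that cannot truncate it."""
    delimiter = choose_delimiter(message)
    return f"banner motd {delimiter}\n{message}\n{delimiter}"


def remove_banner(kind: str = "motd") -> str:
    """Configuration command that removes a banner (the `no` form)."""
    return f"no banner {kind}"


if __name__ == "__main__":
    # Constructed message that contains the usual '#' delimiter.
    msg = "Change ticket #4711: maintenance 02:00-04:00 UTC"
    # Typing it with '#' as the delimiter cuts the banner short at "ticket ".
    print(parse_banner_input(msg + " #", "#"))
    # Choosing the delimiter automatically avoids the clash.
    print(banner_motd(msg))
    print(remove_banner())
```

The truncation case is worth checking in automation: a banner generator that always hard-codes "#" will silently produce a shortened notice the moment someone puts a ticket number or similar into the text.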

The example in the figure illustrates a banner configured with the delimiting "#" symbol. Notice how the banner is now displayed when accessing the switch.