Recipe 3.12 Implementing Banners

3.12.1 Problem

You want to implement a banner message to display a security warning.

3.12.2 Solution

The following commands configure various types of banners on a router:

Router1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#banner exec  # This is an exec banner #
Router1(config)#banner login # This is a login banner #
Router1(config)#banner motd  $ This is a motd banner  $
Router1(config)#end
Router1#

Note that the router will accept almost any delimiter character as long as the start and end delimiters are identical. These delimiters allow you to make your banner message several lines long. Our first two examples use the pound symbol (#), while the last example uses the dollar sign ($) as a delimiter. Be careful—if the delimiter character appears within the banner message itself, the router will only accept part of the message.

3.12.3 Discussion

Cisco routers support three main types of banners and display them in a strict order. The message of the day (motd) is followed by the login banner before the login prompt, and the router prints the EXEC banner after a successful authentication:

Freebsd% telnet Router1
Trying 172.22.1.4...
Connected to Router1.
Escape character is '^]'.
 This is a motd banner  
 This is a login banner 
   
User Access Verification
   
Username: ijbrown
Password: <xxxxxxxxx>
 This is an exec banner 
Router1>

Login banners are mainly used to display a warning message for security purposes; we will discuss this in a moment. The motd banner derives from the Unix banner bearing the same name. The motd banner is of little use in production environments and is rarely required. The EXEC banner, on the other hand, is useful for displaying administrator messages because it is only presented to authenticated users (much like the Unix motd banner).

Banners are an important and often overlooked part of a good security policy. Although a banner alone will not repel the crafty hacker, it provides a certain level of legal protection. In fact, a well-designed warning message may indeed repel a would-be hacker: the mere threat of legal action can be a wonderful deterrent. If unauthorized users suspect that your organization is serious about legal action, they are less likely to target your devices. We highly recommend implementing login banners on all production routers.

A good login banner should meet the following objectives:

Login banners can simplify the prosecution of hackers who unlawfully access your system by explicitly notifying unauthorized users that their actions are indeed unauthorized. Think of the banner as the electronic equivalent of a sign saying, "trespassers will be prosecuted." Without this sign, somebody could theoretically claim that they didn't know it was a private system. It may not hold up in court, but why take the risk? Laws governing legal notification vary significantly between jurisdictions and situational purpose. We recommend that you clear all proposed banners with your legal department before implementation.

The following banner message shows a particularly well-written legal notice that meets all of the requirements mentioned earlier. The FBI's Atlanta computer crime squad provided this example banner. Again, please check with your local authorities before creating a warning banner to ensure that it meets your local legal requirements:

Router1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#banner login #
Enter TEXT message.  End with the character '#'.
   
+--------------------------------------------------------------------+
|                              WARNING                               |
|                              -------                               |
| This system is solely for the use of authorized users for official | 
| purposes.  You have no expectation of privacy in its use and to    |
| ensure that the system is functioning properly, individuals using  | 
| this computer system are subject to having all of their activities | 
| monitored and recorded by system personnel. Use of this system     | 
| evidences an express consent to such monitoring and agreement that |
| if such monitoring reveals evidence of possible abuse or criminal  |
| activity, system personnel may provide the results of such         |
| monitoring to appropriate officials.                               |
+--------------------------------------------------------------------+
#
Router1(config)#end
Router1#

Starting with Version 12.0(3)T of IOS, Cisco routers began to support banner token functionality. Tokens are variables (listed in Table 3-2) that are embedded within a banner message and serve as substitutes for things such as hostnames and domain names.

Table 3-2. Supported banner tokens list

Token name     Substituted information
$(hostname)    Displays the router's hostname
$(domain)      Displays the configured domain name
$(line)        Displays the active line number
$(line-desc)   Displays a description of the active line

Tokens allow you to distribute a single banner message throughout your network by using variable substitution to make it look slightly different on each device. This ensures that any local differences in the information are always accurate. The banner message can dynamically adapt to changes in hostname or line number, for instance.

Although all banner types support tokens, we recommend using them only in EXEC banners. Since tokens surrender information about the router, it is inappropriate to use them within login or motd banners, which are visible before the user supplies a valid username or password. EXEC banners, on the other hand, are visible only to authenticated users. The following example shows how to configure an EXEC banner with tokens:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#banner exec #
Enter TEXT message.  End with the character '#'.
Welcome, you have connected to router $(hostname).$(domain):     
on line $(line) ($(line-desc)).  
#
Router1(config)#line vty 0 4
Router1(config-line)#location 999 Queen Street West
Router1(config-line)#end
Router1#exit
Connection closed by foreign host.
Freebsd% telnet Router1
Trying 172.25.1.7...
Connected to Router1.
Escape character is '^]'.
   
   
User Access Verification
   
Password: <vtypassword>
Welcome, you have connected to router Router1.oreilly.com:     
on line 5 (999 Queen Street West).  
   
Router1>

Note that the router substitutes the appropriate router information where the tokens were. For example, it replaces the hostname token, $(hostname), with the hostname, Router1. The domain token, $(domain), is derived from the ip domain-name command. The line token, $(line), is replaced with the active line number. Finally, the line description token, $(line-desc), is derived from the information configured with the location command for this line.
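Two pitfalls on this page are easy to check before pasting a banner into a router: a delimiter character that recurs inside the message (see the Solution) and Table 3-2 tokens placed in a motd or login banner, where they are shown before authentication. The audit helper below is an added example, not code from the book or from Cisco; the CLI text it parses is a constructed sample, and its parsing rule (IOS keeps the text up to the first repeat of the delimiter) is taken from the Solution's caveat.

```python
import re

# Tokens from Table 3-2 that disclose router information.
TOKENS = ("$(hostname)", "$(domain)", "$(line)", "$(line-desc)")
# Banner types the router displays before authentication.
PRE_AUTH = {"motd", "login"}
BANNER_RE = re.compile(r"^\s*banner\s+(motd|login|exec)\s+(\S)", re.M)

def parse_banners(cli_text):
    """Yield (type, delimiter, accepted, intended) per banner command.
    'intended' runs to the last delimiter before the next banner command;
    'accepted' stops at the first one, which is all that IOS keeps.
    """
    matches = list(BANNER_RE.finditer(cli_text))
    for i, m in enumerate(matches):
        btype, delim = m.group(1), m.group(2)
        stop = matches[i + 1].start() if i + 1 < len(matches) else len(cli_text)
        block = cli_text[m.end():stop]
        first, last = block.find(delim), block.rfind(delim)
        if first == -1:  # no closing delimiter: treat the whole block as text
            yield btype, delim, block.strip(), block.strip()
        else:
            yield btype, delim, block[:first].strip(), block[:last].strip()

def audit_banners(cli_text):
    """Return findings for delimiter collisions and tokens in pre-auth banners."""
    findings = []
    for btype, delim, accepted, intended in parse_banners(cli_text):
        if accepted != intended:
            findings.append(f"{btype}: delimiter {delim!r} appears inside the "
                            f"message; the router would keep only {accepted!r}")
        if btype in PRE_AUTH:
            leaked = [t for t in TOKENS if t in intended]
            if leaked:
                findings.append(f"{btype}: tokens {leaked} are shown before login")
    return findings

# Constructed sample CLI input (not captured from a real device).
SAMPLE = """\
banner motd $ Property of $(hostname).$(domain) - authorized use only $
banner login # Use of this system is monitored. Report problems to #ops #
banner exec #
Welcome, you have connected to router $(hostname).$(domain):
on line $(line) ($(line-desc)).
#
"""

if __name__ == "__main__":
    print("\n".join(audit_banners(SAMPLE)))
```

Note that the sample motd banner trips both checks at once: with `$` as the delimiter, the `$` that opens `$(hostname)` ends the message early, so only "Property of" would ever be stored.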

3.12.4 See Also

Recipe 3.13
