This is the Title of the Book, eMatter Edition
Copyright © 2002 O’Reilly & Associates, Inc. All rights reserved.
CHAPTER 6
Warning Banners
This chapter is short, but very important. Every router should have an appropriate
warning banner for all login access. These banners, however, are often thought of as
pure fluff by those technically inclined. How could a warning banner serve as any
protection against a hacker? What hacker is going to go away because a warning
banner tells him to? It is important to remember that warning banners are not
implemented to provide technical protection. They provide legal protection.
Legal Issues
Because many technicians see warning banners as worthless in the prevention of
hack attacks, most systems have no banners. Even if management requires that
banners be put in place, most administrators don’t understand what a banner should say
to provide legal protection, so even systems that have banners often include
ineffectual ones.
A good warning banner has four main goals. It needs to:
• Be legally sufficient for prosecution of intruders
• Shield administrators from liability
• Warn users about monitoring or recording of system use
• Not leak information that could be useful to an attacker
Each banner should address the following issues:
Authorized users only
The banner should specify that this system is for authorized users only. This
specification keeps a hacker from claiming ignorance. While not the most
effective legal strategy, with the novelty of computers and lack of case law,
prosecutors are concerned enough about it that it should be included in every banner.
Official work
In addition to restricting the system to authorized users, the banner should state
that the system is to be used for official work only. This statement closes the
loophole of an authorized user attempting unauthorized activities.
No expectation of privacy
Every banner should explicitly state that there is no expectation of privacy when
using the system. This statement is extremely important. The Electronic
Communications Privacy Act makes it illegal to intercept or disclose the contents of
electronic communications unless there is explicit notice that users have no
expectation of privacy (or the courts grant a wiretap). Without such a warning,
an administrator performing routine maintenance might be performing an
illegal wiretap and violating the law.
All access and use may be monitored and/or recorded
Elaborating on the previous statement, this explicitly states that all access and
use may be monitored and/or recorded. It is important to say “may be monitored”
rather than “will be monitored”. Computer logs can sometimes be considered hearsay
and rendered inadmissible in a court of law. If your banner says that all
access will be monitored and you don’t monitor all access, a defending attorney
might be able to relegate your entire warning banner to the state of an unenforced
policy and therefore render it useless in court. “May be monitored” gives you
the option of choosing when to perform monitoring.
Results may be provided to appropriate officials
It is important to inform the user that any monitoring or recording that
indicates abuse or criminal activity may be turned over to law enforcement or other
appropriate officials.
Use implies consent
Finally, the banner should explicitly state that use of the system implies consent
to all conditions laid out in the warning banner. This statement eliminates the
possibility of someone claiming that they never agreed to the conditions of the
banner and therefore weren’t bound by them.
Without banners that display the previous information, you may cripple both your and
law enforcement’s ability to investigate any incidents. Additionally, if you do find the
attacker, your evidence may not be admissible in court and may destroy your case.
Also, many organizations like to put items in banners such as:
• Router hardware and software types
• Contact information
• Location of the router
• Name of the administrator
All of this information can be invaluable to attackers as they perform reconnaissance
on your network. Anything more than the name of your organization should never
be put into warning banners.
Finally, it is important to check your local legal requirements. For example, banners
in Canada must include both English and French translations.
Example Banner
This example banner was provided by FBI agent Patrick Gray, who works for the FBI’s
computer crimes division in Atlanta. It covers all of the issues mentioned earlier.
WARNING!!!
This system is solely for the use of authorized users for official purposes.
You have no expectation of privacy in its use and to ensure that the system
is functioning properly, individuals using this computer system are subject
to having all of their activities monitored and recorded by system
personnel. Use of this system evidences an express consent to such
monitoring and agreement that if such monitoring reveals evidence of
possible abuse or criminal activity, system personnel may provide the
results of such monitoring to appropriate officials.
This is a good example of a generic banner that covers the basic needs of a banner.
You may want to check with your state’s attorney general to see if there are any more
specifics to add that relate to your state’s cybercrime laws.
There is a cyberlegend about a case that was dismissed and a hacker
let go because the system banner said Welcome to system XYZ…. The
story says that the defending attorney argued that because the system
banner said Welcome, the hacker had been invited into the system and
there was no unauthorized access. The story is fictitious, but because
of the lack of cybercrime case law, it’s not good to tempt fate. No matter
how nice you are, don’t let your system banners say Welcome.
Adding Login Banners
You can set four banners on Cisco routers. These banners include:
• MOTD banner
• Login banner
• AAA authentication banner
• EXEC banner
MOTD Banner
The MOTD banner sends users messages of the day and is set with the banner motd
command. While it can be used to display the warning banner, it is generally used for
more general announcements such as planned outages or system maintenance.
Login Banner
The login banner is presented each time a user attempts to log in. You definitely
want to set this banner to the previous warning banner. This banner is set with the
banner login command:
Router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#banner login $
Enter TEXT message. End with the character '$'.
WARNING!!!
This system is solely for the use of authorized users for official purposes.
You have no expectation of privacy in its use and to ensure that the system
is functioning properly, individuals using this computer system are subject
to having all of their activities monitored and recorded by system
personnel. Use of this system evidences an express consent to such
monitoring and agreement that if such monitoring reveals evidence of
possible abuse or criminal activity, system personnel may provide the
results of such monitoring to appropriate officials.
$
Router(config)#^Z
Router#
Now when users attempt to log into the router, they see the following:
% telnet RouterOne
Trying RouterOne...
Connected to RouterOne.
Escape character is '^]'.
WARNING!!!
This system is solely for the use of authorized users for official purposes.
You have no expectation of privacy in its use and to ensure that the system
is functioning properly, individuals using this computer system are subject
to having all of their activities monitored and recorded by system
personnel. Use of this system evidences an express consent to such
monitoring and agreement that if such monitoring reveals evidence of
possible abuse or criminal activity, system personnel may provide the
results of such monitoring to appropriate officials.
Username:
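An audit of the points above, as an added example that is not code from the book: it pulls every banner block out of a router configuration, checks the login banner for the six statements listed under Legal Issues, and flags wording the chapter warns against in any banner type. The keyword patterns, the SAMPLE configuration and all names in the code are assumptions made for illustration.

```python
import re

# Statements the chapter requires in a login banner; the regexes are assumed keyword tests.
REQUIRED = {
    "authorized users only": r"authorized users",
    "official work only": r"official (purposes|work|use)",
    "no expectation of privacy": r"no expectation of privacy",
    "may be monitored/recorded": r"monitored",
    "results may go to officials": r"appropriate officials|law enforcement",
    "use implies consent": r"consent",
}
# Wording the chapter warns against, checked in every banner type (assumed patterns).
DISCOURAGED = {
    "says Welcome": r"\bwelcome\b",
    "promises monitoring (will be monitored)": r"will be monitored",
    "names hardware or software": r"\b(cisco|ios|version)\b",
    "gives contact details": r"[\w.-]+@[\w.-]+",
}
# "banner <type> <delim> text <delim>"; ^C is how IOS shows the delimiter in a saved config.
BANNER_RE = re.compile(r"^banner (\w+) (\^C|\S)(.*?)\2", re.M | re.S)

def audit(config):
    """Return (banner_type, finding) pairs for one router configuration."""
    banners = {m[1]: " ".join(m[3].split()) for m in BANNER_RE.finditer(config)}
    findings = []
    if "login" not in banners:
        findings.append(("login", "not configured"))
    else:
        findings += [("login", "missing: " + name) for name, rx in REQUIRED.items()
                     if not re.search(rx, banners["login"], re.I)]
    for kind, text in banners.items():
        findings += [(kind, name) for name, rx in DISCOURAGED.items()
                     if re.search(rx, text, re.I)]
    return findings

# Constructed sample: a weak login banner and a MOTD that breaks the chapter's advice.
SAMPLE = """hostname RouterOne
banner motd $
Welcome to RouterOne, a Cisco router. Problems? Mail admin@example.com
$
banner login $
Authorized users only. All access will be monitored.
$
"""

if __name__ == "__main__":
    for kind, finding in audit(SAMPLE):
        print(kind + ": " + finding)
```

The aaa authentication banner command uses a different syntax and is not parsed by this sketch.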
AAA Authentication Banner
If you are using AAA authentication, you can set the AAA authentication banner
instead of the login banner. If both are set, both will be displayed. The AAA
authentication banner is set with the aaa authentication banner command:
Router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#aaa authentication banner $
Enter TEXT message. End with the character '$'.
WARNING!!!
This system is solely for the use of authorized users for official purposes.
You have no expectation of privacy in its use and to ensure that the system
is functioning properly, individuals using this computer system are subject
to having all of their activities monitored and recorded by system
personnel. Use of this system evidences an express consent to such
monitoring and agreement that if such monitoring reveals evidence of
possible abuse or criminal activity, system personnel may provide the
results of such monitoring to appropriate officials.
$
Router(config)#^Z
Router#
EXEC Banner
The EXEC banner is displayed after a user has successfully logged in and started an
EXEC or shell prompt. It is a good place to provide additional notification to users
and to make it even harder for them to claim that they didn’t see the banner. You set
the EXEC banner with the banner exec command:
Router#config terminal
Router(config)#banner exec $
Enter TEXT message. End with the character '$'.
REMEMBER!!!
This system is solely for the use of authorized users for official purposes.
You have no expectation of privacy in its use and to ensure that the system
is functioning properly, individuals using this computer system are subject
to having all of their activities monitored and recorded by system
personnel. Use of this system evidences an express consent to such
monitoring and agreement that if such monitoring reveals evidence of
possible abuse or criminal activity, system personnel may provide the
results of such monitoring to appropriate officials.
$
Router(config)#^Z
Router#
Now users see the banner before and after they log into the system:
% telnet RouterOne
Trying RouterOne...
Connected to RouterOne.
Escape character is '^]'.
WARNING!!!
This system is solely for the use of authorized users for official purposes.
You have no expectation of privacy in its use and to ensure that the system
is functioning properly, individuals using this computer system are subject
to having all of their activities monitored and recorded by system
personnel. Use of this system evidences an express consent to such
monitoring and agreement that if such monitoring reveals evidence of
possible abuse or criminal activity, system personnel may provide the
results of such monitoring to appropriate officials.