What do I need to include in my Cisco login banner?
Posted on 11 April 2019 by Beaming Support
Have you ever used Telnet or SSH to access a Cisco device's CLI and noticed that, when logging in, you are presented with a banner carrying a scary-looking disclaimer, as follows:
This may look like an idle threat meant to scare off anyone trying to access the device for malicious purposes, but it does real legal work: it is formal notice of your conditions of use, so anyone who goes past it and then attempts access they are not entitled to has been told the rules and has chosen to defy them. If you manage to identify that person, the banner strengthens any legal action you take against them.
The banner covers more than unauthorised access: it also means that an authorised but disgruntled employee cannot perform unofficial (malicious) work on the device without being subject to legal action.
Below is a list of conditions that you want to cover when creating your banner:
- The router is only for those who are authorised – This helps stop crooks from claiming ignorance.
- Those who are authorised may only do official work on it – This stops authorised users from doing anything malicious and closes the loophole left by the point above.
- All login attempts and usage of the device may (NOT WILL!) be monitored/recorded – Say "may", never "will". No logging system is perfect, so you cannot honestly promise that every action is recorded; if the banner claims it is, a defendant who shows that some events were not logged can use that gap to attack the credibility of the notice as a whole.
- Should actions be deemed abusive or illegal, the monitored/recorded logs may be turned over to law enforcement – This is a deterrent in itself, and because the user has been told in advance, handing their information over does not breach their privacy. That brings us to the next point.
- There should be no expectation of privacy – I can't stress enough how important this is. In the US, the Electronic Communications Privacy Act restricts intercepting and disclosing the contents of electronic communications, but it permits it where a party has consented; stating that there is no expectation of privacy, and that continued use means consent, is how you obtain that consent from everyone who logs in, and it is what lets you produce the logs in court.
- Use of the system implies acceptance of all the conditions you specify – Without this, even with all of the above in place, someone can still plead ignorance on the grounds that they never accepted any of the conditions.
Most of the above is framed around US law, but it works well under EU/UK law too: GDPR expects people to be told that their activity is being monitored and why, and the banner is where that notice is given. Getting this right improves your chances of winning a case against any malicious perpetrator you manage to track down.
There are three main banners you need to know about: login, MOTD and exec. They are shown at different points in a session, so it matters which one carries the legal notice.
Login
This banner is displayed before the username and password prompts, so it reaches the user before they have authenticated; this is the one that should carry the legal notice described above. The command is banner login <delimiter character>.
banner login #
| BANNER |
#
The above shows the simplest way to create a banner. We type banner login to begin, then a '#' as the delimiter character: everything between that delimiter and the next one becomes the banner. As soon as the closing '#' is typed and Enter is pressed, the prompt returns to configuration mode and the banner is applied. Pick a delimiter that does not occur anywhere in the banner text, because the first time IOS sees it again it treats it as the end of the banner; the delimiter itself is not part of the banner.
Motd (Message of the day)
Despite its name, this banner is shown first: IOS displays the MOTD to every connected terminal before the login banner and before any credentials are asked for, which makes it the right place for a maintenance message telling users about planned works or reminding them that the device is for official work only. One caveat: depending on the IOS version and the SSH setup, an SSH client may only receive the MOTD after authenticating, whereas the login banner is delivered before the credential prompt, which is why the legal notice belongs in the login banner rather than here.
This is configured with banner motd <delimiter character>, in the same way as the login banner.
Exec
The exec banner appears once a user has logged in with valid credentials and an EXEC session starts, before they see the user-mode prompt. It is not tied to the enable command, so it is shown whether or not the user goes on to enter privileged exec mode. Use it to remind users that they now have a live session on the device and that any changes they make from here are their responsibility.
This is configured with banner exec <delimiter character>.
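As an added example (not part of the original post and not Beaming's own code), here is a Python script that audits the login banner in a saved running-config against the checklist earlier in the post, and that exercises the banner syntax just described. It assumes the config was captured with show running-config, which prints every banner delimiter as ^C whatever character was typed, while also accepting a single-character delimiter as typed at the CLI. The sample configs (hostnames edge-rtr1 and edge-rtr2), the banner wording and the regular expressions used for each checklist condition are constructed for this example.

```python
"""Audit the banners in a saved Cisco IOS running-config against the checklist above.

Constructed sample configs are embedded below. The parser follows the IOS syntax:
'banner <kind> <delimiter>' followed by text that runs up to the next delimiter.
"""
import re

# 'show running-config' prints the delimiter as ^C regardless of the character typed
# when the banner was created, so accept either the two-character '^C' or one
# non-space character such as '#'.
BANNER_RE = re.compile(r"^banner (?P<kind>motd|login|exec) (?P<delim>\^C|\S)", re.M)

# Checklist from the post: (label, regex that must appear in the login banner).
# The patterns are an assumption about how such a banner is usually worded.
REQUIRED = [
    ("authorised users only", r"authori[sz]ed"),
    ("official use only", r"official"),
    ("activity may be monitored/recorded", r"\bmay be (monitored|recorded|logged)"),
    ("records may go to law enforcement", r"law enforcement"),
    ("no expectation of privacy", r"no expectation of privacy"),
    ("use implies acceptance of conditions", r"\b(accept|consent)"),
]
# Wording that promises more than you can prove: 'will' instead of 'may'.
OVERSTATED = re.compile(r"\bwill be (monitored|recorded|logged)", re.I)

# Constructed sample: a config with all three banners and a login banner that
# covers every condition in the checklist.
GOOD_CONFIG = """\
hostname edge-rtr1
!
banner motd ^C
Planned maintenance: Saturday 02:00-04:00 UTC. Expect a reload.
^C
banner login ^C
*** WARNING ***
This device is for authorised users and official business only.
All login attempts and activity on this device may be monitored and recorded.
Records of abusive or illegal activity may be turned over to law enforcement.
There is no expectation of privacy on this system.
Continuing past this point constitutes acceptance of these conditions.
^C
banner exec ^C
You are now logged in to $(hostname). Official use only.
^C
!
line vty 0 4
 transport input ssh
"""

# Constructed sample: a one-line banner typed with '#' that uses 'will' and
# leaves most of the checklist out.
WEAK_CONFIG = """\
hostname edge-rtr2
!
banner login #Authorized access only. All activity will be monitored and recorded.#
!
"""


def parse_banners(config: str) -> dict[str, str]:
    """Return {kind: text} for every banner, honouring each banner's own delimiter."""
    banners = {}
    pos = 0
    while (m := BANNER_RE.search(config, pos)):
        delim = m.group("delim")
        end = config.find(delim, m.end())
        if end == -1:
            raise ValueError(f"unterminated banner {m.group('kind')}")
        banners[m.group("kind")] = config[m.end():end].strip("\n")
        pos = end + len(delim)  # resume after the closing delimiter, skipping the body
    return banners


def audit_banner(text: str) -> list[str]:
    """List what is wrong with a login banner; an empty list means it passes."""
    findings = [f"missing: {label}" for label, pat in REQUIRED
                if not re.search(pat, text, re.I)]
    if OVERSTATED.search(text):
        findings.append("overstated: says activity 'will' be monitored; say 'may'")
    return findings


def audit_config(config: str) -> list[str]:
    """Audit the login banner, the one shown before credentials are requested."""
    banners = parse_banners(config)
    if "login" not in banners:
        return ["missing: login banner (legal notice is not shown before authentication)"]
    return audit_banner(banners["login"])


if __name__ == "__main__":
    for name, cfg in (("edge-rtr1", GOOD_CONFIG), ("edge-rtr2", WEAK_CONFIG)):
        print(name, audit_config(cfg) or ["ok"])
```

Run it against a directory of saved configs and anything that prints findings needs its login banner fixed; the MOTD and exec banners are parsed too, so the same parser can be pointed at them if you want to check, for example, that the MOTD is not carrying the legal notice on its own.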