You have no expectation of privacy in its use and to ensure that the system is functioning properly, individuals using this computer system are subject to having all of their activities
Trang 1Chapter 6
CHAPTER 6
Warning Banners
This chapter is short, but very important Every router should have an appropriate warning banner for all login access These banners, however, are often thought of as pure fluff by those technically inclined How could a warning banner serve as any protection against a hacker? What hacker is going to go away because a warning banner tells him to? It is important to remember that warning banners are not imple-mented to provide technical protection They provide legal protection
Legal Issues
Because many technicians see warning banners as worthless in the prevention of hack attacks, most systems have no banners Even if management requires that ban-ners be put in place, most administrators don’t understand what a banner should say
to provide legal protection, so even systems that have banners often include ineffec-tual ones
A good warning banner has four main goals It needs to:
• Be legally sufficient for prosecution of intruders
• Shield administrators from liability
• Warn users about monitoring or recording of system use
• Not leak information that could be useful to an attacker
Each banner should address the following issues:
Authorized users only
The banner should specify that this system is for authorized users only This specification keeps a hacker from claiming ignorance While not the most effec-tive legal strategy, with the novelty of computers and lack of case law, prosecu-tors are concerned enough about it that it should be included in every banner
Trang 2Official work
In addition to restricting the system to authorized users, the banner should state that the system is to be used for official work only This statment closes the loophole of an authorized user attempting unauthorized activities
No expectation of privacy
Every banner should explicitly state that there is no expectation of privacy when using the system This statement is extremely important The Electronic Com-munications Privacy Act makes it illegal to intercept or disclose the contents of electronic communications unless there is explicit notice that users have no expectation of privacy (or the courts grant a wiretap) Without such a warning,
an administrator performing routine maintenance might be performing an ille-gal wiretap and violating the law
All access and use may be monitored and/or recorded
Elaborating on the previous statement, this explicitly states that all access and
use may be monitored and/or recorded It is important to say may be monitored rather than will be monitored Computer logs can sometimes be considered
hear-say and rendered inadmissible in a court of law If your banner hear-says that all
access will be monitored and you don’t monitor all access, a defending attorney
might be able to relegate your entire warning banner to the state of an
unen-forced policy and therefore render it useless in court May be monitored gives you
the option of choosing when to perform monitoring
Results may be provided to appropriate officials
It is important to inform the user that any monitoring or recording that indi-cates abuse or criminal activity may be turned over to law enforcement or other appropriate officials
Use implies consent
Finally, the banner should explicitly state that use of the system implies consent
to all conditions laid out in the warning banner This statement eliminates the possibility of someone claiming that they never agreed to the conditions of the banner and therefore weren’t bound by them
Without banners that display the previous information, you may cripple both your and law enforcement’s ability to investigate any incidents Additionally, if you do find the attacker, your evidence may not be admissible in court and may destroy your case Also, many organizations like to put items in banners such as:
• Router hardware and software types
• Contact information
• Location of the router
• Name of the administrator
All of this information can be invaluable to attackers as they perform reconnaissance
on your network Anything more than the name of your organization should never
Trang 354 | Chapter 6: Warning Banners
Finally, it is important to check your local legal requirements For example, banners
in Canada must include both English and French translations
Example Banner
This example banner was provided by FBIagent Patrick Gray who works for the FBI’s computer crimes division in Atlanta It covers all of the issues mentioned earlier
WARNING!!!
This system is solely for the use of authorized users for official purposes.
You have no expectation of privacy in its use and to ensure that the system
is functioning properly, individuals using this computer system are subject
to having all of their activities monitored and recorded by system
personnel Use of this system evidences an express consent to such
monitoring and agreement that if such monitoring reveals evidence of
possible abuse or criminal activity, system personnel may provide the
results of such monitoring to appropriate officials.
This is a good example of a generic banner that covers the basic needs of a banner You may want to check with your state’s attorney general to see if there are any more specifics to add that relate to your state’s cybercrime laws
There is a cyberlegend about a case that was dismissed and a hacker
let go because the system banner said Welcome to system XYZ… The
story says that the defending attorney argued that because the system
banner said Welcome, the hacker had been invited into the system and
there was no unauthorized access The story is fictitious, but because
of the lack of cybercrime case law, it’s not good to tempt fate No
mat-ter how nice you are, don’t let your system banners say Welcome.
Adding Login Banners
You can set four banners on Cisco routers These banners include:
• MOTD banner
• Login banner
• AAA authentication banner
• EXEC banner
MOTD Banner
The MOTD banner sends users messages of the day and is set with the banner motd
command While it can be used to display the warning banner, it is generally used for more general announcements such as planned outages or system maintenance
Trang 4Login Banner
The login banner is presented each time a user attempts to log in You definitely want to set this banner to the previous warning banner This banner is set with the
banner login command:
Router#config terminal
Enter configuration commands, one per line End with CNTL/Z.
Router(config)#banner login $
Enter TEXT message End with the character '!'.
WARNING!!!
This system is solely for the use of authorized users for official purposes.
You have no expectation of privacy in its use and to ensure that the system
is functioning properly, individuals using this computer system are subject
to having all of their activities monitored and recorded by system
personnel Use of this system evidences an express consent to such
monitoring and agreement that if such monitoring reveals evidence of
possible abuse or criminal activity, system personnel may provide the
results of such monitoring to appropriate officials.
$
Router(config)#^Z
Router#
Now when users attempt to log into the router, they see the following:
% telnet RouterOne
Trying RouterOne
Connected to RouterOne.
Escape character is '^]'.
WARNING!!!
This system is solely for the use of authorized users for official purposes.
You have no expectation of privacy in its use and to ensure that the system
is functioning properly, individuals using this computer system are subject
to having all of their activities monitored and recorded by system
personnel Use of this system evidences an express consent to such
monitoring and agreement that if such monitoring reveals evidence of
possible abuse or criminal activity, system personnel may provide the
results of such monitoring to appropriate officials.
Username:
AAA Authentication Banner
If you are using AAA authentication, you can set the AAA authentication banner instead of the login banner If both are set, both will be displayed The AAA
authen-tication banner is set with the aaa authenauthen-tication banner command:
Router#config terminal
Enter configuration commands, one per line End with CNTL/Z.
Router(config)#aaa authentication banner $
Enter TEXT message End with the character '$'.
Trang 556 | Chapter 6: Warning Banners
WARNING!!!
This system is solely for the use of authorized users for official purposes.
You have no expectation of privacy in its use and to ensure that the system
is functioning properly, individuals using this computer system are subject
to having all of their activities monitored and recorded by system
personnel Use of this system evidences an express consent to such
monitoring and agreement that if such monitoring reveals evidence of
possible abuse or criminal activity, system personnel may provide the
results of such monitoring to appropriate officials.
$
Router(config)#^Z
Router#
EXEC Banner
The EXEC banner is displayed after a user has successfully logged in and started an EXEC or shell prompt It is a good place to provide additional notification to users and to make it even harder for them to claim that they didn’t see the banner You set
the EXEC banner with the banner exec command:
Router#config terminal
Router(config)#banner exec $
Enter TEXT message End with the character '$'.
REMEMBER!!!
This system is solely for the use of authorized users for official purposes.
You have no expectation of privacy in its use and to ensure that the system
is functioning properly, individuals using this computer system are subject
to having all of their activities monitored and recorded by system
personnel Use of this system evidences an express consent to such
monitoring and agreement that if such monitoring reveals evidence of
possible abuse or criminal activity, system personnel may provide the
results of such monitoring to appropriate officials.
$
Router(config)#^Z
Router#
Now users see the banner before and after they log into the system:
% telnet RouterOne
Trying RouterOne
Connected to RouterOne.
Escape character is '^]'.
WARNING!!!
This system is solely for the use of authorized users for official purposes.
You have no expectation of privacy in its use and to ensure that the system
is functioning properly, individuals using this computer system are subject
to having all of their activities monitored and recorded by system
personnel Use of this system evidences an express consent to such
monitoring and agreement that if such monitoring reveals evidence of
possible abuse or criminal activity, system personnel may provide the
results of such monitoring to appropriate officials.
Trang 6Username: jdoe
Password:
REMEMBER!!!
This system is solely for the use of authorized users for official purposes.
You have no expectation of privacy in its use and to ensure that the system
is functioning properly, individuals using this computer system are subject
to having all of their activities monitored and recorded by system
personnel Use of this system evidences an express consent to such
monitoring and agreement that if such monitoring reveals evidence of
possible abuse or criminal activity, system personnel may provide the
results of such monitoring to appropriate officials.
Router>
Warning Banner Checklist
This checklist summarizes the important security information presented in this chap-ter A complete security checklist is provided in Appendix A
• Make sure every router has an appropriate warning banner that includes word-ing that states:
— The router is for authorized personnel only
— The router is for official use only
— Users have no expectations of privacy
— All access and use may (not will) be monitored and/or recorded
— Monitoring and/or recording may be turned over to the appropriate authorities
— Use of the system implies consent to the previously mentioned conditions
• Make sure the banner does not say Welcome anywhere in it.
• Make sure the banner does not include any identifying information relating to the router, the administrators, or the organization running the router
• Check local legal requirements to make sure the banner contains all necessary language and content
• Use the banner login command to display the banner every time a user attempts
to log in
• Use the banner exec command to display the banner a second time every time a
user starts an EXEC or shell prompt