Information
The vSphere VDS can export NetFlow records describing traffic that crosses the VDS. These exports are sent unencrypted and contain details of the virtual network (addresses, ports and flow volumes), which makes it easier for an attacker positioned on the path to the collector to execute a Man in the Middle attack successfully.
Rationale:
If NetFlow export is required, verify that every VDS NetFlow target system is an approved collector by confirming that the collector IPs (and ports) are set correctly.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Using the vSphere Web Client
For each distributed switch
Go to 'Configure' -> 'Settings' -> 'NetFlow'.
Click 'Edit'
Set the 'Collector IP address' and 'Collector port' to the organization-approved collector.
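The following PowerCLI script is an added example (not part of the benchmark or of Tenable's audit content) that performs the verification step above from the command line: it enumerates every distributed switch, reads the configured NetFlow collector, compares it with an approved list, and reports which port groups actually have NetFlow (IPFIX) enabled. It assumes an existing Connect-VIServer session; the approved collector values are constructed placeholders to be replaced with the organization's own. The remediation function copies the switch's existing IPFIX settings and changes only the collector, so timeouts and sampling rate are preserved.

```powershell
# Approved NetFlow collectors (CONSTRUCTED placeholder values; replace with the
# organization's own approved collector IPs and ports)
$ApprovedCollectors = @(
    @{ Ip = '10.0.0.50'; Port = 2055 }
)

Function Test-VDSNetflowCollector {
    # Reports, per distributed switch, whether the configured NetFlow collector
    # is on the approved list and which port groups currently export NetFlow.
    [CmdletBinding()]
    Param (
        [Parameter(Mandatory=$true)] [array]$Approved
    )
    Foreach ($VDS in Get-VDSwitch) {
        # IpfixConfig holds the switch-level NetFlow settings (collector, timeouts, sampling)
        $ipfix = $VDS.ExtensionData.Config.IpfixConfig
        $ip    = $ipfix.CollectorIpAddress
        $port  = $ipfix.CollectorPort

        # Port groups that have IPFIX enabled are the ones actually generating exports
        $exporting = Get-VDPortgroup -VDSwitch $VDS |
            Where-Object { $_.ExtensionData.Config.DefaultPortConfig.IpfixEnabled.Value -eq $true } |
            Select-Object -ExpandProperty Name

        if ([string]::IsNullOrEmpty($ip)) {
            # No collector configured: nothing is exported even if port groups enable NetFlow
            $status = 'NoCollector'
        } elseif ($Approved | Where-Object { $_.Ip -eq $ip -and $_.Port -eq $port }) {
            $status = 'Approved'
        } else {
            # Export to an unlisted destination is the finding this check is looking for
            $status = 'UNAPPROVED'
        }

        [PSCustomObject]@{
            VDSwitch          = $VDS.Name
            CollectorIp       = $ip
            CollectorPort     = $port
            Status            = $status
            ExportingPortgroups = ($exporting -join ', ')
        }
    }
}

Function Set-VDSNetflowCollector {
    # Points a distributed switch at an approved collector, keeping its other
    # IPFIX settings unchanged (assumed remediation path, not from the benchmark).
    [CmdletBinding()]
    Param (
        [Parameter(Mandatory=$true)] $VDS,
        [Parameter(Mandatory=$true)] [string]$Ip,
        [Parameter(Mandatory=$true)] [int]$Port
    )
    $view = Get-View -Id $VDS.Id
    $spec = New-Object VMware.Vim.VMwareDVSConfigSpec
    # ConfigVersion must match the current object or the reconfigure is rejected
    $spec.ConfigVersion = $view.Config.ConfigVersion
    # Start from the existing IPFIX settings so timeouts and sampling rate are preserved
    $spec.IpfixConfig = $view.Config.IpfixConfig
    $spec.IpfixConfig.CollectorIpAddress = $Ip
    $spec.IpfixConfig.CollectorPort      = $Port
    $view.ReconfigureDvs_Task($spec)
}

# Audit run: list every switch and flag unapproved collectors
$results = Test-VDSNetflowCollector -Approved $ApprovedCollectors
$results | Format-Table -AutoSize
$results | Where-Object { $_.Status -eq 'UNAPPROVED' } | ForEach-Object {
    Write-Warning "VDS '$($_.VDSwitch)' exports NetFlow to unapproved collector $($_.CollectorIp):$($_.CollectorPort)"
}
```

Run the audit first and review the warnings; only then apply Set-VDSNetflowCollector to a flagged switch (for example, `Set-VDSNetflowCollector -VDS (Get-VDSwitch 'DSwitch01') -Ip '10.0.0.50' -Port 2055`). A switch reported as NoCollector with exporting port groups is not leaking anything today, but the port-group setting will take effect as soon as someone adds a collector, so it is worth cleaning up as well.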
Additionally, the following PowerCLI function may be used to disable NetFlow on a distributed port group where export is not required:

# Function for Disable-PGNetflow
# From: http://www.virtu-al.net/2013/07/23/disabling-netflow-with-powercli/
# Must be defined before it is called below.
Function Disable-PGNetflow {
    [CmdletBinding()]
    Param (
        [Parameter(ValueFromPipeline=$true)]
        $DVPG
    )
    Process {
        Foreach ($PG in $DVPG) {
            $spec = New-Object VMware.Vim.DVPortgroupConfigSpec
            # ConfigVersion must match the current object or the reconfigure is rejected
            $spec.ConfigVersion = $PG.ExtensionData.Config.ConfigVersion
            $spec.DefaultPortConfig = New-Object VMware.Vim.VMwareDVSPortSetting
            # Explicitly set IPFIX (NetFlow) to disabled rather than inheriting from the switch
            $spec.DefaultPortConfig.IpfixEnabled = New-Object VMware.Vim.BoolPolicy
            $spec.DefaultPortConfig.IpfixEnabled.Inherited = $false
            $spec.DefaultPortConfig.IpfixEnabled.Value = $false
            $PGView = Get-View -Id $PG.Id
            $PGView.ReconfigureDVPortgroup_Task($spec)
        }
    }
}

# Disable NetFlow for a VDPortgroup
$DPortgroup = "<name of portgroup>"
Get-VDPortgroup $DPortgroup | Disable-PGNetflow