Information
The vSphere VDS can export Netflow information about traffic crossing the VDS. These exports are not encrypted and contain information about the virtual network, which makes it easier for a man-in-the-middle attack to succeed.
NOTE: This is only valid if utilizing VMware vCenter
If Netflow export is required, verify that all VDS Netflow target systems are approved collectors by confirming that the collector IP addresses are set correctly.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Using the vSphere Web Client
- Go to the Networking section of vCenter
- Select each distributed switch in turn and perform the following steps:
- Go to Configure then expand Settings
- Click on Netflow
- Click on Edit
- Enter the Collector IP address and Collector port as required.
- Click OK
Additionally, the following PowerCLI script may be used to disable Netflow on a distributed portgroup:
# Function for Disable-PGNetflow
# From: http://www.virtu-al.net/2013/07/23/disabling-netflow-with-powercli/
# Defined before it is called so the script runs top to bottom.
Function Disable-PGNetflow {
    [CmdletBinding()]
    Param (
        [Parameter(ValueFromPipeline=$true)] $DVPG
    )
    Process {
        Foreach ($PG in $DVPG) {
            # Build a reconfigure spec carrying the current config version so vCenter does not reject it as stale
            $spec = New-Object VMware.Vim.DVPortgroupConfigSpec
            $spec.configversion = $PG.ExtensionData.Config.ConfigVersion
            # Override (do not inherit) the portgroup's IPFIX/Netflow policy and turn it off
            $spec.defaultPortConfig = New-Object VMware.Vim.VMwareDVSPortSetting
            $spec.defaultPortConfig.ipfixEnabled = New-Object VMware.Vim.BoolPolicy
            $spec.defaultPortConfig.ipfixEnabled.inherited = $false
            $spec.defaultPortConfig.ipfixEnabled.value = $false
            # Apply the spec through the managed-object view of the portgroup
            $PGView = Get-View -Id $PG.Id
            $PGView.ReconfigureDVPortgroup_Task($spec)
        }
    }
}

# Disable Netflow for a VDPortgroup
$DPortgroup = "<name of portgroup>"
Get-VDPortgroup $DPortgroup | Disable-PGNetflow
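To audit the check itself (every VDS collector is an approved one, and which portgroups actually export flows), the following PowerCLI script is an added example, not code from the benchmark or from the page above. It assumes an existing Connect-VIServer session; the approved collector IP addresses in $ApprovedCollectors are constructed placeholders to be replaced with your own list.

```powershell
# Audit every VDS for its Netflow (IPFIX) collector and list the portgroups that emit flows.
# $ApprovedCollectors holds constructed placeholder IPs; replace with the approved collector list.
$ApprovedCollectors = @('192.0.2.10', '192.0.2.11')

Function Get-VDSNetflowAudit {
    [CmdletBinding()]
    Param (
        [Parameter(Mandatory=$true)] [string[]] $Approved
    )
    Process {
        Foreach ($VDS in Get-VDSwitch) {
            # Collector IP/port live at the switch level (may be absent on older VDS versions)
            $ipfix = $VDS.ExtensionData.Config.IpfixConfig
            $collector = if ($ipfix) { $ipfix.CollectorIpAddress } else { $null }
            $port = if ($ipfix) { $ipfix.CollectorPort } else { $null }

            # Netflow is only emitted from portgroups where ipfixEnabled is true
            $enabledPGs = @(Get-VDPortgroup -VDSwitch $VDS |
                Where-Object { $_.ExtensionData.Config.DefaultPortConfig.IpfixEnabled.Value -eq $true })

            $status = if ([string]::IsNullOrEmpty($collector)) {
                if ($enabledPGs.Count -gt 0) { 'FAIL: Netflow enabled but no collector configured' }
                else { 'PASS: Netflow not in use' }
            } elseif ($Approved -contains $collector) {
                'PASS: approved collector'
            } else {
                'FAIL: unapproved collector'
            }

            [PSCustomObject]@{
                VDSwitch          = $VDS.Name
                CollectorIP       = $collector
                CollectorPort     = $port
                NetflowPortgroups = ($enabledPGs | Select-Object -ExpandProperty Name) -join ', '
                Status            = $status
            }
        }
    }
}

# Print one row per distributed switch; any FAIL row needs remediation or an updated approved list.
Get-VDSNetflowAudit -Approved $ApprovedCollectors | Format-Table -AutoSize
```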