7.19 (L1) Virtual machines must limit access through the "dvfilter" network API

Information

The dvFilter interface facilitates network traffic filtering and inspection, predominantly via tools like NSX. It's vital to allow only authorized tools to access this interface to uphold network security. Unauthorized access could lead to illicit network traffic inspection or misuse. The parameter governing this behavior is ethernet*.filter*.name with a recommended setting of Not Present.

Limiting access through the "dvfilter" network API to authorized tools is essential for preserving network integrity and security. This restriction curtails the risk of unauthorized data inspection and potential network vulnerabilities.

Solution

To set this configuration, use the vSphere interface as follows:

- Select the VM, then select Actions followed by Edit Settings
- Click on the VM Options tab, then expand Advanced
- Click on EDIT CONFIGURATION
- Remove the value from ethernet0.filter1.name = dv-filter (parameters are removed when no value is present)
- Click OK

You may also configure a VM to allow dvfilter access via the following method in the VMX file:

- Configure the following in the VMX file: ethernet0.filter1.name = dv-filter1, where ethernet0 is the network adapter interface of the virtual machine that is to be protected, filter1 is the number of the filter that is being used, and dv-filter1 is the name of the particular data path kernel module that is protecting the VM.
- Set the name of the data path kernel module correctly.

If dvfilter access should not be permitted, remove the following from the VM's VMX file: ethernet0.filter1.name = dv-filter1
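As an added example (not part of the benchmark or of Tenable's audit), the following Python audits a VMX file for the ethernet*.filter*.name parameter described above: it flags every dvfilter binding that is not on an authorized-module list (an empty list enforces the "Not Present" recommendation) and produces the remediated VMX text with those lines removed. The sample VMX content is constructed for the example.

```python
"""Audit a VMX file for dvfilter bindings (ethernet*.filter*.name)."""
import re

# ethernetN.filterM.name binds vNIC N to the dvfilter kernel module named in the value.
DVFILTER_KEY = re.compile(r"^ethernet(\d+)\.filter(\d+)\.name$")
# VMX lines have the form key = "value"; comment (#) and blank lines do not match.
VMX_LINE = re.compile(r'^\s*([^#=\s]+)\s*=\s*"?([^"]*)"?\s*$')


def parse_vmx(text):
    """Return the VMX settings as a dict, preserving file order."""
    settings = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def dvfilter_bindings(settings, authorized=frozenset()):
    """Return (nic, filter_index, module) for every dvfilter binding whose module
    is not authorized. With an empty set every binding is a finding."""
    findings = []
    for key, value in settings.items():
        m = DVFILTER_KEY.match(key)
        if m and value not in authorized:
            findings.append((int(m.group(1)), int(m.group(2)), value))
    return findings


def remediate_vmx(text):
    """Drop every ethernet*.filter*.name line: the parameter is removed when no
    value is present, which is the state the Solution section asks for."""
    kept = []
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m and DVFILTER_KEY.match(m.group(1)):
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


# Constructed sample VMX fragment (not taken from a real VM).
SAMPLE_VMX = '''\
.encoding = "UTF-8"
displayName = "web01"
ethernet0.present = "TRUE"
ethernet0.filter1.name = "dv-filter1"
ethernet1.present = "TRUE"
ethernet1.filter1.name = "dv-filter1"
ethernet1.filter2.name = "vendor-ids"
'''
```

Running `dvfilter_bindings(parse_vmx(SAMPLE_VMX))` reports all three bindings; passing `authorized={"dv-filter1"}` leaves only the unknown "vendor-ids" module as a finding, which is how an environment that legitimately runs NSX would scope the check.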

Impact:

While enhancing security by restricting access to the dvFilter interface, this control may hinder the functionality of legitimate network tools like NSX, which necessitate access to the "dvfilter" network API for proper operation.

See Also

https://workbench.cisecurity.org/benchmarks/15784

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|9.2, CSCv7|12.4

Plugin: VMware

Control ID: 1ede29f3f44ed821b1f800dfda593ef0fb7fb45e250762d1e8ecbc0b33ebbb88