VCSA-70-000271 - The vCenter Server must only send NetFlow traffic to authorized collectors.

Information

The distributed virtual switch can export NetFlow (IPFIX) records about traffic crossing the switch. NetFlow exports are not encrypted, and the flow records reveal the layout and traffic patterns of the virtual network, which helps an attacker positioned on the network path stage a man-in-the-middle attack. If NetFlow export is required, verify that every configured collector IP address belongs to a known, authorized collector.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
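The verification that the note above leaves to the reviewer can be scripted. The following PowerCLI script is an added example, not part of the STIG or of this Nessus check: run after Connect-VIServer, it reads the NetFlow collector configured on every distributed switch, compares it with an allowlist of documented collectors, and also lists the distributed port groups that actually have NetFlow enabled, since only those export flows to the collector. The allowlist entry is a constructed placeholder.

```powershell
# Added audit example: not from the STIG or the Nessus check. Assumes the
# VMware.PowerCLI module is loaded and Connect-VIServer has already been run.

# Constructed placeholder allowlist: replace with the documented, authorized collectors.
$AuthorizedCollectors = @(
    @{ Ip = '192.0.2.50'; Port = 2055 }
)

function Test-NetFlowCollector {
    param([string]$Ip, [int]$Port)
    foreach ($c in $AuthorizedCollectors) {
        if ($c.Ip -eq $Ip -and $c.Port -eq $Port) { return $true }
    }
    return $false
}

$results = @()

foreach ($vds in Get-VDSwitch) {
    $ipfix = $vds.ExtensionData.Config.IpfixConfig
    # A switch with no IPFIX config or an empty collector address exports nothing.
    if ($null -eq $ipfix -or [string]::IsNullOrEmpty($ipfix.CollectorIpAddress)) {
        Write-Host ("{0}: no NetFlow collector configured" -f $vds.Name)
        continue
    }

    $target = "{0}:{1}" -f $ipfix.CollectorIpAddress, $ipfix.CollectorPort
    if (-not (Test-NetFlowCollector -Ip $ipfix.CollectorIpAddress -Port $ipfix.CollectorPort)) {
        $results += [pscustomobject]@{
            Status = 'FINDING'
            Object = $vds.Name
            Type   = 'VDSwitch'
            Detail = "collector $target is not on the authorized list"
        }
    }

    # Report port groups on this switch that have NetFlow turned on, so the
    # reviewer can see which traffic is actually being exported to $target.
    foreach ($pg in Get-VDPortgroup -VDSwitch $vds) {
        $policy = $pg.ExtensionData.Config.DefaultPortConfig.IpfixEnabled
        if ($null -ne $policy -and $policy.Value -eq $true) {
            $results += [pscustomobject]@{
                Status = 'INFO'
                Object = $pg.Name
                Type   = 'VDPortgroup'
                Detail = "NetFlow enabled, flows exported to $target"
            }
        }
    }
}

$findings = @($results | Where-Object { $_.Status -eq 'FINDING' })
if ($findings.Count -eq 0) {
    Write-Host "No unauthorized NetFlow collectors found."
}
$results | Format-Table -AutoSize
```

Any row marked FINDING is a switch whose collector is not on the documented list and should be handled with the remediation in the Solution section below; INFO rows show where flows are actually being generated, which is also where disabling NetFlow at the port group level applies.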

Solution

To remove unauthorized collector IP addresses, do the following:

From the vSphere Client, go to 'Networking'.

Select a distributed switch >> Configure >> Settings >> NetFlow.

Click 'Edit'.

Remove any collector IP address that is not a known, documented collector.

or

From a PowerCLI command prompt while connected to the vCenter server, run the following commands:

# 'dvswitch' is the name of the distributed switch to reset; replace it with the
# name of the switch carrying the unauthorized collector, or omit it to select all.
$dvs = Get-VDSwitch dvswitch | Get-View
ForEach($vs in $dvs){
    $spec = New-Object VMware.Vim.VMwareDVSConfigSpec
    # ConfigVersion must match the switch's current version or vCenter rejects the reconfigure
    $spec.configversion = $vs.Config.ConfigVersion
    $spec.IpfixConfig = New-Object VMware.Vim.VMwareIpfixConfig
    # An empty address and port 0 clear the collector, so no flows leave the switch
    $spec.IpfixConfig.CollectorIpAddress = ''
    $spec.IpfixConfig.CollectorPort = '0'
    $spec.IpfixConfig.ActiveFlowTimeout = '60'
    $spec.IpfixConfig.IdleFlowTimeout = '15'
    $spec.IpfixConfig.SamplingRate = '0'
    $spec.IpfixConfig.InternalFlowsOnly = $False
    $vs.ReconfigureDvs_Task($spec)
}

Note: This will reset the NetFlow collector configuration back to the defaults.

To disable NetFlow on a distributed port group, do the following:

From the vSphere Client, go to Networking.

Select a distributed port group >> Configure >> Settings >> Policies.

Click 'Edit'.

Click the 'Monitoring' tab.

Change 'NetFlow' to 'Disabled'.

or

From a PowerCLI command prompt while connected to the vCenter server, run the following commands:

# Without a filter this touches every distributed port group in the vCenter
# inventory; pass -VDSwitch or -Name to Get-VDPortgroup to limit the scope.
$pgs = Get-VDPortgroup | Get-View
ForEach($pg in $pgs){
    $spec = New-Object VMware.Vim.DVPortgroupConfigSpec
    $spec.configversion = $pg.Config.ConfigVersion
    $spec.defaultPortConfig = New-Object VMware.Vim.VMwareDVSPortSetting
    $spec.defaultPortConfig.ipfixEnabled = New-Object VMware.Vim.BoolPolicy
    # inherited = $false makes the port group's own value override the switch-level policy
    $spec.defaultPortConfig.ipfixEnabled.inherited = $false
    $spec.defaultPortConfig.ipfixEnabled.value = $false
    $pg.ReconfigureDVPortgroup_Task($spec)
}

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_7-0_Y24M01_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-256351r885664_rule, STIG-ID|VCSA-70-000271, Vuln-ID|V-256351

Plugin: VMware

Control ID: 027adb73c120d2256fb11c20a8d2102f69670365a3125eb4344c302b4f711b4b