Details
The distributed virtual switch can export NetFlow information about traffic crossing the switch. NetFlow exports are not encrypted and can contain information about the virtual network, making it easier for a MitM attack to be executed successfully. If NetFlow export is required, verify that all NetFlow target IPs are correct.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
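Because the scanner does not perform this check, the following PowerCLI script is an added example (not part of the STIG or the Nessus audit) that does the manual verification the Details section calls for: it lists the NetFlow (IPFIX) collector configured on every distributed switch, flags any collector that is not in a documented allow list, and lists every distributed port group with NetFlow enabled. The approved collector address is a constructed placeholder; the `Get-VDSwitch`, `Get-VDPortgroup` cmdlets and the `ExtensionData.Config.IpfixConfig` and `DefaultPortConfig.IpfixEnabled` properties are the standard PowerCLI/vSphere API surface the page's own remediation commands rely on.

```powershell
# Added verification script (not from the STIG or Nessus page). Run from a PowerCLI session
# that is already connected to vCenter with Connect-VIServer.

# Constructed placeholder: replace with the site's documented NetFlow collector addresses.
$ApprovedCollectors = @('192.0.2.10')

$findings = @()

# 1. Distributed switches: report the collector and whether it is on the approved list.
foreach ($vds in Get-VDSwitch) {
    $ipfix     = $vds.ExtensionData.Config.IpfixConfig
    $collector = $ipfix.CollectorIpAddress

    # An empty collector address is the default state: no NetFlow export can leave the switch.
    if ([string]::IsNullOrEmpty($collector)) { continue }

    $status = if ($ApprovedCollectors -contains $collector) { 'approved' } else { 'UNKNOWN' }

    $findings += [pscustomobject]@{
        Object    = $vds.Name
        Type      = 'VDSwitch'
        Collector = "$collector`:$($ipfix.CollectorPort)"
        Status    = $status
    }
}

# 2. Distributed port groups: report those whose default port policy has NetFlow enabled.
foreach ($pg in Get-VDPortgroup) {
    $policy = $pg.ExtensionData.Config.DefaultPortConfig.IpfixEnabled
    if ($policy -and $policy.Value) {
        $findings += [pscustomobject]@{
            Object    = $pg.Name
            Type      = 'VDPortgroup'
            Collector = $pg.VDSwitch.Name
            Status    = 'NetFlow enabled'
        }
    }
}

$findings | Format-Table -AutoSize

# Non-zero exit when an unknown collector is present, so the check can fail a scheduled job.
if ($findings | Where-Object Status -eq 'UNKNOWN') { exit 1 }
```

Review every row whose Status is UNKNOWN against change records before removing it with the Solution steps below; a port group listed as NetFlow enabled is compliant only if its switch exports to an approved collector.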
Solution
To remove collector IPs do the following:
From the vSphere Web Client go to Networking >> Select a distributed switch >> Configure >> Settings >> NetFlow. Click edit and remove any unknown collector IPs.
or
From a PowerCLI command prompt while connected to the vCenter server run the following commands:
# Replace dvswitch with the name of the distributed switch to reset.
$dvs = Get-VDSwitch dvswitch | Get-View
ForEach($vs in $dvs){
# The ConfigVersion must match the current configuration or the reconfigure task is rejected.
$spec = New-Object VMware.Vim.VMwareDVSConfigSpec
$spec.ConfigVersion = $vs.Config.ConfigVersion
# An empty collector address and port 0 restore the NetFlow defaults (no export).
$spec.IpfixConfig = New-Object VMware.Vim.VMwareIpfixConfig
$spec.IpfixConfig.CollectorIpAddress = ''
$spec.IpfixConfig.CollectorPort = '0'
$spec.IpfixConfig.ActiveFlowTimeout = '60'
$spec.IpfixConfig.IdleFlowTimeout = '15'
$spec.IpfixConfig.SamplingRate = '0'
$spec.IpfixConfig.InternalFlowsOnly = $False
$vs.ReconfigureDvs_Task($spec)
}
Note: This will reset the NetFlow collector configuration back to the defaults.
To disable NetFlow on a distributed port group do the following:
From the vSphere Web Client go to Networking >> Select a distributed port group >> Manage >> Settings >> Policies. Go to Monitoring and change NetFlow to disabled.
or
From a PowerCLI command prompt while connected to the vCenter server run the following commands:
# Applies to every distributed port group in the connected vCenter.
$pgs = Get-VDPortgroup | Get-View
ForEach($pg in $pgs){
$spec = New-Object VMware.Vim.DVPortgroupConfigSpec
$spec.ConfigVersion = $pg.Config.ConfigVersion
# Set an explicit (non-inherited) policy so NetFlow stays disabled regardless of the switch setting.
$spec.DefaultPortConfig = New-Object VMware.Vim.VMwareDVSPortSetting
$spec.DefaultPortConfig.IpfixEnabled = New-Object VMware.Vim.BoolPolicy
$spec.DefaultPortConfig.IpfixEnabled.Inherited = $false
$spec.DefaultPortConfig.IpfixEnabled.Value = $false
$pg.ReconfigureDVPortgroup_Task($spec)
}
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: VMware.
References
- 800-53|CM-6b.
- CAT|II
- CCI|CCI-000366
- Rule-ID|SV-216838r612237_rule
- STIG-ID|VCWN-65-000016
- STIG-Legacy|SV-104573
- STIG-Legacy|V-94743
- Vuln-ID|V-216838