
Ensure Virtual Distributed Switch Netflow traffic is sent to an authorized collector

Details

The vSphere VDS can export Netflow information about traffic crossing the VDS. These exports are not encrypted and can contain information about the virtual network making it easier for a Man in the Middle attack to be executed successfully.

Rationale:

If Netflow export is required, verify that all VDS Netflow target systems are approved collectors by confirming the collector IPs are set correctly.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Using the vSphere Web Client

For each distributed switch

Go to ‘Configure’ -> ‘Settings’ -> ‘NetFlow’.

Click ‘Edit’

Set the ‘Collector IP address’ and ‘Collector port’ to the organization approved systems.

Additionally, where NetFlow export is not required on a distributed port group, the following PowerCLI commands may be used to disable it:

# Function for Disable-PGNetflow
# From: http://www.virtu-al.net/2013/07/23/disabling-netflow-with-powercli/
Function Disable-PGNetflow {
    [CmdletBinding()]
    Param (
        [Parameter(ValueFromPipeline=$true)]
        $DVPG
    )
    Process {
        Foreach ($PG in $DVPG) {
            # Build a reconfigure spec against the port group's current config version
            $spec = New-Object VMware.Vim.DVPortgroupConfigSpec
            $spec.configversion = $PG.Extensiondata.Config.ConfigVersion
            $spec.defaultPortConfig = New-Object VMware.Vim.VMwareDVSPortSetting
            # Explicitly turn IPFIX (NetFlow) off instead of inheriting the switch setting
            $spec.defaultPortConfig.ipfixEnabled = New-Object VMware.Vim.BoolPolicy
            $spec.defaultPortConfig.ipfixEnabled.inherited = $false
            $spec.defaultPortConfig.ipfixEnabled.value = $false

            $PGView = Get-View -Id $PG.Id
            $PGView.ReconfigureDVPortgroup_Task($spec)
        }
    }
}

# Disable Netflow for a VDPortgroup (the function above must be defined first)
$DPortgroup = "<port group name>"   # placeholder: name of the distributed port group
Get-VDPortgroup $DPortgroup | Disable-PGNetflow
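As an added audit example (not part of the benchmark text or the quoted virtu-al.net function), the following PowerCLI script lists each distributed switch's NetFlow collector and flags any switch that exports flows to a collector not on the approved list. It assumes an existing Connect-VIServer session; the $ApprovedCollectors entries are constructed placeholders.

```powershell
# Added example: audit VDS NetFlow (IPFIX) collectors against an approved list.
# Assumes PowerCLI is loaded and Connect-VIServer has already been run.

# Constructed approved-collector list: replace with the organization's own entries.
$ApprovedCollectors = @(
    @{ Ip = '10.0.0.50'; Port = 2055 }   # placeholder values, not from the benchmark
)

function Test-VDSNetflowCollector {
    [CmdletBinding()]
    Param (
        [Parameter(ValueFromPipeline = $true)] $VDSwitch,
        [Parameter(Mandatory = $true)] [array] $Approved
    )
    Process {
        foreach ($vds in $VDSwitch) {
            # The collector IP/port live in the switch config, not on the port group
            $ipfix = $vds.ExtensionData.Config.IpfixConfig
            $ip    = $ipfix.CollectorIpAddress
            $port  = $ipfix.CollectorPort

            # Only port groups with ipfixEnabled actually send flows to the collector
            $enabledPGs = @(Get-VDPortgroup -VDSwitch $vds |
                Where-Object { $_.ExtensionData.Config.DefaultPortConfig.IpfixEnabled.Value })

            $isApproved = [bool]($Approved |
                Where-Object { $_.Ip -eq $ip -and [int]$_.Port -eq [int]$port })

            [PSCustomObject]@{
                VDSwitch          = $vds.Name
                CollectorIp       = $ip
                CollectorPort     = $port
                NetflowPortGroups = ($enabledPGs | Select-Object -ExpandProperty Name) -join ','
                # Compliant when nothing exports, or when the collector is approved
                Compliant         = ($enabledPGs.Count -eq 0) -or $isApproved
            }
        }
    }
}

# Usage: show only switches exporting to an unapproved (or unset) collector
Get-VDSwitch | Test-VDSNetflowCollector -Approved $ApprovedCollectors |
    Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```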

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: System and Information Integrity. This control applies to the following type of system: VMware.


Updated on July 16, 2022
