
Prevent unintended use of dvfilter network APIs

Details

Confirm that the dvfilter API is not configured if it is not in use. If you are using virtual security appliances that leverage this API, then configuration may be necessary.

*Rationale*

If you are not using products that make use of the dvfilter network API (e.g. VMSafe), the host should not be configured to send network information to a VM. If the API is enabled, an attacker might attempt to connect a VM to it, thereby potentially providing access to the network of other VMs on the host. If you are using a product that makes use of this API then verify that the host has been configured correctly.

Solution

To implement the recommended configuration state, run the following PowerCLI command:

    # Set Net.DVFilterBindIpAddress to null on all hosts
    Get-VMHost HOST1 | Foreach { Set-VMHostAdvancedConfiguration -VMHost $_ -Name Net.DVFilterBindIpAddress -Value "" }

Impact: This will prevent a dvfilter-based network security appliance such as a firewall from functioning if not configured correctly.

Default Value: The prescribed state is the default state.
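
An added audit example (not part of the CIS benchmark text) for the verification described above: it flags hosts where Net.DVFilterBindIpAddress is set without an approved appliance, or is set to an unexpected address. The host names, addresses and the `$Approved` allow-list are constructed; the commented live-collection lines assume a connected PowerCLI session and use Get-AdvancedSetting, the newer counterpart of the *-VMHostAdvancedConfiguration cmdlets.

```powershell
# Added example: audit Net.DVFilterBindIpAddress against an allow-list.
# Hypothetical allow-list (constructed values): hosts running an approved
# dvfilter appliance, mapped to the bind address that appliance should use.
$Approved = @{ 'esx-dmz-01.example.test' = '169.254.0.10' }

function Test-DvFilterBinding {
    param(
        [Parameter(Mandatory)] [object[]] $Records,  # objects with HostName, Value
        [hashtable] $Approved = @{}
    )
    foreach ($r in $Records) {
        $value    = "$($r.Value)".Trim()
        $expected = $Approved[$r.HostName]
        $status = if (-not $value -and -not $expected) {
            'Compliant'          # unset and no appliance expected (benchmark default)
        } elseif ($value -and $value -eq $expected) {
            'Approved'           # set, and matches the documented appliance address
        } elseif ($value -and $expected) {
            'Mismatch'           # appliance host, but bound to an unexpected address
        } elseif ($value) {
            'Finding'            # API bound on a host with no approved appliance
        } else {
            'ApplianceUnbound'   # appliance expected, but the setting is empty
        }
        [pscustomobject]@{
            HostName = $r.HostName; Value = $value; Expected = $expected; Status = $status
        }
    }
}

# Constructed sample records so the logic can be exercised offline.
$records = @(
    [pscustomobject]@{ HostName = 'esx-app-01.example.test'; Value = '' }
    [pscustomobject]@{ HostName = 'esx-app-02.example.test'; Value = '169.254.0.50' }
    [pscustomobject]@{ HostName = 'esx-dmz-01.example.test'; Value = '169.254.0.10' }
)

# Live collection instead (assumes an existing Connect-VIServer session):
# $records = Get-VMHost | ForEach-Object {
#     [pscustomobject]@{
#         HostName = $_.Name
#         Value    = (Get-AdvancedSetting -Entity $_ -Name 'Net.DVFilterBindIpAddress').Value
#     }
# }

Test-DvFilterBinding -Records $records -Approved $Approved |
    Where-Object Status -notin 'Compliant', 'Approved' |
    Format-Table -AutoSize
```

With the constructed records, only esx-app-02.example.test is reported, with status Finding.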

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Access Control. This control applies to the following type of system: VMware.

Updated on July 16, 2022