The vCenter Server must only send NetFlow traffic to authorized collectors.

An XCCDF Rule

Description

<VulnDiscussion>The distributed virtual switch can export NetFlow information about traffic crossing the switch. NetFlow exports are not encrypted and can contain information about the virtual network, making it easier for a man-in-the-middle attack to be executed successfully. If NetFlow export is required, verify that all NetFlow target Internet Protocols (IPs) are correct.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-258938r961863_rule
Severity: Medium
References: CCI-000366
Updated: 17 days ago

To remove collector IPs, do the following:

From the vSphere Client, go to "Networking".

Select a distributed switch >> Configure >> Settings >> NetFlow.
Click "Edit".

Remove any unknown collector IPs.

or

From a PowerCLI command prompt while connected to the vCenter server, run the following commands:

$dvs = Get-VDSwitch dvswitch | Get-View
ForEach($vs in $dvs){
$spec = New-Object VMware.Vim.VMwareDVSConfigSpec
$spec.configversion = $vs.Config.ConfigVersion
$spec.IpfixConfig = New-Object VMware.Vim.VMwareIpfixConfig
$spec.IpfixConfig.CollectorIpAddress = ""
$spec.IpfixConfig.CollectorPort = "0"
$spec.IpfixConfig.ActiveFlowTimeout = "60"
$spec.IpfixConfig.IdleFlowTimeout = "15"
$spec.IpfixConfig.SamplingRate = "0"
$spec.IpfixConfig.InternalFlowsOnly = $False
$vs.ReconfigureDvs_Task($spec)
}

Note: This will reset the NetFlow collector configuration back to the defaults.

To disable NetFlow on a distributed port group, do the following:

From the vSphere Client, go to "Networking".

Select a distributed port group >> Configure >> Settings >> Policies.

Click "Edit".

Click the "Monitoring" tab.

Change "NetFlow" to "Disabled".

or

From a PowerCLI command prompt while connected to the vCenter server, run the following commands:

$pgs = Get-VDPortgroup | Get-View
ForEach($pg in $pgs){
$spec = New-Object VMware.Vim.DVPortgroupConfigSpec
$spec.configversion = $pg.Config.ConfigVersion
$spec.defaultPortConfig = New-Object VMware.Vim.VMwareDVSPortSetting
$spec.defaultPortConfig.ipfixEnabled = New-Object VMware.Vim.BoolPolicy
$spec.defaultPortConfig.ipfixEnabled.inherited = $false
$spec.defaultPortConfig.ipfixEnabled.value = $false
$pg.ReconfigureDVPortgroup_Task($spec)
}

The vCenter Server must only send NetFlow traffic to authorized collectors.

Description

Remediation - Manual Procedure