The vCenter Server must only send NetFlow traffic to authorized collectors.

An XCCDF Rule

Description

The distributed virtual switch can export NetFlow information about traffic crossing the switch. NetFlow exports are not encrypted and can contain information about the virtual network, making it easier for a man-in-the-middle attack to be executed successfully. If NetFlow export is required, verify that all NetFlow target Internet Protocols (IPs) are correct.

ID: SV-256351r885664_rule
Version: VCSA-70-000271
Severity: Medium
References: CCI-000366
Updated: about 2 months ago

Remediation Templates

To remove collector IPs, do the following:

From the vSphere Client, go to "Networking".

Select a distributed switch >> Configure >> Settings >> NetFlow.
Click "Edit".

Remove any unknown collector IPs.

or

From a PowerCLI command prompt while connected to the vCenter server, run the following commands:

$dvs = Get-VDSwitch dvswitch | Get-View
ForEach($vs in $dvs){
$spec = New-Object VMware.Vim.VMwareDVSConfigSpec
$spec.configversion = $vs.Config.ConfigVersion
$spec.IpfixConfig = New-Object VMware.Vim.VMwareIpfixConfig
$spec.IpfixConfig.CollectorIpAddress = ""
$spec.IpfixConfig.CollectorPort = "0"
$spec.IpfixConfig.ActiveFlowTimeout = "60"
$spec.IpfixConfig.IdleFlowTimeout = "15"
$spec.IpfixConfig.SamplingRate = "0"
$spec.IpfixConfig.InternalFlowsOnly = $False
$vs.ReconfigureDvs_Task($spec)
}

Note: This will reset the NetFlow collector configuration back to the defaults.

To disable NetFlow on a distributed port group, do the following:

From the vSphere Client, go to Networking.

Select a distributed port group >> Configure >> Settings >> Policies.

Click "Edit".

Click the "Monitoring" tab.

Change "NetFlow" to "Disabled".

or

From a PowerCLI command prompt while connected to the vCenter server, run the following commands:

$pgs = Get-VDPortgroup | Get-View
ForEach($pg in $pgs){
$spec = New-Object VMware.Vim.DVPortgroupConfigSpec
$spec.configversion = $pg.Config.ConfigVersion
$spec.defaultPortConfig = New-Object VMware.Vim.VMwareDVSPortSetting
$spec.defaultPortConfig.ipfixEnabled = New-Object VMware.Vim.BoolPolicy
$spec.defaultPortConfig.ipfixEnabled.inherited = $false
$spec.defaultPortConfig.ipfixEnabled.value = $false
$pg.ReconfigureDVPortgroup_Task($spec)
}

The vCenter Server must only send NetFlow traffic to authorized collectors.

Description

Remediation Templates

A Manual Procedure