The vCenter Server must only send NetFlow traffic to authorized collectors.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-243085	VCTR-67-000016	SV-243085r719498_rule		Medium

Description
The distributed virtual switch can export NetFlow information about traffic crossing the switch. NetFlow exports are not encrypted and can contain information about the virtual network, making it easier for a MitM attack to be executed successfully. If NetFlow export is required, verify that all NetFlow target IPs are correct.

STIG	Date
VMware vSphere 6.7 vCenter Security Technical Implementation Guide	2021-04-16

Details

Check Text ( C-46360r719496_chk )
To view NetFlow Collector IPs configured on distributed switches: From the vSphere Client, go to Networking >> select a distributed switch >> Configure >> Settings >> NetFlow. View the NetFlow pane and verify that any collector IP addresses are valid and in use for troubleshooting. or From a PowerCLI command prompt while connected to the vCenter server, run the following command: Get-VDSwitch \| select Name,@{N="NetFlowCollectorIPs";E={$_.ExtensionData.config.IpfixConfig.CollectorIpAddress}} To view if NetFlow is enabled on any distributed port groups: From the vSphere Client, go to Networking >> select a distributed port group >> Manage >> Settings >> Policies. Go to Monitoring and view the NetFlow status. or From a PowerCLI command prompt while connected to the vCenter server, run the following command: Get-VDPortgroup \| select Name,VirtualSwitch,@{N="NetFlowEnabled";E={$_.Extensiondata.Config.defaultPortConfig.ipfixEnabled.Value}} If NetFlow is configured and the collector IP is not known and documented, this is a finding.

Check Text ( C-46360r719496_chk )

To view NetFlow Collector IPs configured on distributed switches:

From the vSphere Client, go to Networking >> select a distributed switch >> Configure >> Settings >> NetFlow.

View the NetFlow pane and verify that any collector IP addresses are valid and in use for troubleshooting.

or

From a PowerCLI command prompt while connected to the vCenter server, run the following command:

Get-VDSwitch | select Name,@{N="NetFlowCollectorIPs";E={$_.ExtensionData.config.IpfixConfig.CollectorIpAddress}}

To view if NetFlow is enabled on any distributed port groups:

From the vSphere Client, go to Networking >> select a distributed port group >> Manage >> Settings >> Policies.

Go to Monitoring and view the NetFlow status.

or

From a PowerCLI command prompt while connected to the vCenter server, run the following command:

Get-VDPortgroup | select Name,VirtualSwitch,@{N="NetFlowEnabled";E={$_.Extensiondata.Config.defaultPortConfig.ipfixEnabled.Value}}

If NetFlow is configured and the collector IP is not known and documented, this is a finding.

Fix Text (F-46317r719497_fix)
To remove collector IPs: From the vSphere Client, go to Networking >> select a distributed switch >> Configure >> Settings >> NetFlow. Click "Edit" and remove any unknown collector IPs. or From a PowerCLI command prompt while connected to the vCenter server, run the following commands: $dvs = Get-VDSwitch dvswitch \| Get-View ForEach($vs in $dvs){ $spec = New-Object VMware.Vim.VMwareDVSConfigSpec $spec.configversion = $vs.Config.ConfigVersion $spec.IpfixConfig = New-Object VMware.Vim.VMwareIpfixConfig $spec.IpfixConfig.CollectorIpAddress = "" $spec.IpfixConfig.CollectorPort = "0" $spec.IpfixConfig.ActiveFlowTimeout = "60" $spec.IpfixConfig.IdleFlowTimeout = "15" $spec.IpfixConfig.SamplingRate = "0" $spec.IpfixConfig.InternalFlowsOnly = $False $vs.ReconfigureDvs_Task($spec) } Note: This will reset the NetFlow collector configuration back to the defaults. To disable NetFlow on a distributed port group: From the vSphere Client, go to Networking >> select a distributed port group >> Manage >> Settings >> Policies. Go to "Monitoring" and change "NetFlow" to disabled. or From a PowerCLI command prompt while connected to the vCenter server, run the following commands: $pgs = Get-VDPortgroup \| Get-View ForEach($pg in $pgs){ $spec = New-Object VMware.Vim.DVPortgroupConfigSpec $spec.configversion = $pg.Config.ConfigVersion $spec.defaultPortConfig = New-Object VMware.Vim.VMwareDVSPortSetting $spec.defaultPortConfig.ipfixEnabled = New-Object VMware.Vim.BoolPolicy $spec.defaultPortConfig.ipfixEnabled.inherited = $false $spec.defaultPortConfig.ipfixEnabled.value = $false $pg.ReconfigureDVPortgroup_Task($spec) }

Fix Text (F-46317r719497_fix)

To remove collector IPs:

From the vSphere Client, go to Networking >> select a distributed switch >> Configure >> Settings >> NetFlow.

Click "Edit" and remove any unknown collector IPs.

or

From a PowerCLI command prompt while connected to the vCenter server, run the following commands:

$dvs = Get-VDSwitch dvswitch | Get-View
ForEach($vs in $dvs){
$spec = New-Object VMware.Vim.VMwareDVSConfigSpec
$spec.configversion = $vs.Config.ConfigVersion
$spec.IpfixConfig = New-Object VMware.Vim.VMwareIpfixConfig
$spec.IpfixConfig.CollectorIpAddress = ""
$spec.IpfixConfig.CollectorPort = "0"
$spec.IpfixConfig.ActiveFlowTimeout = "60"
$spec.IpfixConfig.IdleFlowTimeout = "15"
$spec.IpfixConfig.SamplingRate = "0"
$spec.IpfixConfig.InternalFlowsOnly = $False
$vs.ReconfigureDvs_Task($spec)
}

Note: This will reset the NetFlow collector configuration back to the defaults.

To disable NetFlow on a distributed port group:

From the vSphere Client, go to Networking >> select a distributed port group >> Manage >> Settings >> Policies.

Go to "Monitoring" and change "NetFlow" to disabled.

or

From a PowerCLI command prompt while connected to the vCenter server, run the following commands:

$pgs = Get-VDPortgroup | Get-View
ForEach($pg in $pgs){
$spec = New-Object VMware.Vim.DVPortgroupConfigSpec
$spec.configversion = $pg.Config.ConfigVersion
$spec.defaultPortConfig = New-Object VMware.Vim.VMwareDVSPortSetting
$spec.defaultPortConfig.ipfixEnabled = New-Object VMware.Vim.BoolPolicy
$spec.defaultPortConfig.ipfixEnabled.inherited = $false
$spec.defaultPortConfig.ipfixEnabled.value = $false
$pg.ReconfigureDVPortgroup_Task($spec)
}