STIGQter STIGQter: STIG Summary: VMware vSphere 6.5 vCenter Server for Windows Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 24 Jan 2020: The vCenter Server for Windows must only send NetFlow traffic to authorized collectors.

DISA Rule

SV-104573r1_rule

Vulnerability Number

V-94743

Group Title

SRG-APP-000516

Rule Version

VCWN-65-000016

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

To remove collector IPs do the following:
From the vSphere Web Client go to Networking >> Select a distributed switch >> Configure >> Settings >> NetFlow. Click edit and remove any unknown collector IPs.

or

From a PowerCLI command prompt while connected to the vCenter server run the following commands:
$dvs = Get-VDSwitch dvswitch | Get-View
ForEach($vs in $dvs){
$spec = New-Object VMware.Vim.VMwareDVSConfigSpec
$spec.configversion = $vs.Config.ConfigVersion
$spec.IpfixConfig = New-Object VMware.Vim.VMwareIpfixConfig
$spec.IpfixConfig.CollectorIpAddress = ""
$spec.IpfixConfig.CollectorPort = "0"
$spec.IpfixConfig.ActiveFlowTimeout = "60"
$spec.IpfixConfig.IdleFlowTimeout = "15"
$spec.IpfixConfig.SamplingRate = "0"
$spec.IpfixConfig.InternalFlowsOnly = $False
$vs.ReconfigureDvs_Task($spec)
}

Note: This will reset the NetFlow collector configuration back to the defaults.

To disable NetFlow on a distributed port group do the following:
From the vSphere Web Client go to Networking >> Select a distributed port group >> Manage >> Settings >> Policies. Go to Monitoring and change NetFlow to disabled.

or

From a PowerCLI command prompt while connected to the vCenter server run the following commands:
$pgs = Get-VDPortgroup | Get-View
ForEach($pg in $pgs){
$spec = New-Object VMware.Vim.DVPortgroupConfigSpec
$spec.configversion = $pg.Config.ConfigVersion
$spec.defaultPortConfig = New-Object VMware.Vim.VMwareDVSPortSetting
$spec.defaultPortConfig.ipfixEnabled = New-Object VMware.Vim.BoolPolicy
$spec.defaultPortConfig.ipfixEnabled.inherited = $false
$spec.defaultPortConfig.ipfixEnabled.value = $false
$pg.ReconfigureDVPortgroup_Task($spec)
}

Check Contents

To view NetFlow Collector IPs configured on distributed switches:
From the vSphere Web Client go to Networking >> Select a distributed switch >> Configure >> Settings >> NetFlow. View the NetFlow pane and verify any collector IP addresses are valid and in use for troubleshooting.

or

From a PowerCLI command prompt while connected to the vCenter server run the following command:
Get-VDSwitch | select Name,@{N="NetFlowCollectorIPs";E={$_.ExtensionData.config.IpfixConfig.CollectorIpAddress}}
----
To view if NetFlow is enabled on any distributed port groups:
From the vSphere Web Client go to Networking >> Select a distributed port group >> Manage >> Settings >> Policies. Go to Monitoring and view the NetFlow status.

or

From a PowerCLI command prompt while connected to the vCenter server run the following command:
Get-VDPortgroup | Select Name,VirtualSwitch,@{N="NetFlowEnabled";E={$_.Extensiondata.Config.defaultPortConfig.ipfixEnabled.Value}}

If NetFlow is configured and the collector IP is not known and is not enabled temporarily for troubleshooting purposes, this is a finding.

Vulnerability Number

V-94743

Documentable

False

Rule Version

VCWN-65-000016

Severity Override Guidance

To view NetFlow Collector IPs configured on distributed switches:
From the vSphere Web Client go to Networking >> Select a distributed switch >> Configure >> Settings >> NetFlow. View the NetFlow pane and verify any collector IP addresses are valid and in use for troubleshooting.

or

From a PowerCLI command prompt while connected to the vCenter server run the following command:
Get-VDSwitch | select Name,@{N="NetFlowCollectorIPs";E={$_.ExtensionData.config.IpfixConfig.CollectorIpAddress}}
----
To view if NetFlow is enabled on any distributed port groups:
From the vSphere Web Client go to Networking >> Select a distributed port group >> Manage >> Settings >> Policies. Go to Monitoring and view the NetFlow status.

or

From a PowerCLI command prompt while connected to the vCenter server run the following command:
Get-VDPortgroup | Select Name,VirtualSwitch,@{N="NetFlowEnabled";E={$_.Extensiondata.Config.defaultPortConfig.ipfixEnabled.Value}}

If NetFlow is configured and the collector IP is not known and is not enabled temporarily for troubleshooting purposes, this is a finding.

Check Content Reference

M

Target Key

3487

Comments