When a focus network is specified via the networks keyword, only one side of a session needs to match the list. For example, if you have a DMZ that is part of the focus network list, Industrial Security reports on vulnerabilities of the web server there, but not on web clients visiting from outside the network. However, a web browser within the DMZ visiting the same web server is reported.
In the diagram above, three sessions labeled A, B, and C are shown communicating to, from, and inside a focus network. In session A, Industrial Security analyzes only those vulnerabilities observed on the server inside the focus network and does not report client-side vulnerabilities. In session B, Industrial Security ignores vulnerabilities on the destination server, but reports client-side vulnerabilities. In session C, both client and server vulnerabilities are reported.
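The rule for sessions A, B, and C can be modeled in a few lines. This is an added illustration, not Industrial Security's own code; the function names and the addresses (documentation ranges) are assumptions chosen for the example.

```python
import ipaddress

# Constructed focus network list, standing in for the value of the
# networks keyword. 192.0.2.0/24 plays the role of the DMZ.
FOCUS_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]


def in_focus(addr, networks=FOCUS_NETWORKS):
    """True if addr falls inside any focus network."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in networks)


def reported_sides(client, server, networks=FOCUS_NETWORKS):
    """Return the sides of a session whose vulnerabilities are reported.

    Only a side that lies inside a focus network is reported; the other
    side of the same session is ignored.
    """
    sides = set()
    if in_focus(client, networks):
        sides.add("client")
    if in_focus(server, networks):
        sides.add("server")
    return sides


# Constructed sessions as (client, server) pairs, labeled as in the text.
SESSIONS = {
    "A": ("198.51.100.7", "192.0.2.10"),   # outside client -> focus server
    "B": ("192.0.2.25", "203.0.113.80"),   # focus client -> outside server
    "C": ("192.0.2.25", "192.0.2.10"),     # both ends inside the focus network
    "outside": ("198.51.100.7", "203.0.113.80"),  # neither end matches
}


def classify_all(sessions=SESSIONS, networks=FOCUS_NETWORKS):
    """Map each session label to the set of reported sides."""
    return {label: reported_sides(c, s, networks)
            for label, (c, s) in sessions.items()}


if __name__ == "__main__":
    for label, sides in classify_all().items():
        print(label, sorted(sides) or "nothing reported")
```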
There is another filter that Industrial Security uses while looking for unique sessions. This is a dependency that requires the host to run a major service. These dependencies are defined by a list of Industrial Security plugin IDs that identify SSL, FTP, and several dozen other services.
Finally, the entire process of detecting these sessions can be filtered by specific network ranges and ports. For example, if a university ran a public FTP server that had thousands of downloads each hour, they may want to disable interactive sessions on port 21 on that FTP server. Similarly, disabling encryption detection on ports such as 22 and 443 also eliminates some noise for Industrial Security.