Focus Network

When a focus network is specified via the Monitored Networks IP Addresses and Ranges configuration parameter, only one side of a session needs to match an entry in the list for the session to be considered, and each side is reported only if it is inside the focus network. For example, if you have a DMZ that is part of the focus network list, Tenable Nessus Network Monitor reports on vulnerabilities of the web server there, but not on web clients visiting from outside the network. However, a browser within the DMZ visiting the same web server is reported.

In the diagram above, three sessions labeled A, B, and C are shown communicating to, from, and inside a focus network. In session A, Tenable Nessus Network Monitor analyzes only those vulnerabilities observed on the server inside the focus network and does not report client-side vulnerabilities. In session B, Tenable Nessus Network Monitor ignores vulnerabilities on the destination server, but reports client-side vulnerabilities. In session C, both client and server vulnerabilities are reported.

Tenable Nessus Network Monitor applies another filter while looking for unique sessions: the host must be running a major service. These dependencies are defined by a list of Tenable Nessus Network Monitor plugin IDs that identify SSL, FTP, and several dozen other services.

Finally, the entire process of detecting these sessions can be filtered by specific network ranges and ports. For example, if a university ran a public FTP server that had thousands of downloads each hour, it may want to disable interactive session detection on port 21 on that FTP server. Similarly, disabling encryption detection on ports such as 22 and 443 also eliminates some noise for Tenable Nessus Network Monitor.
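The following is an added illustration of the two rules described above (the per-side focus network reporting of sessions A, B and C, and the range/port filter on session detection); it is not Tenable Nessus Network Monitor's own code. The focus list, the exclusion table and all addresses are constructed, hypothetical values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed focus network list (hypothetical values standing in for the
# "Monitored Networks IP Addresses and Ranges" parameter): a DMZ plus one host.
FOCUS_NETWORKS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.40/32")]

# Constructed range/port exclusions per detector (hypothetical representation
# of the filter described in the text): no interactive-session detection on the
# busy FTP server, no encryption detection on SSH/HTTPS ports anywhere.
ANY = ip_network("0.0.0.0/0")
DETECTION_EXCLUSIONS = {
    "interactive": [(ip_network("192.0.2.21/32"), 21)],
    "encryption": [(ANY, 22), (ANY, 443)],
}


def in_focus(ip: str) -> bool:
    """True if the address lies inside any configured focus network or range."""
    addr = ip_address(ip)
    return any(addr in net for net in FOCUS_NETWORKS)


@dataclass(frozen=True)
class SessionReport:
    report_server_side: bool  # server-side vulnerabilities are reported
    report_client_side: bool  # client-side vulnerabilities are reported


def classify_session(client_ip: str, server_ip: str) -> Optional[SessionReport]:
    """Decide which side of a session is reported.

    Only one side needs to match the focus list for the session to be
    considered; each side is then reported only if it is itself inside the
    focus network (sessions A, B and C described in the text).
    """
    server_in, client_in = in_focus(server_ip), in_focus(client_ip)
    if not (server_in or client_in):
        return None  # neither side monitored: the session is ignored entirely
    return SessionReport(report_server_side=server_in, report_client_side=client_in)


def detection_enabled(detector: str, server_ip: str, port: int) -> bool:
    """Apply the range/port filter to one detector (interactive, encryption, ...)."""
    addr = ip_address(server_ip)
    return not any(addr in net and port == p
                   for net, p in DETECTION_EXCLUSIONS.get(detector, []))
```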