Python is a word of many meanings. For some, the word may evoke thoughts of snakes or Monty Python. However, in networking, Python refers to a common programming language.
Organizations use the Python language for scripting advanced tasks, such as fortifying a network against breaches or other security incidents. Python fluency has become an increasingly popular skill for network engineers because Python skills can benefit network security, as well as network traffic analysis and the development of monitoring tools, said José Manuel Ortega, a security researcher and author.
Ortega's book Mastering Python for Networking and Security, which is available now from publisher Packt, delves into best practices for network security and network traffic analysis with Python scripting.
Editor's note: The following interview was edited for length and clarity.
How has network traffic analysis changed over the years?
José Manuel Ortega: Most networks use broadcasting technology, which means each packet that a device transmits over the network can be read by any other device connected to the network. Through network traffic analysis, we can intercept packets exchanged between two hosts and know details of systems that intervene in the communication.
At this point, it is important to know how protocols work and how packet information transmits at different layers. In addition, new protocols, such as NetFlow, developed by Cisco, have emerged and become standard for the implementation of IP traffic flow analysis.
What common traffic and security issues can Python address?
Ortega: The most attractive benefit of Python is it can create networking tools. We could implement our own port scanner and traceroute commands with the Scapy Python module. This module [enables engineers to] create and modify various types of network packets, implement functions to capture and sniff packets, and execute actions on these packets.
Also, we could automate the analysis of PCAP (Packet Capture) files that contain results of sniffing network traffic with network traffic analysis tools, such as Wireshark, TCPdump and Ettercap. All these tools perfectly complement Python and provide a more complete service at a graphical level.
We could use Python for network forensic tasks -- for example, to detect SQL injection attacks or extract FTP credentials from a server. With the Scapy Python module, we could analyze networks packets and detect whether an attacker performs a SQL injection in a web application. We could listen in real time to traffic the application generates, and we could identify when, where and how the attacker performs the SQL injection.
How can network engineers merge Python traffic analysis with existing network security and network traffic analysis?
Ortega: When we analyze network traffic with tools such as Wireshark, TCPdump and Ettercap, we have the option to export data analysis to PCAP files. The network engineer could use Python to automate file analysis, create sniffer functions that count packets for specific protocols or detect anomalous traffic using Python modules with machine learning models, like Scikit-learn. With machine learning techniques, we could identify network security threats in real time using anomaly detection.
In 2019, professionals with experience in this field are in demand because Python is a popular language among big technology companies. Within the scope of Python security, it is the most used language to develop tools, from penetration tests to vulnerability analysis and exploitation. Tools used worldwide dedicated to cybersecurity, such as SQLmap, are developed in this language.
Network security analysis usually focuses on securing network infrastructure. From that point of view, we can use Python to develop most tasks related to security automation, risk classification and vulnerability identification. We could use cybersecurity skills to complement network security analysis, so professionals who need to deepen network security have the most important knowledge of risk management and identification of vulnerabilities in changing environments.
How have best practices for network traffic analysis changed over time?
Ortega: Best practices for network traffic analysis often relate to working with and understanding how to use a traffic analysis tool, such as Wireshark or TCPdump. It is important to know the filters these tools offer to export data to other formats, and in general, all those functionalities explore packages quickly. For example, Wireshark has a tool called Tshark that can parse PCAP files without opening them directly, so you can process big data captures.
These tools have evolved in recent years as others emerged, such as Nagios and Zabbix. These tools are more oriented to monitoring network services -- such as SMTP [Simple Mail Transfer Protocol], POP3 [Post Office Protocol 3], HTTP and SNMP [Simple Network Management Protocol] -- and monitoring resources of hardware systems, including processor load, disk usage, memory and port status.
Python is one of the preferred languages for network programming. Its easy syntax and number of predetermined modules as third parties make it one of the first options when IT teams want to develop a project related to network programming. We have modules for working with sockets at low levels and network requests that create scripts that enable us to perform a port scanner or test a third-party API to get information from a specific service.