Skip to content Skip to navigation Skip to footer

Protecting Backhaul for 4G/5G Radio Access Network

Securing 4G's S1/X2 and 5G's N2/N3/Xn Interfaces

Radio Access Networks (RANs) to Evolved Packet Core (EPC) and 5G-NGC Security Challenges

The "flat" packet-based architectures of 4G and upcoming 5G have potentially increased the mobile infrastructure’s exposure to cyber attacks with end-to-end IP core infrastructure. The elimination of the radio network controller (RNC) has resulted in a direct and unprotected signaling of user plane paths between RANs and the EPC in 4G/4.5G and between NG-RANs and 5G-NGC. In 4G/4.5G, this may result in Stream Control Transmission Protocol (SCTP)-based attacks to manipulate mobile management entity (MME) functions and/or GPRS Tunneling Protocol (GTP)-based attacks to manipulate serving gateway (sGW) functions.

In 5G for example, this can result in access management function (AMF), session management function (SMF), and user plane function (UPF) manipulation. Similar types of attacks can be carried out on both X2/Xn control and data planes, resulting in possible service denial and rogue RANs. The 3rd Generation Partnership Project (3GPP) recommends the use of security gateways (SecGWs) to handle IPsec tunnels between RANs and EPC/5G-NGC for the communication of S1/X2 and N2/N3/Xn traffic.



FortiGate Secure Gateway Implementation For 4G S1/X2 and 5G N2/N3/XN Interfaces

Implemented as a VNF or as a physical appliance (PNF), FortiGate enables a complete set of SecGW functionalities targeting possible attacks and manipulation of 4G and 5G RANs to EPC/NGC interfaces (S1/X2 and N2/N3) including:

  1. High-performance stateful firewalling and content inspection
  2. SCTP and GTP firewall
  3. Quality of service (QoS) support, including traffic rate limiting and queuing
  4. DoS protection
  5. High-performance IPsec VPN concentrator
  6. RANs to EPC/NGC authentication support
  7. ESP and IKEv2 support
  8. SCTP multi-homing support

FortiGates for this use case can be implemented only at the network edge or in a more distributed SecGW architecture at the RAN level to ensure both security and low latency X2/Xn traffic.


FortiGate deployment on physical or virtual networks

Physical Appliance (PNF) or Virtual Network Function (VNF)

FortiGate SecGW can be implemented as a PNF with high availability (HA) and the highest proven scalability. Fortinet’s custom security processors provide hardware acceleration to meet today and tomorrow’s traffic and session volume with minimum latency and no compromise on the depth and range of the delivered security services.

The same capabilities are provided by FortiGate virtual machines (VMs) acting as VNFs, with the industry’s smallest footprint and fastest boot time, providing a unique consolidated security NGFW & UTM VNF for 4G/4.5G and 5G environments. Dynamic and massive auto scaling is achieved via proven integration with software-defined networking (SDN) and European Telecommunications Standards Institute (ETSI) NFV management and orchestration (MANO)  platforms such as Amdocs, Ciena’s Blue Planet, HPE, Ericsson, Nokia, Cisco, more.

SDN integration via Fortinet SDN Connectors

SDN Integration

Fortinet technology and Fabric-Ready Partner programs ensure SDN integration via Fortinet SDN Connectors and Fortinet APIs (available via the Fortinet Developer Network). These include integration with Nuage Networks, Cisco ACI, and VMware NSX.