The BroadForward Security Edge Protection Proxy (BroadForward SEPP) enables secure interconnect between 5G networks. The SEPP ensures end-to-end confidentiality and/or integrity between source and destination network for all 5G interconnect roaming messages.
5G interconnect: achieving end-to-end confidentiality and integrity
The BroadForward SEPP enables operators to achieve end-to-end confidentiality and integrity between source and destination network for designated message elements. The 5G standards (e.g. 3GPP TS 23.501 and TS 23.502) stipulate that a SEPP is a mandatory function for MNO interconnect for roaming between standalone 5G cores.
Following the 3GPP 5G security specifications TS 33.501 and TS 29.573 the SEPP provides:
- A separate control interface for negotiating security with the peer SEPP (N32-c, carried over TLS) and a forwarding interface for the application traffic itself (N32-f) that is protected end to end at the application layer
- Encapsulation of HTTP/2 core signaling messages into reformatted N32-f messages with JOSE (JWE/JWS) protection
- Operator control of security per roaming partner (via a key library)
- Trusted intermediary IPX nodes can read, and where agreed modify, specific IEs; modifications are appended as IPX-signed JSON Patch entries rather than applied in place, while sensitive IEs stay encrypted end to end
Whereas the 4G Diameter Edge Agent (DEA) provides hop-by-hop transport security at best (TLS or IPsec between adjacent nodes, so every intermediate hop sees cleartext), the SEPP adds end-to-end application-level security. This greatly improves security in interconnect scenarios between (5G) networks: as a message traverses multiple (external) hops to another network, encrypted elements cannot be read, and integrity-protected elements cannot be altered without detection, unless the modification was agreed in advance with the MNO. Operators (MNOs) control which JSON information elements are readable or non-readable (encrypted) and which elements may be manipulated at the intermediate IPX crossings. This control is provided using JSON Web Encryption (JWE), JSON Web Signature (JWS) and the ability to specify which information elements can be modified by the IPXs. An IPX signs its modifications with its own private key; the SEPPs hold the corresponding public keys (exchanged over N32-c) to verify those signatures and accept only changes to the agreed elements.
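The receiving-side checks described above, and the JSON Patch mediation mentioned in the feature list, as an added example that is not BroadForward code and not taken from 3GPP: the sending SEPP integrity-protects the reformatted payload, an IPX appends JSON Patch operations that it signs itself, and the receiving SEPP verifies the sender's signature, verifies each IPX entry against the key registered for that IPX, and rejects any operation on a path that IPX is not allowed to touch. Two simplifications are assumptions of this example only: HMAC-SHA256 stands in for JWS (the standard uses asymmetric JWS with IPX public keys), and the ciphered block is an opaque string standing in for a JWE object. The message body, IPX names and keys are constructed demo values.

```python
"""Added example: receiving-SEPP enforcement of N32-f IPX modifications.
HMAC-SHA256 stands in for JWS; the ciphered block is an opaque stand-in for JWE.
All identifiers, keys and message contents are constructed demo values."""
import base64
import hashlib
import hmac
import json
from copy import deepcopy


def canonical(obj) -> bytes:
    # Deterministic serialisation so signer and verifier hash the same bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def mac(key: bytes, data: bytes) -> str:
    # Stand-in for a JWS signature (assumption: symmetric key instead of ES256).
    digest = hmac.new(key, data, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def sepp_protect(clear: dict, enc_opaque: str, sepp_key: bytes) -> dict:
    # Sending SEPP: reformatted message with an IPX-readable block and a
    # ciphered block, integrity-protected together; no modifications yet.
    reformatted = {"dataToIntegrityProtect": deepcopy(clear),
                   "dataToIntegrityProtectAndCipher": enc_opaque}
    return {"reformattedData": reformatted,
            "sig": mac(sepp_key, canonical(reformatted)),
            "modifications": []}


def ipx_modify(msg: dict, ipx_id: str, ipx_key: bytes, ops: list) -> None:
    # IPX appends an RFC 6902 patch signed over the previous signature, so the
    # chain order is bound and entries cannot be dropped or reordered silently.
    prev_sig = msg["modifications"][-1]["sig"] if msg["modifications"] else msg["sig"]
    body = {"ipxId": ipx_id, "operations": ops}
    msg["modifications"].append(
        {**body, "sig": mac(ipx_key, prev_sig.encode() + canonical(body))})


def apply_patch(doc: dict, ops: list) -> dict:
    # Minimal RFC 6902 (add/replace/remove on object paths); rejects bad paths.
    doc = deepcopy(doc)
    for op in ops:
        parts = op["path"].strip("/").split("/")
        parent = doc
        for part in parts[:-1]:
            if not isinstance(parent, dict) or part not in parent:
                raise ValueError(f"invalid path {op['path']}")
            parent = parent[part]
        leaf = parts[-1]
        if op["op"] == "replace" and leaf not in parent:
            raise ValueError(f"replace on missing path {op['path']}")
        if op["op"] in ("add", "replace"):
            parent[leaf] = op["value"]
        elif op["op"] == "remove":
            del parent[leaf]
        else:
            raise ValueError(f"unsupported op {op['op']}")
    return doc


def sepp_verify(msg: dict, sender_key: bytes, ipx_keys: dict, policy: dict) -> dict:
    """Receiving SEPP: return the cleartext block with only authorised IPX
    modifications applied, or raise ValueError on any violation."""
    reformatted = msg["reformattedData"]
    if not hmac.compare_digest(msg["sig"], mac(sender_key, canonical(reformatted))):
        raise ValueError("sender SEPP signature invalid")
    clear = reformatted["dataToIntegrityProtect"]
    prev_sig = msg["sig"]
    for entry in msg["modifications"]:
        ipx = entry["ipxId"]
        if ipx not in ipx_keys:
            raise ValueError(f"unknown IPX {ipx}")
        body = {"ipxId": ipx, "operations": entry["operations"]}
        expected = mac(ipx_keys[ipx], prev_sig.encode() + canonical(body))
        if not hmac.compare_digest(entry["sig"], expected):
            raise ValueError(f"IPX {ipx} signature invalid")
        # Patches only ever target the cleartext block, so the ciphered block is
        # unreachable; the per-IPX allow-list limits which cleartext IEs it may touch.
        for op in entry["operations"]:
            if op["path"] not in policy.get(ipx, set()):
                raise ValueError(f"IPX {ipx} not allowed to modify {op['path']}")
        clear = apply_patch(clear, entry["operations"])
        prev_sig = entry["sig"]
    return clear


# Constructed sample data (demo keys, not real credentials or captured traffic).
SEPP_KEY = b"demo-sending-sepp-key"
IPX_KEYS = {"ipx-a": b"demo-ipx-a-key", "ipx-b": b"demo-ipx-b-key"}
POLICY = {"ipx-a": {"/servingNetworkName"}}          # agreed modifiable IEs per IPX
CLEAR = {"servingNetworkName": "5G:mnc001.mcc001.3gppnetwork.org", "supportedFeatures": "0"}
ENC = "JWE(<SUPI and other ciphered IEs>)"          # opaque stand-in for a JWE object


def run_authorised() -> dict:
    msg = sepp_protect(CLEAR, ENC, SEPP_KEY)
    ipx_modify(msg, "ipx-a", IPX_KEYS["ipx-a"], [
        {"op": "replace", "path": "/servingNetworkName",
         "value": "5G:mnc002.mcc001.3gppnetwork.org"}])
    return sepp_verify(msg, SEPP_KEY, IPX_KEYS, POLICY)


def run_unauthorised() -> str:
    msg = sepp_protect(CLEAR, ENC, SEPP_KEY)
    ipx_modify(msg, "ipx-b", IPX_KEYS["ipx-b"],
               [{"op": "replace", "path": "/supportedFeatures", "value": "FFFF"}])
    try:
        sepp_verify(msg, SEPP_KEY, IPX_KEYS, POLICY)
    except ValueError as err:
        return str(err)
    return "accepted"


def run_tampered() -> str:
    # An on-path party edits a cleartext IE directly instead of via a signed patch.
    msg = sepp_protect(CLEAR, ENC, SEPP_KEY)
    msg["reformattedData"]["dataToIntegrityProtect"]["supportedFeatures"] = "FFFF"
    try:
        sepp_verify(msg, SEPP_KEY, IPX_KEYS, POLICY)
    except ValueError as err:
        return str(err)
    return "accepted"


if __name__ == "__main__":
    print(run_authorised())
    print(run_unauthorised())
    print(run_tampered())
```

The point the example makes is that the allow-list and the signature chain are checked before any patch is applied, so an IPX that is known but not authorised for an element, or an in-place edit by anyone, is rejected before the message reaches the core; only the agreed element from the agreed IPX goes through.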
The BroadForward SEPP offers unique flexibility through an extensive, integrated set of routing and service creation capabilities. The BroadForward SEPP supports the relevant standards as well as HTTP/2 based signaling scenarios. The BroadForward SEPP is a single engine software product design – not an afterthought, project, or patchwork solution – enabling operators to achieve consolidation of network functions, operations, management and licenses:
- The BroadForward SEPP is a 100% software solution by design
- On-board session database for key negotiation state
- On-board non-volatile database for key repository/storage
- Flexible routing on any parameter (non-encrypted for IPX SEPP)
- Powerful (any-to-any) interworking across all supported protocols (including SS7, Diameter, RADIUS, HTTP, LDAP, ENUM, etc.)
- Single view, reporting, GUI based management, provisioning
- License mix across all supported protocols, not just HTTP/2
- Single IT integration (provisioning, lookups, reporting, number portability, etc.)
- Support for the N32-f and the N32-c interface
- Support for PRINS (PRotocol for N32 INterconnect Security, JWE/JWS) – please note there are ongoing standardization developments
- Support for transport layer security (TLS)
- Support for security key management and lookup
- Support for including message modification instructions as JSON Patch (RFC 6902) operations
- Support for remote SEPP authorization/authentication
- Support for malformed N32 messages detection
- Support for anti-spoofing
- Support for topology hiding
- Support for load balancing
- Support for Egress/Ingress limitation
- Support for highly available and geo-redundant deployment models
- Full GUI based signaling orchestration and system management, configurable service logic, no need for scripting or development
- Optional (on-board) support for:
Combining network functions
The BroadForward SEPP runs on a unique single engine software design, allowing operators to combine multiple functions on the same platform. This provides many benefits, such as:
- Reduction of integration points, and on-board capability for interworking and interoperability
- Centralized and uniform IT integration, signaling management, configuration, provisioning, subscriber management, reporting and control
- Centralized and uniform use of common network applications (e.g. firewall, number portability, steering of roaming)
- Easy to operate, uniform operations across domains
- Single capacity license with free traffic mix across supported protocols
Hardware-agnostic solution, supporting Kubernetes, NFV
The BroadForward SEPP runs on any off-the-shelf hardware or in a virtualized environment. It is a 100% software-based solution, hardware-agnostic, and supports virtualization and cloud deployment (VMware, KVM, Amazon, Azure etc.) as well as containerized application deployment (Docker, Kubernetes, OpenShift). The BroadForward SEPP does not rely on specialist hardware or proprietary operating systems. The ability to deploy the BroadForward SEPP on a common (shared) platform supports operators and vendors in migrating away from proprietary appliance systems to a standards-based, hardware-agnostic, software-only infrastructure.