Security Edge Protection Proxy (SEPP)

The BroadForward Security Edge Protection Proxy (BroadForward SEPP) enables secure interconnect between 5G networks. The SEPP ensures end-to-end confidentiality and/or integrity between the source and destination networks for all 5G interconnect roaming messages.

BroadForward SEPP

The BroadForward SEPP is an industry-leading software solution offering operators a cutting-edge 5G network function tailored for edge services, including interconnect routing. The BroadForward SEPP powered the world’s first 5G Standalone Roaming connection.

The SEPP is built upon the BFX framework, a robust and award-winning signaling architecture boasting over a decade of demonstrated excellence in the 3G and 4G core network functions. By design it includes support for the BroadForward STP and DRA/DEA, and it ensures the BroadForward SEPP can guarantee a smooth migration to 5G. Operators familiar with the BFX software architecture will recognize the graphical user interface and innovative BFX features, such as conversion and list profiles, empowering operators to continue their operational excellence in the 5G landscape.


The BroadForward SEPP is delivered as a turnkey software solution and adheres to the latest security standards defined in the 3GPP specifications, incorporating TLS security up to version 1.3 and OAuth2 support for peer authentication. The BroadForward SEPP is a 100% software solution by design including support for:

  • NRF registration for SEPP
  • N32c interface support with TLS
  • N32f interface support with TLS
  • Dynamic peer discovery via DNS for remote SEPP service
  • NRF service discovery, subscription and notification
  • OAuth2 support for peer authentication
  • Certificate management (creation, upload/download, validity checking)
  • Flexible routing on any parameter (non-encrypted for IPX SEPP)
  • Support for Outsourced-SEPP and Hosted-SEPP (GSMA NG.113 multi-tenancy environment)
  • Support for transport layer security (TLS) up to version 1.3
  • Support for 5G firewalling according to FS.36 (roadmap)
  • Support for load balancing
  • Support for Egress/Ingress limitation
  • Support for highly available and geo-redundant deployment models
  • Full GUI based signaling orchestration and system management, configurable service logic, no need for scripting or development
  • Optional (on-board) support for:

SEPP multitenancy for Hosted and Outsourced SEPP
With the BroadForward SEPP solution, a Hosted or Outsourced SEPP can be deployed as an individual SEPP per tenant or in a multitenant setup. In the multitenant deployment model, a single BroadForward SEPP instance can provide SEPP functions for multiple tenants (MNOs, MVNOs or Enterprises). All inbound and outbound routes can be managed by each tenant individually via the onboard API, which can be accessed by a customer portal provided by the hosting party. In this setup, the BroadForward SEPP message flows allow traffic separation based on tenant-ID. Event Detail Records (EDR) are split per tenant to provide tenant-specific EDR files. The multitenant SEPP will maintain individual N32 connections for each tenant. It can be configured to allow direct N32 communication between tenants, reducing the overall capacity requirement.

Hardware-agnostic solution, supporting Kubernetes, NFV
The BroadForward SEPP runs on any off-the-shelf hardware or in a virtualized environment. It is a 100% software-based, hardware-agnostic solution that supports virtualization and cloud deployment as well as containerized application deployment. The BroadForward SEPP does not rely on specialist hardware or proprietary operating systems. The ability to deploy the BroadForward SEPP on a common (shared) platform supports operators and vendors in migrating away from proprietary appliance-based systems to a standards-based, hardware-agnostic, software-only infrastructure.
