LTE Security: Securing the Backhaul for Future Networks

It is difficult to protect moving targets, but subscribers on 4G and LTE networks must be confident that their data is secured beyond simply being part of a fast, high-volume traffic stream. A major concern in LTE architectures is that the link between the cell site and the core network is not inherently secure.

Historically, operators did not have to prioritize backhaul security.

2G and 3G systems used TDM and ATM backhaul, which were relatively resilient to external attacks. In addition, 3rd Generation Partnership Project (3GPP)-based 2G and 3G services include built-in encryption from the subscriber’s handset to the radio network controller. In LTE networks, however, while traffic may be encrypted over the air interface from the device to the eNodeB (eNB), the backhaul from the eNB to the IP core often remains unencrypted. This leaves both the traffic and the backhaul network vulnerable to interception and manipulation.

This vulnerability is amplified by the rapid, widespread rollout of microcell base stations intended to add capacity in public locations such as shopping centres and shared office spaces. Industry analysts expected the global number of cellular sites to rise substantially, driven largely by micro and small cells deployed to deliver extra bandwidth at lower cost. Many of these new sites are placed in publicly accessible or lightly secured locations, creating increased exposure.

Why microcell security matters

Small base stations installed in public areas usually have far less physical protection than traditional macro sites. That lack of physical security makes them attractive targets for malicious actors who might tamper with the equipment to probe an operator’s all-IP LTE environment, look for vulnerabilities, and then attempt to infiltrate other network nodes or launch attacks against the mobile core. Potential consequences include unauthorized access to end-user data, denial-of-service attacks against mobile services, and other disruptions.

At the same time, operators face growing pressure—both from competitors and from customers—to demonstrate robust protections for subscriber data. Assurances that mobile traffic is protected from interception and theft are increasingly important for retaining and attracting users.

Consequently, the backhaul link from the eNB to the mobile core and Mobility Management Entity (MME) must be secured to protect unencrypted traffic and safeguard the operator’s core network. This is particularly critical when backhaul services are provided by third parties, shared between operators, or carried over the public Internet—common choices for mobile network operators seeking the lowest total cost of deployment and ownership. While these shared or third-party backhaul options reduce cost, they also reduce the inherent trustworthiness of the network. So how should operators protect backhaul infrastructure to maintain subscriber trust and protect data and revenue?

IPsec tunnels: the recommended approach

To reduce the risk of attacks on backhaul networks and to protect the S1 interface between the eNB and the mobile core, 3GPP recommends using IPsec for authentication and encryption of IP traffic, together with firewalling at the eNB and within the operator’s core. The 3GPP model envisions IPsec tunnels initiated at the cell site to carry both bearer and signalling traffic across the backhaul and to be terminated and decrypted in the core by a security gateway. IPsec is already widely used in femtocell, IWLAN (TTG) and UMA/GAN deployments, and many infrastructure vendors support IPsec tunnels in their eNB offerings.

Despite being the standard recommendation, IPsec deployments raise common concerns for operators: market position and customer expectations; the cost and complexity of rollout; and potential impacts on network performance.

Operators must ensure that their IPsec deployments scale effectively and deliver high availability to meet the expected growth in LTE traffic and bandwidth demands. That requires security solutions that provide carrier-grade throughput, comply with current 3GPP security standards, and remain flexible enough to evolve with the operator’s needs. At the same time, the solution should be cost-efficient to limit the impact on capital and operational budgets.

Designing scalable backhaul security

A practical way to address these concerns is to implement IPsec on commercial off-the-shelf (COTS) platforms running within virtualized hypervisors. Virtualized security avoids the need to backhaul traffic to a central aggregation point or to deploy additional hardware appliances, simplifying deployment and management while enabling rapid scaling. Virtualization also offers the elasticity operators need to support future growth.

From a performance perspective, the security solution should support both single and multiple IPsec tunnels from eNBs to the core, enabling flexible quality-of-service (QoS) optimisation based on tunnel IDs or service types while keeping the security layer transparent to subscribers. This capability allows operators to provision dedicated IPsec tunnels for distinct customer groups—such as public safety agencies—thereby segregating sensitive traffic flows.
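The two ideas above, an IPsec tunnel initiated at the cell site and terminated at a core security gateway, and a second, dedicated tunnel for a customer group such as a public-safety agency, can be expressed in a single strongSwan swanctl.conf on the eNB side. The following configuration is an added example written for this page; it is not Clavister's, 3GPP's or any vendor's eNB configuration. The addresses, identities, certificate file names, core subnets and cipher suites are placeholders chosen for illustration; only the structure (IKEv2, certificate authentication, ESP in tunnel mode, one child SA per traffic class) reflects the 3GPP model described in the text.

```conf
# swanctl.conf on the eNB (IKEv2 initiator). All addresses, identities, file
# names and subnets below are placeholders invented for this example.
connections {
    s1-backhaul {
        version      = 2                    # IKEv2, as 3GPP network domain security requires
        local_addrs  = 192.0.2.10           # eNB backhaul interface (placeholder)
        remote_addrs = 198.51.100.1         # security gateway in the core (placeholder)
        proposals    = aes256-sha256-ecp256 # IKE SA cipher suite (assumed choice)
        dpd_delay    = 30s                  # dead-peer detection: notice a lost gateway quickly
        rekey_time   = 4h

        local {
            auth  = pubkey
            certs = enb-site-0001.pem       # per-site certificate (placeholder file name)
            id    = "CN=enb-site-0001, O=Operator"
        }
        remote {
            auth    = pubkey
            id      = "CN=secgw-01, O=Operator"
            cacerts = operator-ca.pem       # only this CA may vouch for a security gateway
        }

        children {
            # General subscriber traffic: S1-U (GTP-U) and S1-MME (S1AP) share one tunnel.
            s1-general {
                local_ts      = 192.0.2.10/32
                remote_ts     = 10.10.0.0/16        # EPC core range (placeholder)
                esp_proposals = aes256gcm16-ecp256  # AEAD ESP; tunnel mode is the default
                start_action  = start               # bring up at boot, so there is no plaintext window
                dpd_action    = restart
                rekey_time    = 1h
            }
            # Dedicated tunnel for a public-safety customer group. A separate child SA
            # gives this traffic its own SPI pair, so the transport network can apply
            # QoS per tunnel and the flows never mix with general subscriber traffic.
            s1-public-safety {
                local_ts      = 192.0.2.10/32
                remote_ts     = 10.20.0.0/16        # separate core segment (placeholder)
                esp_proposals = aes256gcm16-ecp256
                start_action  = start
                dpd_action    = restart
                rekey_time    = 1h
            }
        }
    }
}
```

On the eNB this is paired with the host firewall the text mentions: the backhaul interface should accept only IKE (UDP 500 and 4500) and ESP to and from the security gateway, so no S1 traffic can leave the site outside a tunnel even if the IPsec service is misconfigured or down. The security gateway carries a mirror-image definition with the same two child SAs, terminating and decrypting both tunnels in the core.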

By deploying a flexible security platform that delivers advanced IPsec functionality and supports additional security applications, operators can protect subscriber data and the mobile core from interception and attacks while retaining straightforward operational control. That protection helps preserve subscriber trust, maintain customer loyalty, and protect revenue streams.

Clavister offers a range of backhaul security solutions designed for these scenarios.