5G Security

5G has introduced a number of security improvements compared to 4G. 5G standards development has adopted ‘Secure by Design’ principles, for example by using mutual authentication, and by acknowledging that any link could be tapped while making sure that the encrypted information is worthless to whoever intercepts it.

Security is a wide topic with many angles to it; for example, ITU-T has defined eight security dimensions, shown in the table below. While these are all important factors, this blog focuses on 5G network security measures and, in the summary section, looks at how data can still be utilised despite regulation and tight security.

Security dimension       Description
Access control           Protects against unauthorized use of network resources
Authentication           Confirms identities and ensures validity of claimed identities
Non-repudiation          Means for associating actions with entities
Data confidentiality     Protection of data from unauthorized disclosure
Communication security   Information flow only allowed between authorized end points
Data integrity           Correctness and accuracy of data
Availability             No denial of authorized access to network resources or data
Privacy                  Protection of information that might be derived from the observation of network activities

The importance of security is increasing continuously as we become more and more dependent on digital services. The number of connections is increasing exponentially with M2M and IoT. Therefore, aspects such as trusted ID, trusted SW, secure configuration, trustworthy data, protected communication, privacy and physical security are gaining more relevance not only in IoT communication, but in telecommunications in general.

Subscriber and Device Protection

5G has several enhancements in subscriber security:

  • Protects the confidentiality of the initial non-access stratum (NAS) messages between the device and the network. It is no longer possible to trace user equipment (UE) using current attack methodologies over the radio interface, protecting against man in the middle (MITM) and fake base station (Stingray/IMSI catcher) attacks.
  • Home control – a mechanism that requires the home network to check the authentication status of the device in the visited network, preventing various types of roaming fraud.
  • Unified authentication, for example, for WLAN, allowing 5G networks to manage previously unmanaged and unsecured connections.
  • User plane integrity checking, ensuring the user traffic is not modified during transit.
  • Enhanced privacy protection with the use of public/private key pairs to conceal the subscriber’s identity.

UE keys are stored in the Universal Subscriber Identity Module (USIM) and in the home environment to enable network access security. There are two trust domains: the tamper-proof Universal Integrated Circuit Card (UICC), on which the USIM resides as the trust anchor, and the Mobile Equipment (ME).

The Subscription Permanent Identifier (SUPI), the 5G equivalent of the 4G IMSI, is encrypted and sent over the air as the Subscription Concealed Identifier (SUCI). Naturally, the air interface between the UE and the gNB is encrypted as well.
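The following is an added example (not code from the original page or from any 3GPP implementation) showing how the public/private key pair mentioned above conceals the subscriber identity. 3GPP ECIES Profile A uses Curve25519 key agreement, the ANSI X9.63 KDF with SHA-256, AES-128-CTR and an 8-byte HMAC-SHA-256 tag; Curve25519 is implemented below as a pure-Python RFC 7748 ladder, while AES-CTR is replaced by an HMAC-SHA-256 counter keystream because the Python standard library has no AES (an assumption for runnability, so the output is not byte-compatible with a real network). The MCC/MNC/MSIN values, the SUCI field names and the helper names are constructed for illustration.

```python
# Added example (not from the original page): model of 5G SUPI concealment (SUCI).
# 3GPP ECIES Profile A uses Curve25519, the ANSI X9.63 KDF (SHA-256), AES-128-CTR
# and an 8-byte HMAC-SHA-256 tag. Curve25519 is a pure-Python RFC 7748 ladder here;
# AES-CTR is replaced by an HMAC-SHA-256 counter keystream (assumption: stdlib has
# no AES), so the scheme output is not byte-compatible with a real network.
import hashlib
import hmac
import secrets

P = 2**255 - 19
A24 = 121665
BASE_POINT = (9).to_bytes(32, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519 scalar multiplication (Montgomery ladder, not constant-time)."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(bytes(u[:31]) + bytes([u[31] & 127]), "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def x963_kdf(shared: bytes, shared_info: bytes, length: int) -> bytes:
    """ANSI X9.63 KDF with SHA-256: SHA256(Z || counter || SharedInfo), counter from 1."""
    out, counter = b"", 1
    while len(out) < length:
        out += hashlib.sha256(shared + counter.to_bytes(4, "big") + shared_info).digest()
        counter += 1
    return out[:length]


def ctr_xor(key: bytes, icb: bytes, data: bytes) -> bytes:
    """Counter-mode XOR; block i keystream = HMAC-SHA256(key, ICB + i). Stand-in for AES-CTR."""
    ctr, out = int.from_bytes(icb, "big"), bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, ((ctr + i // 32) % 2**128).to_bytes(16, "big"), hashlib.sha256).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)


def hn_keypair() -> tuple:
    """Home network key pair; the public half is provisioned on the USIM."""
    priv = secrets.token_bytes(32)
    return priv, x25519(priv, BASE_POINT)


def derive_keys(shared: bytes, eph_pub: bytes) -> tuple:
    """Profile A key split: 16-byte encryption key, 16-byte ICB, 32-byte MAC key."""
    keys = x963_kdf(shared, eph_pub, 64)
    return keys[:16], keys[16:32], keys[32:]


def conceal_supi(mcc: str, mnc: str, msin: str, hn_pub: bytes) -> dict:
    """UE side: only the MSIN is encrypted; MCC/MNC stay in clear so the SUCI can be routed."""
    eph_priv = secrets.token_bytes(32)  # fresh per registration, so two SUCIs are unlinkable
    eph_pub = x25519(eph_priv, BASE_POINT)
    enc_key, icb, mac_key = derive_keys(x25519(eph_priv, hn_pub), eph_pub)
    ciphertext = ctr_xor(enc_key, icb, msin.encode())
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()[:8]
    return {"supi_type": "imsi", "mcc": mcc, "mnc": mnc, "routing_indicator": "0000",
            "protection_scheme": 1, "hn_public_key_id": 1,
            "scheme_output": eph_pub + ciphertext + tag}


def deconceal_suci(suci: dict, hn_priv: bytes) -> str:
    """Home network (UDM/SIDF) side: recover the SUPI, rejecting a tampered SUCI."""
    out = suci["scheme_output"]
    eph_pub, ciphertext, tag = out[:32], out[32:-8], out[-8:]
    enc_key, icb, mac_key = derive_keys(x25519(hn_priv, eph_pub), eph_pub)
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("SUCI MAC check failed")
    return suci["mcc"] + suci["mnc"] + ctr_xor(enc_key, icb, ciphertext).decode()
```

The property that defeats IMSI catchers is visible in `conceal_supi`: because a fresh ephemeral key is drawn for every registration, two SUCIs for the same subscriber share nothing but the MCC/MNC, and only the holder of the home network private key can recover the MSIN. The MAC check in `deconceal_suci` rejects a SUCI whose ciphertext was altered in transit.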

Network protection

The RAN is separated into Distributed Units (DU) and Central Units (CU). Because PDCP ciphering terminates in the CU, the DU has no access to customer communications in clear. IPsec is typically used to protect the backhaul connection from the gNB.

On the core side, the AMF serves as the termination point for NAS security. The AMF is co-located with the Security Anchor Function (SEAF), which holds the root key for the visited network. The Authentication Credential Repository and Processing Function (ARPF) is co-located with the UDM and stores the long-term security credentials.

5G also introduces a new network architecture element: the Security Edge Protection Proxy (SEPP). The SEPP protects the home network edge, acting as the security gateway on interconnections between the home network and visited networks. Its main functionality includes:

  • Application layer security and protection against eavesdropping and replay attacks
  • End-to-end authentication, integrity and confidentiality protection via signatures and encryption of all HTTP/2 roaming messages
  • Key management mechanisms for setting the required cryptographic keys and performing the security capability negotiation procedures
  • Message filtering and policing, topology hiding and validation of JSON objects, including cross-layer information checking with address information on the IP layer
  • Enhanced security of international roaming services to overcome the existing security risks linked to SS7 and Diameter usage.
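To make the filtering and policing bullets concrete, here is an added example (not Profitap's or 3GPP's code) of a toy SEPP pipeline in Python: JSON validation of an inbound roaming request against a constructed schema, a cross-layer check that the PLMN claimed in the message body matches the IP-layer source address (the partner allow-list is constructed), and topology hiding on outbound messages that rewrites internal network function hostnames to the SEPP's public name (the hostname pattern, the `sepp.example.net` name and all sample values are assumptions). The N32 TLS and signing layer is out of scope here.

```python
# Added example (not from the original page): a minimal SEPP-style message filter.
# Schema, allow-list, hostnames and sample messages are constructed for illustration.
import ipaddress
import json
import re

# Constructed allow-list: source prefixes each roaming partner PLMN may use on N32.
PARTNER_ALLOWLIST = {
    "mcc=999,mnc=01": [ipaddress.ip_network("203.0.113.0/24")],
    "mcc=999,mnc=02": [ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed schema: an inbound request must carry exactly these keys, each matching
# its format rule. Unknown keys are rejected (policing), so nothing unexpected passes.
SCHEMA = {
    "supi": re.compile(r"^imsi-\d{15}$"),
    "servingPlmn": re.compile(r"^mcc=\d{3},mnc=\d{2,3}$"),
    "nfType": re.compile(r"^[A-Z]{2,6}$"),
    "callbackUri": re.compile(r"^https://[\w.-]+(/[\w./-]*)?$"),
}

# Internal NF hostnames that must not leak to a partner (pattern assumed here) and
# the public name the SEPP presents instead (constructed).
INTERNAL_HOST = re.compile(r"[\w-]+\.5gc\.mnc\d{3}\.mcc\d{3}\.3gppnetwork\.org")
PUBLIC_SEPP_HOST = "sepp.example.net"


def validate_message(raw: bytes) -> dict:
    """Parse and validate the JSON body; raises ValueError on any policy violation."""
    try:
        msg = json.loads(raw)
    except ValueError as exc:  # JSONDecodeError and UnicodeDecodeError are ValueErrors
        raise ValueError(f"malformed JSON: {exc}") from None
    if not isinstance(msg, dict):
        raise ValueError("top-level JSON value must be an object")
    unknown = set(msg) - set(SCHEMA)
    if unknown:
        raise ValueError(f"unexpected keys: {sorted(unknown)}")
    for key, rule in SCHEMA.items():
        value = msg.get(key)
        if not isinstance(value, str) or not rule.fullmatch(value):
            raise ValueError(f"field {key!r} missing or malformed")
    return msg


def check_cross_layer(msg: dict, src_ip: str) -> bool:
    """Cross-layer check: the PLMN claimed in the JSON must match the IP-layer source."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in PARTNER_ALLOWLIST.get(msg["servingPlmn"], []))


def hide_topology(msg: dict) -> dict:
    """Outbound topology hiding: rewrite internal NF hostnames in string values."""
    return {k: INTERNAL_HOST.sub(PUBLIC_SEPP_HOST, v) if isinstance(v, str) else v
            for k, v in msg.items()}


def sepp_inbound(raw: bytes, src_ip: str) -> tuple:
    """Filter one inbound N32 message: returns ("accept", msg) or ("reject", reason)."""
    try:
        msg = validate_message(raw)
    except ValueError as exc:
        return ("reject", str(exc))
    if not check_cross_layer(msg, src_ip):
        return ("reject", f"PLMN {msg['servingPlmn']} not expected from {src_ip}")
    return ("accept", msg)


# Constructed sample messages: an inbound request from partner PLMN 999/01 and an
# outbound response that still carries an internal UDM hostname.
SAMPLE_REQUEST = json.dumps({
    "supi": "imsi-999010000000001",
    "servingPlmn": "mcc=999,mnc=01",
    "nfType": "AMF",
    "callbackUri": "https://amf1.mnc001.mcc999.example.net/callbacks/1",
}).encode()
SAMPLE_RESPONSE = {"targetNf": "https://udm-1.5gc.mnc002.mcc999.3gppnetwork.org/nudm-sdm/v2"}

if __name__ == "__main__":
    print(sepp_inbound(SAMPLE_REQUEST, "203.0.113.10"))   # accepted
    print(sepp_inbound(SAMPLE_REQUEST, "198.51.100.10"))  # rejected: wrong source for PLMN
    print(hide_topology(SAMPLE_RESPONSE))                  # internal UDM name replaced
```

The cross-layer check is the interesting part: a message can be syntactically perfect and still be rejected because the PLMN it claims in the JSON body does not match where it arrived from at the IP layer, which is exactly the kind of consistency a pure application-layer validator cannot see.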

5GC security

5GC introduces a new set of protocols and processes to secure the core functions. These include:

  • HTTP/2 communication between cloud native functions (CNF) in the core
  • TLS providing encrypted communication between all CNF
  • HTTP/2 over N32, replacing Diameter over the S6a reference point
  • More secure cipher suites

Network domains and security

Telecom networks are often divided into four distinct parts: the access network, the core network, the transport network, and the interconnect network that connects different core networks with each other.

It is clear that 5G has increased security in many ways compared to previous telecom generations. New features such as network slicing and 5GC bring new ways of having a safe network, but they also carry potential dangers. Kubernetes and container security require new thinking in security management, for example, secure container lifecycle management is a must.

CSPs and security

CSPs are definitely facing a huge challenge with all the security technologies and threats. It is one thing to secure the network properly, but at the same time, the CSP’s existence and success depends on how well subscribers are served. Understanding subscriber behaviour is even more important than before.

This creates a bit of a dilemma for the CSPs: how can they run a secure network and still have visibility into their subscribers?

Network visibility remains a cornerstone of understanding what happens in the network. Despite the multi-layer security measures, the data flow and messages need to be decrypted before any action can be taken. The point of decryption is where data can legitimately be extracted, for example from the 5GC, or from the user plane after it has passed through the Security Gateway.

The increasing number of attacks, regulators’ tightened requirements and a massive increase in data volumes require CSPs to plan their data extraction points more carefully and, in many cases, to add encapsulated encryption with anonymisation. With careful planning and the right solution, monitoring the data and getting insights into subscribers’ behaviour is still possible.

Remote network analysis with IOTA

Networks on remote sites can be tough to monitor. Often, there is limited visibility capability, and getting network engineers on location for onsite troubleshooting is costly and time-consuming.

When you need to capture and analyze data across multiple locations, Profitap IOTA offers an ideal packet capture and analysis solution consisting of EDGE and CORE models. The EDGE models are designed for easy troubleshooting on remote locations with onboard capture storage SSD, and integrated analysis dashboards.

Network bandwidth requirements for remote sites are usually lower, so relatively small and scalable solutions, such as the IOTA EDGE models, are the best fit. When expanding your business to new locations, IOTAs can be quickly added to the network, allowing for easy expansion of your network analysis capability across multiple locations.

A large fleet of remotely deployed IOTAs can be monitored centrally with the IOTA CM Centralized Management application, allowing complete network oversight.

As illustrated above, combining IOTA EDGE models and the IOTA CM allows businesses to track real-time and historical network performance and to troubleshoot issues flexibly and remotely. This is especially helpful in the case of intermittent network issues. Long-term datasets accumulated over days, weeks, or months can be explored, helping to identify trends and patterns and to compare performance across multiple locations.

With IOTA CM, it is possible to perform multi-segment analysis. With this feature, latency can be measured between different IOTA capture points.

The all-in-one IOTA solution is an ideal remote network performance monitoring solution. Many network parameters are now available to you at the click of a button, like VoIP, HTTP, Local Assets, Microburst, Modbus, SSL/TLS, TCP, Bandwidth, DNS, Host Details, and many more. IOTA will allow you to save costs, accelerate MTTR, and ensure system uptime.

Solving 40G and 4x10G compatibility challenges

Growing networks bring a growth in data transmission speeds with them. Although this is usually a good thing regarding bandwidth capabilities, different transmission technologies can result in incompatibility problems between connections, for example in the case of 40G and 4x10G connections.

4x10G and 40G are two high-speed data transmission technologies that are incompatible with each other because they utilize different protocols and data formats.

The difference between 40G and 4x10G

40G employs protocols such as 40GBASE-SR4 or 40GBASE-LR4 to transmit data at 40 gigabits per second (Gbps) over four optical fiber strands. It uses a multi-lane approach, where four lanes of 10Gbps data are multiplexed into a single 40Gbps stream.

In contrast, 4x10G leverages protocols such as 10GBASE-SR or 10GBASE-LR, which operate at 10 Gbps over a single optical fiber strand. It adopts a point-to-point connection, where two devices directly exchange data via a single link.

Data Format Differences

40G utilizes the QSFP+ (Quad Small Form-factor Pluggable) transceiver, capable of handling four parallel 10Gbps data streams. The QSFP+ encapsulates the data in a specialized format that aligns with the 40GBASE-SR4/LR4 protocol.

On the other hand, 4x10G employs SFP+ (Small Form-factor Pluggable+) transceivers, which are designed for single-lane 10Gbps connections. The SFP+ encapsulates the data in a different format, compatible with the 10GBASE-SR/LR protocol.

Compatibility Challenges

The incompatibility between 4x10G and 40G arises from the fundamental protocol and data format differences, preventing direct interoperability between the two technologies.

In other words, it’s not possible to directly connect 4x10G links to a QSFP+ port operating on the 40GBASE-SR4/LR4 protocol.

Network Packet Brokers bridge the incompatibility gap

Network Packet Brokers play an important role in bringing together traffic of different types and speeds. Deployed centrally in network monitoring architectures, NPBs optimize traffic flow between TAP and SPAN connections and network monitoring, security, and acceleration tools.

To accommodate incoming and outgoing traffic at different speeds, NPBs feature different port types, ranging from 1/10G SFP+ ports to higher speed ports such as 40/100G QSFP28 or even 100/400G QSFP-DD.

In the management application, interfaces of Profitap network packet brokers can be split into four individual connections, allowing the use of breakout cables. QSFP+ can be split into 4x10G SFP+ connections, and QSFP28 ports can be divided into 4xSFP+ (10G) or 4xSFP28 (25G) ports.

Because they are seen as separate ports on the NPB, they can each operate at the protocol and data format of the corresponding incoming or outgoing connection, solving the compatibility issues a direct link would have had.

This flexibility in port configuration highlights the adaptability, efficiency, and cost-effectiveness of Network Packet Brokers when handling a range of network configurations.