5G Security Edge Protection Proxy (SEPP)

TITAN.IUM PRODUCT

Security Edge Protection Proxy Overview

Mobile interconnect fraud is an expensive problem in the 2G/3G/4G world. In developing standards for 5G, 3GPP called for secure communications between home and visited 5G networks. The task of implementing that security was mandated to a new network element, the Security Edge Protection Proxy (SEPP).

The SEPP performs many critical functions to fulfill this mandate. Key among them are:

Act as a secure signaling relay between PLMNs
Provide a mutually authenticated secure communication path between networks
Act as a reverse proxy, providing a single point of access to all network functions
Provide inter-PLMN topology hiding
Provide traffic filtering, policing and overload protection

sepp overview

5G SEPP Business Benefits

Provides standards-compliant secure interworking between home and visited 5G PLMNs, virtually eliminating mobile interconnect fraud for 5G roamers.

Implements a key element of the 5G Core “security by design” architecture.
Incorporates a powerful Rules Engine enabling highly flexible message filtering and routing as well as customer provisioned rules entry.
Delivered on Titan.ium’s InterGENerational^TM cloud native framework.
Provides “capacity on demand” via cloud native fully containerized implementation.
Extremely flexible deployment models: on premises or in the cloud, via Containers.

The Titan.ium 5G SEPP Solution

PLMN SEPP type

Forwards requests between PLMN core (SBI) and external networks(N32).

Local SEPP – SEPP inside a PLMN.
Outsourced SEPP – SEPP in an IPX serving a customer MNO with no local SEPP.

PLMN SEPP type

IPX SEPP type

Forwards requests between external networks. Has no core network (SBI) attached.

Hosted SEPP – SEPP in an IPX serving a customer MNO that has a local/outsourced SEPP.
Multi-tenant Hosted SEPP: SEPP in an IPX serving multiple customer MNOs having local/outsourced SEPP, with dedicated FQDN for each customer MNO in the public interface towards 3rd party operators.
Service-HUB SEPP – SEPP in an IPX/RHUB serving multiple customer MNOs with local/outsourced SEPP, with a single FQDN belonging to the IPX/RHUB in the public interface towards 3rd party operators.

IPX SEPP type

5G SEPP Key Capabilities

Secure Inter-PLMN Communications

SEPP provides secure end-to-end inter-PLMN communications using security negotiation over the N32-c link and inter-PLMN NF message forwarding over the N32-f link, protected by the agreed TLS mutual authentication, Server Name Indication (SNI) support and TLSv1.2/TLSv1.3.

5G Standards Compliant

SEPP supports 3GPP TS 23.501, TS 23.502, TS 29.573, and TS 33.501 standards, along with GSMA FS.36.

High Performance HTTP/2 Stack

SEPP relies on a high-performance HTTP/2 stack with rich configuration options, including connections, buffers, traffic classes, and TLS.

Anti-Spoofing Protection

SEPP verifies that the sending SEPP is authorized to use the PLMN ID they are asserting and performs full cross layer validation of FQDN/PLMN IDs. Spoofed messages can be dropped, rejected, etc.

Message Filtering, Rate Limiting, Overload Protection

SEPP provides message filtering (e.g.: blocking of messages that should not target home subscribers), full stack parameter checking, malformed message protection and rate limiting/overload protection.

PLMN Topology Hiding, Telescopic FQDNs

Titan.ium’s SEPP provides full support for Topology Hiding, masking internal network element details from external PLMNs. This is accomplished by obscuring internal network node information via full telescopic FQDNs generated using TLS wildcard certificates.

Dissectors

SEPP’s Dissector facility includes predefined and user-defined HTTP/2 dissectors allowing retrieval of any information element contained in an HTTP/2 message, which can then be used for filtering and routing.

Dissector-based Rules Engine

Filtering and routing processing is supported by SEPP’s powerful Rules Engine allowing provisionable logical expressions (And/Or/Not) on one or more HTTP/2 information elements as needed. Also provided are pre-defined functions that can be applied to optimize user provisionable rule entry.

Flexible Message Routing

Titan.ium’s SEPP implements highly flexible routing of messages between home and visited PLMNs based on rules for matching criteria. This allows any HTTP/2 information element to be used in any routing decision.

Secure Local Key Management

SEPP provides a secure local capability for N32 key management, storage and recall.

Statistics and Key Performance Indicators (KPI)

SEPP generates statistics and KPIs that can be retrieved by external servers and used for health and performance tracking purposes. It also uses these statistics for congestion control and for routing decisions based on load/latency of route entries.

Highly Flexible Deployment Models

SEPP supports a wide range of on-premise and cloud-based deployment models, easing network integration. It can be delivered on existing customer-provided CNF infrastructure or on existing
customer-provided VNF infrastructure.

5G SEPP Optional Features

The following features may optionally be added to the SEPP deployment as needed.

HTTP2 Message Transformation

This feature enables the operator to invoke configurable message Dissectors and Rules-based Actions to transform message content as needed, for example to aid in 5G to 3G/4G interworking.

HTTP2 Traffic Mirroring

Traffic mirroring interface towards external Probing/Monitoring/Analytics system via gRPC protocol. It provides observability over alarms, events and statistics.

Message Screening

This feature enables the operator to invoke rule-instances using rule-engine, functions and dissectors to identify messages to be blocked.

Additional Related Products

Titan.ium also offers an Element Management System (EMS) system which may be used forcentralized configuration, performance and fault management of distributed SEPPs as needed.

5G Container-Native Architecture

The SEPP is implemented as a set of containerized micro-services, decomposed into the following; Service-Router function; SEPP compute front-end functions; and back-end Data Store micro-service for persistent storage. All component micro-services may be replicated within a Kubernetes (K8S) Cluster both for resiliency & scalability purposes. In addition, two or more K8S Clusters may comprise a single Titan.ium system deployment to achieve multi-site system geo-redundancy, with cross-site Datastore replication to assure a common view of SEPP persistent data.

The Service-Router provides HTTP1/2 routing services & securely exposes SBI interfaces to external IP networks. All Titan.ium 5G NF’s share a common “Network Function Control Agent” (NFCA) microservice responsible for common NF management, e.g., to handle Registration of NF-Profiles to their assigned NRF(s) and keep these NF-Profile registrations up to date via heart-beats.