Backhaul Security Gateway

Secure links between the access and core network

For a Communication Service Provider, it is critical to secure the traffic coming into the core network from remote base-station sites. Traffic is transported over a range of different technologies on connectivity infrastructure that may be supplied by 3rd parties.

Traffic therefore needs to be encrypted. Also, as physical security may be compromised where the base-station is installed, the access gateway receiving traffic needs to validate the authenticity of the traffic.


Backhaul Security Gateway

This solution focuses on securing the access traffic with high-performance encryption and decryption capabilities. The eNodeBs establish a VPN tunnel to the Backhaul Security Gateway over the X2 interface. The traffic from the base-stations to the core is secured with IPsec regardless of transport method, and at the core network a highly scalable, efficient backhaul gateway is needed to decrypt all the traffic before enabling communication with the core network nodes. Certificate authentication is built in to validate nodes and prevent unauthorized access. This prevents rogue eNodeBs from connecting to the network. Compliance with CMPv2 (Certificate Management Protocol v2) ensures compatibility with eNodeBs from all major vendors. The Backhaul Security Gateway may also be used to inspect the GTP signalling in order to validate its contents.

It is tempting to use dedicated hardware to manage decryption and encryption of traffic. In modern virtualized networks, however, this undermines the advantages that NFV/SDN bring, including elasticity, dynamic scaling and sharing of hardware resources. Virtualized performance is therefore of major importance and will be aided by compatibility with new technologies such as Intel QuickAssist Technology.

Clavister Service-Based Firewall Report

Heavy Reading Analyst Jim Hodges explains why traditional firewalls are not sufficient for architectures preparing for 5G and Next Generation Core networks.

Topics covered in this white paper include:

  • How the 5G Service Based Architecture (SBA) core network and associated capabilities such as 5G slicing will drive new security enforcement firewall functionality
  • The security firewall requirements associated with managing the 5G cloud-distributed new radio (NR) access network
  • The implication of these technologies on existing cloud-based Firewall as a Service (FWaaS) deployments
  • Clavister’s product strategy for dealing with these new service-driven firewall requirements



High performance virtual IPsec encryption and decryption


Rogue eNodeB protection


Elastic scaling with NFV/SDN networks

Use Cases included in this solution


Reliable Secure VPN

Connecting branch offices and remote locations securely and cost effectively



Network perimeter protection securing IT resources and users


Control Signalling Validation

Gateway function for specific signalling validation including GTP and SCTP


Virtual Models

High performance virtualized security gateways designed for new carrier networks based on NFV/SDN.
