Security for LTE Networks

Nexus PKI platform for securing LTE networks

For Telcos that want to grow and adapt to future possibilities with the internet of things (IoT) and 5G, a mature and flexible public key infrastructure (PKI) platform is needed. Telcos must encrypt the communication on the backhaul if it goest through public networks. The most important considerations when choosing security for LTE infrastructures are:

  • High security
  • Protection against internal threats
  • Vendor-independence
  • Automatic certificate enrollment
  • Multiple use cases and multi-tenancy

High security

Strong authentication and encryption are crucial to secure the communication between eNodeBs and security gateways, as well as between eNodeBs and their operations support systems (OSS). Encryption tunnels using certificate-based authentication, instead of passwords, ensure high security, scalability and automation.

Nexus’s mature and reliable PKI component framework provides the widest range of certificate issuing and management protocols on the market. This means that any standards-based network element, server, personal computer (or smart card for that matter) can get the certificates necessary to establish the highest trust across the complete mobile network from the base stations and deep into the core network.

Using the Nexus PKI platform enables mobile network operators to increase the level of protection and security in their LTE networks. The robustness and readiness of the Nexus software improves the overall availability of the LTE infrastructure and becomes an excellet tool for providing good governance and efficient security management.

Protection against internal threats

Internal threats to the system also need to be considered. Nexus’ PKI platform has functionality to protect from internal threats that most other PKI platforms do not include:

  • Multi-person control can be enforced to security-sensitive operations, so that different roles must be involved in security critical operations.
  • Out-of-the-box strong authentication is enforced to access the security infrastructure.
  • All event logs are digitally signed and therefore protected against manipulation.


When choosing an LTE network security solution, it is important to consider the need for a vendor independent security solution. A PKI solution provided by the telecom equipment vendor could be relevant when the network is limited to single vendor base stations. However, as soon as base stations from various vendors are included in the network, an independent solution is needed. This scenario will become increasingly common.

The Nexus PKI platform already supports LTE network devices from Airspan, CommScope, Alcatel Lucent, Cisco, Ericsson, Fortinet, Huawei, Juniper, and Nokia networks, and the list of supported vendors is continuously growing.

Automatic certificate enrollment

Automatic certificate enrollment, instead of doing the work manually, leads to lower costs, less administration and no risk of human error.

Nexus’ PKI platform has an automated process for issuing certificates and allows full lifecycle management including device registration, certificate request authentication, certificate renewal, and revocation.

For the auto-enrollment and lifecycle management of the machine certificates, the PKI platform uses the standard protocols Simple Certificate Enrollment Protocol (SCEP) and Certificate Management Protocol (CMPv2). These protocols are used to request and renew machine certificates from the certificates authorities (CA) of the corporate PKI.

Multiple use cases and multitenancy

Apart from protecting the base stations, there are many other use cases for certificates. Users and back-end servers also need protection. A Nexus PKI platform installation also handles these types of certificates well.

Support for a wide range of certificate issuing and management protocols makes it possible to include any other PKI use case found in corporates, including out-of-the-box integration with internal IT systems such as servers, authentication clients and smart cards.

Multitenancy allows multiple CAs for different client organizations and use cases to run in a single service environment. Nexus’ PKI platform is truly multitenant. Each CA can be managed with separation of individual policies, issuing and maintenance processes, and separate groups of policy administrators in one platform.

Why Nexus?

Mobile network operators meet many challenges in protecting the LTE infrastructure, and many more challenges will come in the future. For the Telcos that wants to grow and adapt to future possibilities with IoT and 5G, a mature and flexible PKI platform is needed. The Nexus PKI platform creates flexibility about choice of vendors, and with an independent PKI platform, operators can increase and maintain security today and keep the security platform untouched when technology upgrades are needed.

Nexus’ PKI platform scales well in large device volume networks and helps the operator guarantee high availability by supporting automation of manual processes, local high availability, load sharing using load balancers, and geo-redundancy support for appropriate disaster recovery plans.

Nexus’ PKI platform is not limited in terms of number of CA’s or certificate templates which makes it ideally suited to be the foundation of a global or national PKI service for a mobile operator. It supports multiple standards and protocols suitable for Telcoms, such as ACME, 3GPP, EST (Enrollment over Secure Transport, RFC 7030), SCEP, and CMPv2.

For more information on supported LTE devices and protocols, click here.

Customer Case Study: Discover how Vodafone Turkey keeps its rapidly growing network in check with LTE technology using public key infrastructure (PKI) from Nexus.


News, customer cases and blog posts