Home
/
Blog
/

SEPP Security in 5G Roaming: How the Security Edge Protection Proxy Protects Inter Operator Trust

Learn how SEPP security works in 5G roaming, why the N32 interface matters, what threats affect inter operator signaling, and how mobile operators can secure 5G SA roaming.

Research
Mar 25, 2026
SEPP Security in 5G Roaming: How the Security Edge Protection Proxy Protects Inter Operator Trust

SEPP Security in 5G Roaming: How the Security Edge Protection Proxy Protects Inter Operator Trust

Roaming security has always been a trust problem.

The difference in 5G is that the industry finally stopped pretending that inter operator trust should work on optimism alone.

That is where SEPP comes in.

The Security Edge Protection Proxy, or SEPP, is one of the most important security components in 5G SA roaming because it is designed to protect communication between operators across the N32 interface. In simple terms, it sits at the edge of trust between mobile networks and helps secure service based inter PLMN communication. That alone makes it strategically important. But what makes SEPP especially interesting is that many people talk about it as if its existence automatically solves roaming security. It does not.

SEPP improves the security model of 5G roaming. It does not eliminate bad trust decisions, weak policy design, poor visibility, weak certificate hygiene, or sloppy operational assumptions. That is exactly why SEPP security deserves a serious article of its own.

A lot of roaming security content still stays too abstract. It explains that SEPP exists, mentions N32, says 5G is more secure than legacy roaming, and stops there. Real deployments are not that neat. In production, the important questions are much more practical. What exactly is being protected? What remains exposed if policy is weak? What happens when trust is delegated? Where do operators lose visibility? What do attackers look for when the architecture is standards aligned but operationally soft?

Those are the questions that matter if your goal is to protect real 5G roaming, not just pass an architecture review.

What is SEPP in 5G roaming?

SEPP stands for Security Edge Protection Proxy.

In 5G SA roaming, it is the security function that protects service based communication between different public land mobile networks across the N32 interface. In plain English, each operator places a trusted security gateway at the roaming edge, and those gateways help enforce how inter operator communication is secured and controlled. 3GPP’s roaming security overview describes SEPP as central to end to end security for different 5G roaming deployment models, and ETSI’s TS 29.573 defines the stage 3 protocol and APIs for the PLMN interconnection interface, N32.

That sounds straightforward. But the real value of SEPP is not just that it exists. The value is that it changes how operators think about roaming trust.

Legacy roaming often relied on assumptions that were too broad, too inherited, and too comfortable. 5G roaming security introduces more explicit mechanisms for protecting inter operator communication, but explicit does not mean foolproof. A SEPP can only enforce a strong trust model if the underlying policies, identities, and operational controls are also strong.

That is the first important lesson.

SEPP is not magic. SEPP is a security control. Like every security control, it is only as good as the architecture and operations wrapped around it.

Why SEPP exists in 5G SA roaming

5G SA roaming needed a better trust boundary.

As operators moved toward service based communication, the roaming edge could no longer rely on the old habit of broad interconnect trust with security added as a hopeful afterthought. The architecture needed a way to secure communication between operators at the service layer, not just at the network pipe level. SEPP exists because inter PLMN service communication in 5G needs protection, mediation, policy enforcement, and a cleaner trust model than legacy roaming gave us. 3GPP’s roaming security page explicitly presents SEPP as part of the 5G roaming security solution introduced from Release 15 onward to address gaps that existed in legacy networks.

That is the strategic reason.

The practical reason is even simpler: roaming is one of those environments where everything works nicely until too many parties trust too much. Operators, roaming hubs, IPX providers, delegated management models, policy intermediaries, and service based interfaces all create a system where trust is distributed. Distributed trust is useful for connectivity. It is also excellent at hiding risk.

SEPP helps constrain that risk by making roaming security more explicit. It gives operators a defined security function at the interconnection boundary instead of relying on inherited faith in the roaming ecosystem.

A healthy improvement.

Also a place where many teams become overconfident.

How the N32 interface fits into roaming security

The N32 interface is the inter PLMN interface used for service based communication between operators in 5G roaming. ETSI’s TS 29.573 specifically defines protocol behavior and APIs for N32 procedures, which is why N32 is not just a label in a diagram. It is the actual security relevant boundary where roaming trust becomes implementation reality.

This matters because roaming security is no longer only about whether one operator can connect to another. It is about how service based messages cross organizational boundaries, what gets protected, what gets modified, what stays visible, and what each side is expected to trust.

In other words, N32 is where architecture turns into consequences.

That is why N32 should not be treated as a generic interconnect topic. It is one of the most security sensitive interfaces in 5G SA roaming because it carries the trust relationship between operators in a structured, service based way. If the protections around that trust are weak, then the problem is no longer just connectivity risk. It becomes security policy failure at the roaming edge.

And edge trust failures have a habit of spreading.

What SEPP protects and what it does not

SEPP is meant to protect inter operator service communication. That is the starting point.

It can help secure traffic on the roaming edge, support policy driven protection, and provide a more disciplined trust model for N32 communication. 3GPP and ETSI materials describe SEPP handling N32 security functions including message forwarding decisions and cryptographic protection related to roaming communication.

But here is the part that matters for actual security engineering: SEPP does not automatically fix everything around it.

It does not fix weak certificate lifecycle management.

It does not fix poor trust delegation decisions.

It does not fix bad logging.

It does not fix operators granting too much implicit confidence to external dependencies.

It does not fix architecture sprawl created by intermediaries and outsourced operational models.

It does not fix weak internal decision making about what should actually be allowed across roaming boundaries.

That distinction matters because teams often talk about SEPP as if it is a box you deploy and then move on. That is not how strong roaming security works. A SEPP can protect the interconnect boundary. It cannot rescue a careless trust model.

Security controls are not life coaches.

Common SEPP security risks and misconfigurations

The first risk is treating SEPP deployment as the end of the problem.

This is the most common architectural mistake. The team implements SEPP, confirms standards alignment, and mentally downgrades roaming risk. That is exactly when attention starts dropping around policy discipline, certificate operations, and visibility.

The second risk is weak trust policy design.

A SEPP is only useful if the rules around protection, forwarding, modification, and trust boundaries are narrowly and deliberately defined. Broad trust policies defeat the whole point of introducing explicit security at the roaming edge.

The third risk is poor key and certificate hygiene.

Roaming security is not just about cryptographic capability. It is about cryptographic operations. If trust anchors, certificate updates, or renewal processes are brittle, operators start creating the kind of exceptions that quietly turn strong architecture into weak practice.

The fourth risk is blind trust in delegated or intermediary models.

GSMA material has discussed different 5G SA roaming models, including delegated SEPP management and intermediary driven approaches. That is operationally useful, but it also means the trust model can become more layered and more complex. More layers usually mean more assumptions. More assumptions usually mean more risk.

The fifth risk is weak observability at the roaming edge.

Many teams can confirm that traffic crossed the boundary. Fewer can confidently explain whether the policy outcome was appropriate, whether a change in behavior is suspicious, or whether a new inter operator dependency path has appeared quietly over time.

The sixth risk is thinking secure transport equals secure behavior.

This is one of the classic modern security mistakes. Protected transport matters. It does not replace good authorization logic, narrow trust boundaries, or strong monitoring.

How attackers think about 5G roaming trust boundaries

Attackers care about where trust becomes negotiable.

That is why roaming boundaries are attractive.

The roaming edge is a place where multiple organizations need to interoperate, where service communication crosses business boundaries, and where security has to remain functional under real world complexity. That combination is extremely useful for defenders when it is managed well. It is also very interesting for attackers because every operational shortcut, every delegated assumption, and every overly broad policy becomes more valuable at a boundary than it would inside a single tightly governed domain.

An attacker does not need the SEPP concept to fail. They need the implementation around it to become a little softer than it should be.

Maybe a trust decision is too broad.

Maybe policy is too permissive.

Maybe certificate operations are messy.

Maybe visibility is weak.

Maybe an intermediary relationship is understood operationally but not understood security wise.

That is how boundary systems become attack surfaces. Not because the standards forgot security. Because real environments always contain friction, and friction creates exceptions.

Attackers are very interested in exceptions.

SEPP logging, visibility, and incident response gaps

One of the easiest ways to overestimate roaming security is to confuse protection with visibility.

A control can be present and still be hard to investigate.

SEPP security is strongest when operators can answer not just whether communication was protected, but also whether it was expected, policy compliant, and operationally normal. That requires more than event logs. It requires visibility into trust decisions, certificate state, policy matches, inter operator behavior patterns, and changes in communication baselines over time.

This is where many environments get weaker than they realize.

They can show that roaming traffic was secured.

They cannot always show whether a specific service path was appropriate.

They can show the architecture.

They cannot always explain the behavior.

That gap matters during incident response because roaming incidents are rarely improved by vague answers. If something unusual happens at the interconnect edge, teams need to know what changed, what was trusted, why it was allowed, and which policy or identity decision enabled it. Without that level of visibility, the incident review becomes guesswork with better diagrams.

Never ideal.

SEPP hardening checklist for mobile operators

Start with the obvious: deploy SEPP as part of a deliberate trust architecture, not as a compliance decoration.

Enforce strict policy design across inter operator communication. Narrow is better than convenient.

Treat certificates and key management as first class security operations. If renewal and rotation are painful, they will eventually become insecure.

Minimize assumptions around delegated trust models. If another party manages part of the roaming edge, that does not reduce your risk. It changes its shape.

Log enough context to investigate policy decisions, trust failures, certificate anomalies, and unusual communication patterns.

Continuously review whether the set of allowed interactions still matches the actual roaming design. Architecture drift is real.

Test failure cases, not just normal flows. Expired certificates, stale trust relationships, policy mismatches, and intermediary disruptions reveal the truth faster than happy path validation ever will.

And most importantly, remember that the goal is not to deploy a security component. The goal is to make inter operator trust harder to abuse.

That is a more useful benchmark.

Common mistakes operators make with SEPP

One mistake is assuming that 5G roaming is secure simply because the architecture is newer than legacy roaming.

Newer does not mean immune. It usually means differently exposed.

Another mistake is focusing on transport protection while underinvesting in policy governance.

Another is treating delegated SEPP models as purely operational choices rather than trust architecture choices.

Another is underestimating certificate operations until renewal pain starts generating shortcuts.

Another is accepting weak visibility because “the roaming edge is already protected.”

And one of the most damaging mistakes is assuming that standards aligned equals production hardened. Standards matter. Production discipline matters more.

Why SEPP security matters now

SEPP matters because 5G SA roaming is moving from architecture roadmap to operational reality, and the security boundary between operators becomes more important as those deployments grow. GSMA’s 5G security guidance highlights new mutual authentication and interconnect era controls in 5G, while 3GPP and ETSI continue to define and refine the N32 and roaming security framework that SEPP supports.

That makes SEPP security highly relevant for operators, roaming teams, telecom security engineers, and anyone responsible for 5G core interconnection risk.

Not because it is trendy.

Because it is one of the few places where architecture, trust, and inter operator reality collide directly.

And those collisions deserve attention.

Final thoughts

SEPP is one of the most important security controls in 5G roaming, but it should never be treated as a shortcut to confidence.

It exists because the industry needed a more explicit trust model at the roaming edge. That is a real improvement. But the presence of SEPP does not remove the hard work. Operators still need narrow policies, strong certificate hygiene, disciplined trust decisions, useful logging, and enough operational visibility to spot when “valid communication” becomes dangerous communication.

That is the real lesson.

5G roaming security is not just about securing traffic between operators. It is about deciding exactly how much trust should cross that boundary and proving that the answer still holds in production.

SEPP helps.

Blind confidence does not.

FAQ

What is SEPP in 5G roaming?

SEPP stands for Security Edge Protection Proxy. It is the security function used in 5G SA roaming to protect service based communication between operators across the N32 interface.

Why is SEPP important in 5G roaming?

Because it creates a more explicit and controlled security boundary between mobile networks during roaming, rather than relying on broad inherited trust.

What is the N32 interface in 5G?

N32 is the inter PLMN service based interface used between operators in 5G roaming. It is a key trust boundary in 5G SA roaming architecture.

Does SEPP solve all roaming security problems?

No. SEPP improves the security model, but it does not fix weak policy design, poor certificate operations, weak visibility, or unsafe trust assumptions around delegated models.

What are the biggest SEPP security risks?

The biggest risks are overly broad trust policies, poor certificate hygiene, weak visibility, bad delegation assumptions, and confusing secure transport with secure behavior.

How should operators harden SEPP?

Operators should enforce narrow policies, manage keys and certificates carefully, validate delegated trust models, improve interconnect visibility, and regularly test edge failure scenarios.

Is SEPP only relevant for compliance?

No. SEPP is operationally important because it protects one of the most security sensitive boundaries in 5G roaming: communication between operators.

Summary
Download our whitepaper

LTE Pwnage: Hacking HLR/HSS and MME Core Network Elements

By clicking download you confirm that you accept our terms and conditions.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Be informed

SS7 Attacker Heaven turns into Riot: How to make Nation-State and Intelligence Attackers’ lives much harder on mobile networks

By clicking download you confirm that you accept our terms and conditions.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Towards Harmonization: Mapping EU Telecom Security Regulations and their evolution

By clicking download you confirm that you accept our terms and conditions.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.