Virtual EPC & IMS: The Backbone of Modern Telecom Security Testing

Virtual EPC and IMS environments allow telecom security teams to simulate real mobile networks for testing. Learn how virtualized core components help Red and Blue teams detect, reproduce, and defend against real telecom attacks.

Research
Nov 14, 2025
Why virtual cores matter in telecom security labs

Security work on mobile networks needs realistic control and user plane behavior. A virtual core lets teams reproduce procedures such as attach, bearer setup, SIP registration, and VoLTE call flows inside an isolated environment. This supports safe testing, repeatability, and faster iteration.

What a Virtual EPC is

EPC is the LTE core that manages mobility, sessions, and data paths. In a virtual EPC, the same logical functions run as software components.

Key elements most labs include:
• MME for NAS signaling and session control
• HSS for subscriber data and authentication vectors
• SGW and PGW as data plane anchors and IP routing points
• PCRF for policy and charging rules
• Optional eNB or gNB simulators and traffic generators for end-to-end flow

With these pieces, labs can emulate common procedures such as attach, handover at a functional level, default and dedicated bearer management, and policy enforcement.

What a Virtual IMS is

IMS provides the IP multimedia services used by VoLTE and VoWiFi. A virtual IMS reproduces the core SIP- and Diameter-based functions.

Typical components:
• P-CSCF, I-CSCF, S-CSCF for SIP signaling and service control
• HSS or UDM for subscriber and service profile data
• Media resources such as MGW or a simple RTP endpoint for call testing
• Application servers when service logic needs to be exercised

This enables registration, call setup, and service feature testing under controlled conditions.

What security teams do with virtual cores

Use cases that are common and well supported in labs:
• Reproducing signaling edge cases to verify robustness
• Fuzzing at protocol boundaries such as NAS, GTP-C, SIP, and selected Diameter interfaces inside the lab
• Measuring the impact of malformed or state-desync sequences on session management and service continuity
• Creating labeled datasets for detection logic by generating known patterns in a controlled timeline
• Validating configuration hardening before rollout

All of the above stays inside the lab and does not require production connectivity.
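
The labeled-dataset use case above, as an added example (not code from the original article): events collected from lab components are labeled from the test schedule, and anything within the assumed clock skew of a window edge is marked ambiguous instead of being mislabeled. The schedule, event records, label names and the 0.5 s guard value are all constructed for illustration.

```python
from bisect import bisect_right
from collections import namedtuple

Window = namedtuple("Window", "start end label")  # seconds since run start

# Constructed test schedule: what the operator injected, and when.
SCHEDULE = [
    Window(10.0, 20.0, "baseline_attach"),
    Window(30.0, 45.0, "malformed_nas_sequence"),
    Window(60.0, 70.0, "sip_register_burst"),
]

# Constructed event records: (timestamp, component, message).
EVENTS = [
    (5.0, "mme", "S1 Setup"),
    (12.3, "mme", "Attach Request"),
    (20.2, "sgw", "Create Session Response"),
    (29.7, "mme", "NAS message rejected"),
    (36.0, "mme", "NAS message rejected"),
    (52.0, "pcscf", "SIP OPTIONS"),
    (64.1, "pcscf", "SIP REGISTER"),
]


def label_events(events, schedule, guard=0.5):
    """Attach a ground-truth label to each event.

    guard is the assumed worst-case clock skew between components, in seconds.
    """
    windows = sorted(schedule)
    for a, b in zip(windows, windows[1:]):
        if b.start - a.end <= 2 * guard:
            raise ValueError(f"{a.label} and {b.label} are too close to separate")
    starts = [w.start for w in windows]
    rows = []
    for ts, src, msg in events:
        i = bisect_right(starts, ts + guard) - 1  # last window starting by ts+guard
        w = windows[i] if i >= 0 else None
        if w is None or ts > w.end + guard:
            label = "background"
        elif w.start + guard <= ts <= w.end - guard:
            label = w.label
        else:
            label = "ambiguous"  # within guard of an edge: keep out of training data
        rows.append((ts, src, msg, label))
    return rows


if __name__ == "__main__":
    for row in label_events(EVENTS, SCHEDULE):
        print(*row, sep="\t")
```
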

Building blocks that are widely used

Teams typically combine the virtual core with open and commercial tools. Examples of widely used open components:
• Open5GS or srsRAN for LTE core and RAN simulation
• Kamailio or OpenSIPS for SIP control plane experiments
• FreeSWITCH or Asterisk for simple media handling
• Common traffic and packet tools such as tcpreplay, Scapy, and iperf for repeatable flows

These projects are broadly adopted in research and lab contexts and are suitable for controlled experiments when configured correctly.

Good lab practices

To keep results reliable and reproducible:
• Isolate the lab network and document every external interface
• Version the full lab configuration including subscriber data and test inputs
• Record packet captures at defined tap points for later analysis
• Use time synchronization across components to align logs and traces
• Reset state between test runs to avoid hidden dependencies
• Keep a clear boundary between functional testing and security stress testing
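
One way to check the versioning and reset practices above, as an added example (not part of the original article): fingerprint the whole lab directory before a run, then compare after the reset to find state that was left behind. The directory layout, file names and subscriber rows are constructed placeholders.

```python
import hashlib
import tempfile
from pathlib import Path


def fingerprint(root):
    """Map every file under root (relative path) to the SHA-256 of its bytes."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def run_id(manifest):
    """Short digest over the whole manifest, independent of directory order."""
    h = hashlib.sha256()
    for path in sorted(manifest):
        h.update(f"{path}\0{manifest[path]}\n".encode())
    return h.hexdigest()[:16]


def drift(before, after):
    """Files added, removed or changed between two fingerprints."""
    common = before.keys() & after.keys()
    return {"added": sorted(after.keys() - before.keys()),
            "removed": sorted(before.keys() - after.keys()),
            "changed": sorted(p for p in common if before[p] != after[p])}


def demo():
    """Build a constructed lab tree, leave state behind, and report the drift."""
    with tempfile.TemporaryDirectory() as tmp:
        lab = Path(tmp)
        (lab / "core").mkdir()
        (lab / "inputs").mkdir()
        (lab / "core" / "mme.yaml").write_text("mcc: '001'\nmnc: '01'\n")
        (lab / "subscribers.csv").write_text("imsi,profile\n001010000000001,default\n")
        (lab / "inputs" / "case01.bin").write_bytes(b"constructed test input")
        before = fingerprint(lab)
        # A run that was not reset: one extra subscriber, one stale cache file.
        with (lab / "subscribers.csv").open("a") as f:
            f.write("001010000000002,default\n")
        (lab / "core" / "session.cache").write_text("stale")
        after = fingerprint(lab)
        return run_id(before), run_id(after), drift(before, after)


if __name__ == "__main__":
    print(demo())
```

Storing the run identifier next to each packet capture ties every trace to the exact configuration, subscriber data and inputs that produced it.
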

Notes on 5G and cloud environments

Many teams now run virtual cores on virtual machines or containers. The same discipline applies:
• Define resource limits and observe CPU and timing effects
• Pin versions of images and Helm charts if using Kubernetes
• Capture control and user plane traces at consistent points to compare runs
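
A pre-deployment check for the first two points, as an added example (not from the original article): it flags containers whose image is untagged or `latest` and containers without CPU or memory limits. The manifest is constructed and given as JSON so the block needs no YAML library; the registry, image and container names are placeholders, and Helm chart versions are not covered.

```python
import json

# Constructed Deployment for a lab core function; names and registry are
# placeholders, not taken from any real chart.
MANIFEST = json.loads("""
{
  "kind": "Deployment",
  "metadata": {"name": "lab-mme"},
  "spec": {"template": {"spec": {
    "initContainers": [
      {"name": "wait-hss", "image": "registry.lab.example:5000/tools/wait"}
    ],
    "containers": [
      {"name": "mme",
       "image": "registry.lab.example:5000/epc/mme:2.7.0",
       "resources": {"limits": {"cpu": "2", "memory": "1Gi"}}},
      {"name": "pcap-sidecar",
       "image": "registry.lab.example:5000/tools/capture:latest",
       "resources": {"limits": {"memory": "256Mi"}}}
    ]
  }}}
}
""")


def image_pin(image):
    """Return 'digest', the tag string, or None when the reference has no tag."""
    if "@sha256:" in image:
        return "digest"
    name = image.rsplit("/", 1)[-1]  # a ':' before the last '/' is a registry port
    return name.split(":", 1)[1] if ":" in name else None


def audit(manifest):
    """List (container, problem) pairs that make runs hard to compare."""
    pod = manifest["spec"]["template"]["spec"]
    findings = []
    for c in pod.get("initContainers", []) + pod.get("containers", []):
        if image_pin(c["image"]) in (None, "latest"):
            findings.append((c["name"], "image not pinned"))
        limits = c.get("resources", {}).get("limits", {})
        for res in ("cpu", "memory"):
            if res not in limits:
                findings.append((c["name"], f"no {res} limit"))
    return findings


if __name__ == "__main__":
    for name, problem in audit(MANIFEST):
        print(f"{name}: {problem}")
```
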

5G introduces functions such as AMF and SMF and a service-based architecture. Labs can extend gradually, starting with LTE core and IMS, then adding 5G components when a test requires them.

Takeaways

• Virtual EPC and IMS provide realistic, isolated environments for repeatable telecom security testing
• They cover the procedures most security teams need, including attach, bearer management, SIP registration, and call setup
• Open components like Open5GS, srsRAN, Kamailio, and FreeSWITCH are commonly used to assemble these labs
• Careful isolation, versioning, and measurement turn a virtual core into a dependable security testbed
