How is the LTE backhaul (the S1 link between base station and core network) protected?
Traffic over the S1 backhaul interface is confidentiality-protected using IPsec tunnels between the eNodeB and a Security Gateway (SEG), implemented with hardware security devices — but per 3GPP TS 33.401 §13, IPsec is not required if the S1 interfaces are trusted (e.g. physically protected).
The backhaul protection:
- The concern: confidentiality of traffic on the S1 interface (the backhaul link between the eNodeB and the core)
- Hardware security devices implement the protection
- Security Gateways (SEG) sit at the core edge
- An IPsec tunnel is established between the eNodeB and the SEG
The conditional exemption (3GPP TS 33.401 – 13):
If the S1 management-plane interfaces are trusted (e.g., physically protected), the use of IPsec/IKEv2-based protection (or equivalent) is not required.
Why this matters: the air interface gets the most attention, but the backhaul carries the same user traffic over (often) leased lines or microwave links. LTE secures it with IPsec — but again optionally, conditioned on physical trust. An operator who assumes their backhaul is "physically protected" when it isn't creates a real exposure.
The big-picture pattern of LTE security: strong tools (IPsec backhaul, AKA mutual auth, three cipher choices) — but repeatedly optional/conditional, which is the seam attackers and auditors probe.
Go deeper:
IPsec (Wikipedia) — the IKEv2 tunnel-mode mechanism that protects the eNodeB↔SEG S1 link.