Table of Contents
5G is no longer an idea. It is here, and it is reshaping how service providers build, operate, and secure their networks. Workloads are moving to the edge, latency is becoming critical, and achieving flexible, adaptive security has never been more challenging.
At Cisco, we are leveraging our platform advantage to solve these problems with innovative architectures. Over the past couple of years, we have been hard at work—reshaping how we approach the evolving needs of mobile infrastructure security. Some of what I will share is already live with customers, and some is still being tested internally.
This is not a product launch or a roadmap. It is just a glimpse into what is keeping us busy and why I am so excited about what’s coming next.
Security Gateway: Designed for Scalability
Let’s begin with the Security Gateway.
We’ve already shipped distributed VPN on the Cisco Secure Firewall 4200 Series platform, with support coming soon to the Cisco Secure Firewall 6100 Series. This allows large IPsec tunnels to be spread across multiple cluster members (up to 16), providing near-linear scalability.
We also introduced loopback tunnel termination, which simplifies underlay routing and fault tolerance. When talking to our service provider clients, a recurring theme we hear from them is their search for new 5G use cases to generate revenue. This naturally pushes workloads closer to the edge, whether on telco cloud or public cloud.
For Open RAN deployments, Cilium CNI from Isovalent, now part of Cisco, provides native encryption at the OS layer across Kubernetes pods. For high-performance IPsec VMs, our three-year partnership with NVIDIA continues to deliver. We’re seeing impressive results in crypto offload and flow acceleration, and with some tuning, our Secure Firewall Threat Defense Virtual appliance can perform even better when top performance is critical.
Securing the Signaling Layer
The signaling layer in mobile networks remains one of the most challenging parts to secure. Like the rest of the industry, we’re continuously enhancing our inspection and filtering capabilities for GTP, Diameter, and SCTP, aligning with the latest 3GPP and GSMA standards.
We aim to incorporate location-aware Diameter filtering, PFCP inspection… and other advanced features, but standards are no longer sufficient.
Signaling attacks are becoming more sophisticated, and SOC and NOC teams require visibility and correlation that surpass basic detection.
That’s where Cisco’s strengths truly shine: AI and large language models supported by network telemetry and Cisco Talos threat intelligence. We’ve started experimenting with our open-source Cisco Foundation AI 8B model to understand whether these data sources can help identify mobile-specific threats. The goal is to explore how AI can assist in recognizing complex patterns across signaling protocols, not as a replacement for existing detection methods but as a complementary approach.
Another major challenge with securing signaling protocols is correlation. A classic example of this would be linking GTP-C and GTP-U sessions, which is notoriously difficult because these protocols are not necessarily destined for the same equipment. With the acquisition of Splunk, we are actively working to simplify and automate this correlation use case for our customers.
GI and N6 Firewall: Enhancing Visibility and Context
Performance is vital in mobile networks, and our 4200 and 6100 platforms deliver the speed and scalability operators need. The 6100 now supports over 80 instances, providing flexibility for large deployments.
A key differentiator is the Encrypted Visibility Engine, or EVE. It’s ideal for the N6 interface because it can detect compromised or infected subscribers even in fully encrypted traffic, protecting both performance and user experience.
We’re training EVE to recognize mobile-specific threat patterns and plan to make its insights shareable via APIs so other tools like DPI systems can utilize this information. We’re also exploring ways to make firewall policies more “mobile-aware.” One of the ways we are able to achieve this is by using eBPF tools to trace artifacts, such as IMSI and IMEI, from the packet core. By coupling eBPF with firewall technology, we can achieve more granular firewall policies.
And naturally, we keep advancing on CGNAT. Currently, we offer excellent performance and optimized logging. In the near future, we aim to add deterministic NAT and DS-lite along with dashboards in Grafana and Splunk to make monitoring and troubleshooting more straightforward.
Packet Core Microsegmentation
Recently, 3GPP made it a requirement to implement microsegmentation, mTLS, 0Auth, and encryption inside the packet core. This requirement emphasizes the importance mitigating unauthorized lateral movement as a standard practice, however, deploying these controls are challenging for many service provider organizations.
Cilium CNI from Isovalent helps simplify meeting this requirement by providing identity-aware segmentation, mTLS, and 0Auth built in. Operators can apply the required 3GPP controls through a single enforcement model, simplifying operations for many service providers and helping them more easily meet compliance.
With Hypershield soon to be available on-premises and powered by Isovalent runtime security, we take proactive security to the next level by introducing Distributed Exploit Protection. This capability leverages the Tetragon agent to automatically inform us about vulnerabilities before patches are released and provide targeted compensating controls—a crucial advantage to minimize risk exposure where uptime is critical.
Final Thoughts
As mentioned earlier, this isn’t a roadmap or marketing pitch. It’s a window into what Cisco teams are building to make mobile infrastructure smarter, safer, and more resilient.
Some features are already available, others are still in development, but all aim to help service providers stay ahead of what’s next.
I’ll share more details and live demos during upcoming Cisco Live sessions. Stay tuned, we’re just getting started.
You can register for Cisco Live Amsterdam 2026.
We’d love to hear what you think! Ask a question and stay connected with Cisco Security on social media.
Cisco Security Social Media
