Path Governance for Carrier Networks
Telecommunications infrastructure carries the data of entire nations. When management planes are compromised, attackers do not just reach one organisation. They reach every organisation that relies on the network.
Telecoms

Telecommunications networks are national infrastructure. If the management plane is reachable from the data plane, every subscriber and every organisation relying on that network is exposed.

- 100%: management plane isolation from subscriber traffic
- Zero: persistent third-party access to core systems
- 4: network zones with independent governance
- Full: Ofcom and NIS2 compliance evidence
Carrier networks face persistent, sophisticated threats.
Management Plane Exposure
Core network management interfaces remain reachable from the same paths that carry subscriber traffic, creating lateral movement opportunities.
Vendor Access Risks
Equipment vendors require ongoing access for maintenance, creating persistent pathways that attackers exploit through supply chain compromise.
Signalling Exploitation
SS7 and Diameter signalling vulnerabilities allow interception and redirection of subscriber communications across interconnected networks.
The Scenario
Scenario: Core Network Management Compromise
An advanced persistent threat group compromises a vendor remote access portal used for routine maintenance on mobile core equipment. Over six weeks, they escalate privileges from the vendor management VLAN into the packet core, gaining access to subscriber location data and call routing tables. The attackers redirect traffic for targeted individuals through compromised nodes for interception. With Firevault Control, the vendor access path is physically severed outside maintenance windows. The management plane exists on a separate, disconnected network that requires multi-party authorisation to activate. The attack vector ceases to exist between scheduled maintenance periods.
"We had 14 vendor access paths into our core network. Each one was a logical separation that looked solid on paper. When we mapped the actual reachability, every single one could be traversed with sufficient privilege escalation."
Where each Control module is deployed across BSS, OSS, the core network and the edge.
Telecoms operators run business systems, an OSS that manages the network, a packet core and signalling, and RAN and edge equipment that reaches the subscriber. Control puts a real boundary at each layer.
Grounded in 3GPP / ETSI security architecture, NIS2 telecoms Annex and ENISA 5G threat landscape guidance.
Zones from the perimeter inward, with the caption on each link between them:

Internet / Roaming · External
  External traffic stops at the perimeter.
Business systems (BSS) · IT
  BSS cannot reach OSS directly.
Network ops (OSS) · IT
  Cross-domain actions are approved and named.
Telecoms DMZ · DMZ · trust boundary
  Network changes move on scheduled routes.
Packet core / signalling · OT
  Subscriber identity and the control plane.
  Pushing to the edge needs the right approval.
RAN and edge · Field
  Vendor access opens on a schedule and closes again.
Vendor zone · DMZ · trust boundary
Crown jewels · Off-network
Detail callout A · Offline Secure Storage
Network configurations, subscriber records, evidence and any data you need to keep recoverable. Offline by design, secure by default.

Modules & symbols
Where each module is deployed, and what it does there.
One row per module: placement on the network, then plain-English purpose at that point.
- Firebreak · On the T0 to T1 link and the vendor link
  Real hardware off switches on the public and vendor boundaries, ready to sever the live path when an incident is called.
- Validate · On the T0 to T1 link, the T1 to T2 link and inside the DMZ
  Requests crossing into trusted estates are checked for origin, integrity and authority.
- Isolate · On the T1 to T2 link
  Business and network operations sit on their own fabrics. A BSS compromise does not reach the core.
- Lock · On the T2 to DMZ link, the T3 to T4 link and the vendor link
  Access into the core and the edge, and access from vendors, is tied to named operators with the right authority.
- Execute · On the T2 to DMZ link and the T3 to T4 link
  Pushing a change holds until the right approval is in place.
- Relay · Inside the DMZ and on the vendor link
  Movement between domains and from vendors exists for the window of work and not a minute more.
- Unlink · On the vendor link
  When a vendor relationship ends, Unlink removes the persistent connection and the inherited trust.
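The module placements above describe links that are either always traversable or open only for a scheduled, approved window, and the Network Path Audit step later on the page asks operators to find which persistent connections still reach the core. The following Python is an added example written for this page, not Firevault's code: it models the zones as a directed graph whose links are persistent or scheduled (open only inside a maintenance window and only after both the vendor team and internal network security have signed off), runs a breadth-first reachability check over the links open at a given moment, and lists the untrusted zones that can reach the packet core with no window and no approval. The tier mapping (T0 Internet, T1 BSS, T2 OSS, T3 packet core, T4 RAN), the party names, the two-hour window and the whole topology are assumptions of the example, constructed to show the "before" estate from the quote and the governed estate side by side.

```python
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Zone names follow the page's blueprint. Mapping them onto tiers T0..T4, the
# party names and the whole topology below are assumptions of this example.
REQUIRED_PARTIES = frozenset({"vendor-team", "network-security"})
UNTRUSTED = ("T0-Internet", "Vendor")
CORE = "T3-PacketCore"


@dataclass
class Link:
    src: str
    dst: str
    persistent: bool = True                      # logical separation, always traversable
    window: Optional[tuple] = None               # (open_at, close_at) for a scheduled link
    approvals: set = field(default_factory=set)  # parties who signed off on this opening

    def is_open(self, now):
        """Persistent links are always open. A scheduled link is open only inside
        its window and only once every required party has signed off."""
        if self.persistent:
            return True
        if now is None or self.window is None:
            return False
        open_at, close_at = self.window
        return open_at <= now < close_at and REQUIRED_PARTIES <= self.approvals


def reachable(links, start, now=None):
    """Zones reachable from `start` over links open at `now`.
    now=None evaluates persistent links only, which is the audit view."""
    adj = {}
    for link in links:
        if link.is_open(now):
            adj.setdefault(link.src, []).append(link.dst)
    seen, queue = {start}, deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in adj.get(zone, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def persistent_exposure(links, target=CORE, sources=UNTRUSTED):
    """Untrusted zones that reach `target` with no window and no approval:
    the persistent connections a network path audit should surface."""
    return sorted(s for s in sources if target in reachable(links, s, now=None))


def before_topology():
    """Constructed 'before' estate: every boundary is a logical separation that is
    always traversable, so the vendor portal chains straight into the core."""
    return [
        Link("T0-Internet", "T1-BSS"),
        Link("T1-BSS", "T2-OSS"),
        Link("T2-OSS", "DMZ"),
        Link("DMZ", CORE),
        Link(CORE, "T4-RAN"),
        Link("Vendor", "DMZ"),
    ]


def governed_topology(window_open, approvals=()):
    """Same estate with the vendor link and the change route into the DMZ made
    scheduled: closed outside a two-hour window and until both parties sign off."""
    window = (window_open, window_open + timedelta(hours=2))
    scheduled = {("Vendor", "DMZ"), ("T2-OSS", "DMZ")}
    return [
        Link(l.src, l.dst, persistent=False, window=window, approvals=set(approvals))
        if (l.src, l.dst) in scheduled else l
        for l in before_topology()
    ]


def demo():
    """Run the audit over the constructed estate and return the findings."""
    t0 = datetime(2024, 1, 1, 2, 0, tzinfo=timezone.utc)  # constructed window start
    governed = governed_topology(t0, approvals=REQUIRED_PARTIES)
    half_signed = governed_topology(t0, approvals={"vendor-team"})
    return {
        "before_persistent": persistent_exposure(before_topology()),
        "governed_persistent": persistent_exposure(governed),
        "vendor_in_window": sorted(reachable(governed, "Vendor", t0 + timedelta(minutes=30))),
        "vendor_after_window": sorted(reachable(governed, "Vendor", t0 + timedelta(hours=3))),
        "vendor_one_signature": sorted(reachable(half_signed, "Vendor", t0)),
    }


if __name__ == "__main__":
    for finding, zones in demo().items():
        print(f"{finding:22s} {zones}")
```

The audit view (`now=None`) is the one to run against the real estate: any untrusted zone it lists still has a path into the core that does not depend on a window or a signature, which is exactly the kind of "solid on paper" separation the quote describes. The same graph evaluated at a timestamp shows the vendor path existing only for the window of work and only once both parties have approved it.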
Key Capabilities
Sovereign Data Paths
All management and configuration data remains within the agreed jurisdiction in NATO-approved Firevault Bunkers, never transiting public cloud or foreign infrastructure.
Multi-Party Vendor Access
Vendor maintenance sessions require sign-off from both the vendor team and internal network security before any access path is activated.
Ofcom and NIS2 Evidence
Automated compliance logging maps directly to Ofcom security requirements and NIS2 Article 21 outcomes for telecoms operators.
Out-of-Band Management
Dedicated cellular connectivity provides control plane access independent of the carrier network itself, ensuring management capability during network-wide incidents.
Immutable Audit Trail
Every vendor session, configuration change, and access authorisation is recorded in tamper-proof logs stored on physically separate infrastructure.
Verified Core Configuration Baselines
Verified baselines of core network configuration enable restoration of control-plane state during total network compromise scenarios.
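The Immutable Audit Trail capability above records every vendor session and authorisation in tamper-proof logs kept on physically separate infrastructure. The following Python is an added example written for this page, not Firevault's code, showing the minimum structure such a trail needs: each entry's SHA-256 hash covers the previous entry's hash, so an edit in place breaks the chain at a known index, and the latest hash is anchored off-box so that an attacker who rewrites the whole chain on the log store is still caught when it is compared with the anchor. The session events, the ticket number, node and operator names are constructed sample data.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for an empty trail


def entry_hash(prev_hash, record):
    """Hash of this record chained to the previous entry's hash. Canonical JSON
    so the same record always hashes the same way."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AuditTrail:
    """Append-only list of (record, hash); each hash covers the previous hash."""

    def __init__(self):
        self.entries = []

    def head(self):
        """Latest hash: the value to copy onto physically separate infrastructure."""
        return self.entries[-1][1] if self.entries else GENESIS

    def append(self, record):
        h = entry_hash(self.head(), record)
        self.entries.append((dict(record), h))
        return h

    def verify(self, anchored_head=None):
        """Recompute the chain. Returns the index of the first broken entry,
        'head' if the chain is internally consistent but disagrees with the
        off-box anchor, or None if everything checks out."""
        prev = GENESIS
        for i, (record, h) in enumerate(self.entries):
            if entry_hash(prev, record) != h:
                return i
            prev = h
        if anchored_head is not None and prev != anchored_head:
            return "head"
        return None


def build_sample_trail():
    """Constructed vendor maintenance session: request, two approvals, path
    opened, one change, path closed. All values are sample data."""
    trail = AuditTrail()
    trail.append({"seq": 1, "event": "session.requested", "vendor": "vendor-team", "ticket": "MAINT-0001"})
    trail.append({"seq": 2, "event": "approval", "party": "vendor-team"})
    trail.append({"seq": 3, "event": "approval", "party": "network-security"})
    trail.append({"seq": 4, "event": "path.opened", "link": "Vendor->DMZ", "operator": "v.lee"})
    trail.append({"seq": 5, "event": "config.change", "node": "smf-01", "operator": "v.lee"})
    trail.append({"seq": 6, "event": "path.closed", "link": "Vendor->DMZ"})
    return trail


def rewrite_history(trail, index, new_record):
    """What write access to the log store alone allows: replace an entry and
    recompute every later hash so the chain still verifies on its own."""
    records = [r for r, _ in trail.entries]
    records[index] = new_record
    forged = AuditTrail()
    for r in records:
        forged.append(r)
    return forged


def demo():
    """Verify a clean trail, an in-place edit, and a full rewrite against the anchor."""
    trail = build_sample_trail()
    anchor = trail.head()  # copied off-box when the session closed
    edited = build_sample_trail()
    edited.entries[4][0]["operator"] = "someone-else"  # edit in place, hashes untouched
    forged = rewrite_history(build_sample_trail(), 4,
                             {"seq": 5, "event": "config.change", "node": "smf-01", "operator": "someone-else"})
    return {
        "clean": trail.verify(anchor),
        "edited_in_place": edited.verify(anchor),
        "rewritten_chain_alone": forged.verify(),
        "rewritten_chain_vs_anchor": forged.verify(anchor),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:26s} {result!r}")
```

The chain by itself only proves internal consistency; the "rewritten_chain_alone" result is None precisely because an attacker who controls the log store can recompute every hash. The property the page's capability relies on comes from the anchor: as long as the head hash lives on infrastructure the log writer cannot reach, the rewritten chain is detected as "head".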
Demo to Live
Adoption Guide
Network Path Audit
Map every vendor, management, and signalling path into your core network infrastructure, identifying persistent connections and reachability gaps.
Zone Architecture Design
Design physically separated network zones for management, signalling, subscriber data, and vendor access with Control module assignments for each boundary.
Controlled Pilot
Deploy in a non-production network segment with full vendor access governance, multi-party authorisation, and session logging to validate operational procedures.
Core Network Deployment
Full deployment across core network infrastructure with verified configuration baselines, continuous compliance evidence generation, and 24/7 out-of-band management.
Speak to the team to organise a PoC
Walk through your blueprint with the Firevault team and scope a proof of concept on your estate. 30 minutes, no sales pitch.