Private 5G networks for military installations: architecture and security

By Corvus Intelligence Engineering Team · About the team →

June 23, 2026 10 min read

Private 5G networks have moved from a commercial-enterprise curiosity to a serious option for defense connectivity. A private 5G network gives a military organization a dedicated, high-capacity cellular network it owns and controls end to end — the radios, the core, the spectrum, and the subscriber database. This article explains how to design and secure private 5G for military installations: the core architecture, network slicing for mission segregation, spectrum and radio planning, the 5G security model, edge computing integration, and air-gapped operation.

The relevant deployment pattern is not nationwide mobile coverage. It is bounded, high-density connectivity within an installation — a forward operating base, a port, an airfield, a logistics hub, a training range — where a large number of sensors, vehicles, handsets, and IoT devices need reliable, low-latency, high-bandwidth links that commercial carriers cannot provide securely. Private 5G fills that gap as a fixed or semi-fixed infrastructure layer that integrates with the installation's zero-trust architecture and edge cloud.

Why private 5G for defense

The case for private 5G in defense rests on control and determinism. A commercial carrier network is shared infrastructure: its capacity is contended by civilian subscribers, its coverage is optimized for population density rather than mission geography, and its core is operated by a third party whose priorities, lawful-intercept obligations, and resilience are outside military control. In a contingency, commercial networks may be congested, jammed, degraded, or simply switched off. A private network removes that dependency entirely.

Dedicated spectrum control means the organization knows exactly what is transmitting in its band and can manage interference, deconfliction, and emission control on its own terms. Deterministic latency is the second driver: ultra-reliable low-latency configurations deliver sub-10-millisecond round trips, which matters for C2 signaling, remote control of platforms, and sensor-to-shooter loops where jitter and tail latency are unacceptable.

Compared to tactical radio, private 5G offers far higher bandwidth and device density — hundreds of high-definition ISR feeds and thousands of IoT sensors on one network — but it is fixed infrastructure, not a maneuver waveform. Compared to Wi-Fi, 5G provides carrier-grade mobility, scheduled (not contended) air-interface access, native QoS, SIM-based authentication, and a coverage footprint Wi-Fi cannot match. For a fixed installation that needs both capacity and assured access, private 5G is the right tool.

5G core architecture for military deployment

The first architectural decision is standalone (SA) versus non-standalone (NSA). NSA reuses a 4G LTE core (the EPC) and anchors the 5G radio to an existing LTE control plane — quick to deploy but it inherits LTE's security limitations and cannot deliver the full 5G feature set. SA uses a native 5G core (the 5GC) with a service-based architecture. For defense, SA is the correct target: only SA supports network slicing, URLLC, the improved 5G authentication model, and subscriber-identity concealment. NSA is at best a transitional step.

The 5GC separates the control plane from the user plane (CUPS — Control and User Plane Separation). The control-plane functions (AMF for access and mobility, SMF for sessions, AUSF for authentication, UDM for subscriber data, NRF for service discovery) decide policy; the user-plane function (UPF) forwards the actual traffic. This separation lets the operator place the UPF close to where traffic is consumed — at the edge, beside the radios — while keeping control functions centralized, which is exactly what low-latency edge processing requires.

A defense private 5G core should be containerized and run on-premise. Open-source 5G core projects such as Open5GS and Magma demonstrate that a full 5GC can run as containers on a Kubernetes cluster in the installation's data center, or on a ruggedized edge server in the field. On-premise hosting keeps the entire core — and every byte of subscriber and traffic data — on infrastructure the organization physically controls, which is the foundational requirement for classified deployments.

Network slicing for mission segregation

Network slicing partitions one physical 5G network into multiple logical networks, each with independent performance and isolation. The 5G standard defines three slice service types. Enhanced mobile broadband (eMBB) maximizes throughput for high-bandwidth traffic. Ultra-reliable low-latency communication (URLLC) guarantees low latency and high reliability for time-critical control. Massive machine-type communication (mMTC) supports very large numbers of low-rate devices. These map cleanly onto defense traffic classes.

In a military installation, slicing isolates traffic by mission and sensitivity. ISR video runs on a dedicated eMBB slice sized for sustained high throughput. C2 signaling runs on a URLLC slice with a guaranteed latency budget so command traffic is never starved by bulk video. Logistics and base-infrastructure IoT — environmental sensors, asset trackers, access control — runs on an mMTC slice tuned for device density rather than per-device bandwidth.

Each slice carries its own QoS profile and, critically, its own security boundary. Per-slice encryption and isolation mean a compromise or saturation in one slice does not bleed into the others: an overloaded ISR slice cannot delay C2 traffic, and a compromised IoT device on the mMTC slice has no path to the C2 slice. Slice isolation is enforced in both the RAN scheduler and the core, and slice-selection policy is bound to subscriber credentials so a device is admitted only to the slices its mission role authorizes.

Spectrum and RAN considerations

Spectrum is the gating constraint. In the United States, the Citizens Broadband Radio Service (CBRS) at 3.5 GHz provides shared access governed by a Spectrum Access System and is widely used for private networks. Globally, the 5G n78 band (3.3–3.8 GHz) is the dominant mid-band, balancing coverage and capacity, and several nations license dedicated local private-network spectrum within it — Germany's 3.7–3.8 GHz local-licensing scheme is a well-known example. Every deployment must coordinate with the national spectrum authority and deconflict with existing military and civilian users.

The radio access network is planned around the coverage area and the most demanding slice. gNodeB placement is driven by RF propagation modeling that accounts for buildings, terrain, and the link budget needed to meet the URLLC latency and reliability target at the cell edge. Indoor and dense areas favor small cells; wide open areas favor macro cells. Mid-band offers a practical compromise between the reach of low band and the capacity of millimeter wave.

For field and expeditionary use, the radio infrastructure must be deployable. Cell-on-wheels and containerized base-station units let an installation stand up coverage rapidly at a new site. A private 5G base station is also an RF emitter with a detectable electromagnetic signature, so RAN planning is not only about coverage — it must fit the installation's emission control (EMCON) posture, with the ability to reduce power, shape coverage, or shut down emitters when the threat environment requires.

Security architecture

5G's security model is a major improvement over earlier generations, and a private deployment lets the operator own all of it. The permanent subscriber identity (SUPI — Subscription Permanent Identifier) is never sent in the clear over the air. Instead the device encrypts it into a SUCI (Subscription Concealed Identifier) using the home network's public key, defeating the IMSI-catcher tracking attacks that plagued 2G/3G/4G.

Mutual authentication uses 5G-AKA (Authentication and Key Agreement): the device and network authenticate each other, and the resulting key hierarchy protects signaling and user traffic. Credentials live in a SIM or eSIM and in the core's Unified Data Management (UDM) and authentication (AUSF) functions. In a private network the operator runs the entire key-provisioning chain — generating subscriber keys, provisioning SIMs and eSIMs, and operating the UDM — so there is no trust dependency on a commercial carrier's key management.

5G authentication is the first factor, not the whole story. It should integrate with the installation's zero-trust architecture, where 5G-AKA device authentication is augmented by application-layer identity, device posture, and continuous authorization. If the network ever needs to interconnect with another 5G network, the Security Edge Protection Proxy (SEPP) protects inter-network signaling at the roaming boundary; for a fully isolated installation, no SEPP roaming path is exposed at all.

Edge computing integration (MEC)

Multi-access edge computing (MEC) is where private 5G earns its keep for defense. MEC places compute — servers, GPUs, accelerators — at the network edge, colocated with the RAN, so applications run beside the radios rather than in a distant data center. Because CUPS lets the UPF sit at the edge, traffic from a slice can be steered directly into a local MEC application without ever traversing a backhaul link.

The highest-value workload is AI inference at the edge. ISR video from drones and ground sensors can be processed where it lands — object detection, tracking, and classification running on edge GPUs colocated with the gNodeB — so only detections and alerts, not raw multi-gigabit feeds, need to move further. This collapses the sensor-to-decision timeline and removes the dependency on cloud connectivity for time-critical analytics.

The latency benefit is decisive for sensor-to-shooter applications. Round-trip time to a distant cloud can be tens to hundreds of milliseconds; an edge MEC node colocated with the radio keeps the full sensor-process-decide loop within single-digit milliseconds on the URLLC slice. Hosting inference, preprocessing, and fusion at the 5G edge is what turns a private 5G network from a transport pipe into a tactical compute fabric. This pattern aligns directly with tactical edge cloud for disconnected operations.

Air-gapped and disconnected operation

A standalone 5G core needs no internet to function. Every required network function — AMF, SMF, UPF, UDM, AUSF, NRF — can run on local infrastructure, and subscriber authentication resolves entirely against the local UDM database. Devices authenticate, attach, and exchange traffic with zero external dependency. This is what makes private 5G viable for classified enclaves and disconnected forward deployments where internet access is unavailable or prohibited.

Air-gapped operation does impose discipline. The subscriber database and a local certificate authority must be maintained on-site. Software updates for the core and RAN must be handled through a controlled offline process rather than pulled from a vendor cloud. Time synchronization is a frequently overlooked requirement: 5G depends on precise timing, normally from a local GPS-disciplined oscillator or atomic clock rather than internet NTP, and that timing source must itself be resilient against GPS denial.

Resilience and failover round out the design. Core network functions should run with redundancy so the loss of one node does not drop the network, and the architecture should degrade gracefully — a slice or MEC node failing should not take down authentication or C2 connectivity. Throughout, the deployment must respect EMCON: the ability to throttle, shape, or silence emissions is part of operating a network whose own radios are a detectable signature.

Key insight: The most common misconception about private 5G in defense is that it replaces tactical radio. It does not. Private 5G provides high-bandwidth, low-latency connectivity within a bounded coverage area — a forward operating base, a port, an airfield, a training range. It is a fixed or semi-fixed infrastructure layer, not a maneuver communications system. The correct architecture treats private 5G as the high-capacity backbone within installations and tactical radio (MANET) as the mobile extension beyond 5G coverage, with seamless data handover between the two domains at the boundary.

Secure your private 5G infrastructure with quantum-resilient encryption

Corvus QUANTUM provides post-quantum encrypted streaming and zero-trust data protection for private 5G military networks — securing sensor data, C2 traffic, and edge inference across network slices in air-gapped and connected deployments.

Explore Corvus QUANTUM → Book a Briefing

This analysis was prepared by Corvus Intelligence engineers who build mission-critical secure infrastructure and cloud systems for defense and government organizations. Learn about our team →

Frequently Asked Questions

What is a private 5G network and why would a military organization deploy one?

A private 5G network is a dedicated cellular network operated by and for a single organization, using either licensed, shared, or unlicensed spectrum, with all core network functions under the organization's control. For military organizations, the motivation is control and assurance: a private 5G network does not depend on commercial carrier infrastructure that may be unavailable, congested, or compromised in a contingency; it provides deterministic low-latency connectivity (sub-10 ms) required for sensor-to-shooter and C2 applications; and it keeps all network traffic and subscriber data on infrastructure the organization physically controls. Typical deployments cover bounded areas — forward operating bases, ports, airfields, logistics hubs, training ranges — where high-bandwidth connectivity is needed but commercial coverage is inadequate or untrusted.

What is 5G network slicing and how is it used for military mission segregation?

Network slicing partitions a single physical 5G network into multiple logical networks, each with its own performance characteristics and security isolation. The 5G standard defines three slice categories: enhanced mobile broadband (eMBB) for high-bandwidth applications like ISR video, ultra-reliable low-latency communication (URLLC) for time-critical C2 and control applications, and massive machine-type communication (mMTC) for large numbers of low-rate IoT sensors. In a military deployment, slicing isolates traffic by mission and sensitivity: ISR video runs on a dedicated eMBB slice, C2 signaling on a URLLC slice with guaranteed latency, and logistics IoT on an mMTC slice — each with independent QoS guarantees and per-slice encryption so that a compromise or overload in one slice does not affect the others.

What spectrum is used for private 5G military networks?

Private 5G spectrum options vary by country and deployment. In the United States, the Citizens Broadband Radio Service (CBRS) band at 3.5 GHz provides shared spectrum access through a Spectrum Access System, widely used for private networks. The 5G n78 band (3.3–3.8 GHz) is the most common mid-band globally, balancing coverage and capacity. Many nations have allocated dedicated private network spectrum (e.g., Germany's 3.7–3.8 GHz local licensing). For military deployments, the spectrum decision involves coordination with national spectrum authorities, deconfliction with existing military and civilian users, and consideration of the electromagnetic signature — a private 5G base station is an RF emitter that must be managed within the installation's emission control posture.

How does authentication and subscriber security work in a private 5G network?

5G uses the 5G-AKA (Authentication and Key Agreement) protocol for mutual authentication between the subscriber device and the network. Each subscriber identity (SUPI — Subscription Permanent Identifier) is never transmitted in cleartext over the air; instead it is encrypted into a SUCI (Subscription Concealed Identifier) using the network's public key, preventing IMSI-catcher style tracking attacks that plagued earlier cellular generations. Subscriber credentials are stored in a SIM or eSIM and in the network's Unified Data Management (UDM) function. For a private military network, the operator controls the entire key provisioning chain: generating subscriber keys, provisioning SIMs/eSIMs, and managing the UDM — eliminating the trust dependency on a commercial carrier's key management that exists in public networks.

Can a private 5G network operate fully air-gapped from the internet?

Yes. A standalone (SA) 5G core hosting all required network functions — AMF (access and mobility management), SMF (session management), UPF (user plane), UDM (subscriber data), AUSF (authentication) — can run entirely on local infrastructure with no internet connectivity. Subscriber authentication uses the local UDM database, so devices authenticate and connect without any external dependency. The main considerations for air-gapped operation are: maintaining the subscriber database and certificate authority locally, handling software updates through a controlled offline process, and time synchronization (5G requires precise timing, typically from a local GPS-disciplined or atomic clock source rather than internet NTP). This makes private 5G suitable for classified enclaves and disconnected forward deployments where internet connectivity is unavailable or prohibited.