About This Architecture
This architecture is a secure railway signalling network with dual-firewall protection, VLAN segmentation, and centralized SIEM monitoring across distributed stations and operations centers. Traffic flows from station-level Huawei switches through a 10G WAN backbone to the Ahmedabad OCC, where Palo Alto and FortiGate firewalls enforce defense-in-depth before traffic reaches the TMS, EAM, and diagnostic servers.

On the edge PCs, iptables hardening restricts FIU communication to UDP only, while Secure Log Forwarding (Syslog/TLS) and ELK/Graylog SIEM analysis provide real-time threat detection and compliance logging. The architecture demonstrates least-privilege access, network segmentation by function (Signalling, TMS, Diagnostics, NTP, and DCU VLANs), and hardened edge computing for critical infrastructure.

Fork this diagram on Diagrams.so to customize firewall rules, add redundancy, or adapt it for your own railway or utility SCADA deployment. The design balances operational availability with security isolation, making it ideal for safety-critical systems that require audit trails and rapid incident response.
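One way to verify the UDP-only FIU restriction on an edge PC is to audit its `iptables-save` output; the following is an added example, not part of the original diagram or page. The FIU address, the UDP port and both sample rulesets are constructed placeholders, and `opt` and `audit_fiu_rules` are hypothetical helper names.

```python
import ipaddress
import shlex

# Constructed iptables-save samples; the FIU address (TEST-NET-1) and UDP port
# are placeholders, not values taken from the architecture description.
FIU = "192.0.2.10/32"
WEAK = """*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.0.2.10/32 -j ACCEPT
-A OUTPUT -d 192.0.2.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""
HARDENED = """*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p udp -m udp --dport 5000 -j ACCEPT
-A OUTPUT -d 192.0.2.10/32 -p udp -m udp --dport 5000 -j ACCEPT
COMMIT
"""

def opt(tokens, flag, default=None):
    """Value following `flag` in a tokenised rule, or `default` if absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else default

def audit_fiu_rules(ruleset, fiu_cidr):
    """Return findings where the ruleset lets the FIU use anything but UDP."""
    fiu, findings = ipaddress.ip_network(fiu_cidr), []
    for line in ruleset.splitlines():
        if line.startswith(":"):  # chain policy, e.g. ":INPUT DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            if chain in ("INPUT", "OUTPUT") and policy != "DROP":
                findings.append(f"{chain}: default policy {policy}, expected DROP")
            continue
        t = shlex.split(line)
        if t[:1] != ["-A"] or t[1] not in ("INPUT", "OUTPUT") or opt(t, "-j") != "ACCEPT":
            continue
        if "lo" in (opt(t, "-i"), opt(t, "-o")):
            continue  # loopback traffic never reaches the FIU
        if "!" in t:
            findings.append(f"{t[1]}: negated match, review by hand: {line}")
            continue
        # A rule without an address matches every peer, the FIU included.
        peer = opt(t, "-s" if t[1] == "INPUT" else "-d", "0.0.0.0/0")
        if ipaddress.ip_network(peer, strict=False).overlaps(fiu) and opt(t, "-p") != "udp":
            findings.append(f"{t[1]}: non-UDP ACCEPT reaches FIU: {line}")
    return findings
```

Feeding the function the text of `iptables-save` from each edge PC gives a per-host list of deviations that can be forwarded to the SIEM alongside the other logs.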