This post discusses how SD-WAN technology provides rail operators with the software tools they need to overcome these challenges.
The capabilities of 4G/LTE, and even more so 5G, mean that rolling stock can be brought into a train operator's WAN even while in service and travelling at high speed. The WAN connects one or more LANs in the rail control centre to a LAN in each rail carriage. This real-time connectivity means that each carriage can provide online services for all its occupants, from ticketing, travel information and Wi-Fi for passengers, to IoT-based maintenance data collection for engineering staff.
However, this means that each carriage must have a router bridging the 4G/LTE/5G ground-to-train link and the Wi-Fi and Ethernet networks on board. For the train operator, this equates to a large number of routers, widely and unpredictably dispersed around the country as dictated by the schedules on the live rail routes.
In traditional networks, each router has to be set up by a network engineer or administrator who writes rules and policies to control and manage the data flow and routes. This process, which is often manual, can be time-consuming and prone to errors, especially when engineers have to locate and visit each carriage.
The SD-WAN software solution
Fortunately, a solution exists in the form of software-defined wide area network (SD-WAN) technology. SD-WAN separates the control and management functions from the underlying network hardware in each router and renders them as software that can be configured and deployed remotely. This means that SD-WAN-enabled routers can be installed in rolling stock by non-IT specialists. On power-up, the appliance joins the network and connects to the central SD-WAN controller, which provisions and configures the new equipment and brings it online: zero-touch provisioning (ZTP). Because any device that can reach the controller could otherwise present itself as a new carriage router, the appliance should authenticate to the controller (typically with a device certificate) before it receives any configuration. Administrators in the operations centre can then write rules and policies and distribute them to the entire fleet simultaneously, and changes and upgrades can be managed just as easily.
SD-WAN builds on these fundamental features to offer many other advantages, some of which are particularly useful to rail operators endeavouring to optimise their live rolling stock’s online services. Although the final link to the rolling stock must inevitably be a 4G/LTE or 5G wireless link, multiple services nearer to the operations centre may be in use – MPLS for performance and privacy, and broadband for lower cost and wider availability, for example. All of these services can be combined into the SD-WAN so that users can achieve the best cost/performance balance for each application.
Dynamic path selection, for example, automatically steers traffic onto one WAN link or another depending on network conditions or traffic characteristics. Packets may be moved to a particular link because another path is down or degraded, or to balance traffic across all available links. This matters for maintaining quality of service (QoS) to a carriage travelling at speed between the coverage areas of successive 5G ground transmitters: each carriage router may have more than one WWAN connection (4G/LTE and 5G, for example), and as one link degrades during a handover, traffic can be directed through whichever channel is currently performing best.
SD-WAN technology can also combine policy-based management with dynamic path selection to further boost QoS. Centrally generated policies choose paths for individual applications according to their priority and bandwidth requirements. For example, video and VoIP traffic can be given transmission priority and routed onto low-latency paths, while cost savings can be made by sending file backups across a broadband internet connection.
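The following is an added example, not code from this post or from Teldat, of how an SD-WAN edge might apply per-application policies together with live link measurements. It goes slightly beyond the text: it also shows the failover case in which no link meets an application's SLA. The link set, the SLA thresholds, the application classes and the cost metric are all assumptions.

```python
"""Policy-based path selection with dynamic failover at one SD-WAN edge.

Added example, not code from Teldat or this post; the link table, the SLA
thresholds and the application policies below are assumptions.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Link:
    name: str
    up: bool
    latency_ms: float
    loss_pct: float
    cost: float  # assumed relative cost per GB, used by cost-sensitive apps


@dataclass(frozen=True)
class AppPolicy:
    max_latency_ms: float  # a link above this latency does not meet the SLA
    max_loss_pct: float    # a link above this loss does not meet the SLA
    preferred: List[str]   # ordered link preference, best first
    cheapest: bool = False  # pick the cheapest compliant link, not the first


# Constructed link state for an edge that has all four transports available.
LINKS: Dict[str, Link] = {
    "mpls": Link("mpls", True, 20.0, 0.0, 8.0),
    "broadband": Link("broadband", True, 45.0, 0.5, 1.0),
    "5g": Link("5g", True, 30.0, 0.2, 3.0),
    "lte": Link("lte", True, 70.0, 1.5, 3.0),
}

# Assumed application policies, as a controller would push them to every edge.
POLICIES: Dict[str, AppPolicy] = {
    "voip": AppPolicy(50.0, 1.0, ["mpls", "5g", "lte"]),
    "video": AppPolicy(80.0, 2.0, ["5g", "mpls", "lte"]),
    "backup": AppPolicy(500.0, 5.0, ["broadband", "lte", "5g", "mpls"], cheapest=True),
}


def meets_sla(link: Link, policy: AppPolicy) -> bool:
    """True if the link is up and within the policy's latency and loss limits."""
    return (link.up
            and link.latency_ms <= policy.max_latency_ms
            and link.loss_pct <= policy.max_loss_pct)


def select_path(app: str, links: Dict[str, Link]) -> Optional[str]:
    """Return the name of the link this application's traffic should use now."""
    policy = POLICIES[app]
    compliant = [links[n] for n in policy.preferred
                 if n in links and meets_sla(links[n], policy)]
    if compliant:
        if policy.cheapest:
            return min(compliant, key=lambda lnk: lnk.cost).name
        return compliant[0].name
    # No link meets the SLA: degrade onto the least-bad live link rather
    # than blackholing the application.
    alive = [lnk for lnk in links.values() if lnk.up]
    if not alive:
        return None
    return min(alive, key=lambda lnk: (lnk.loss_pct, lnk.latency_ms)).name


def select_all(links: Dict[str, Link]) -> Dict[str, Optional[str]]:
    """Path decision for every application class under the given link state."""
    return {app: select_path(app, links) for app in POLICIES}


def with_link(links: Dict[str, Link], name: str, **changes) -> Dict[str, Link]:
    """Copy of the link table with one link's measured state changed."""
    return {**links, name: replace(links[name], **changes)}


if __name__ == "__main__":
    print("steady state:", select_all(LINKS))
    handover = with_link(LINKS, "5g", latency_ms=120.0, loss_pct=3.0)
    print("5g degraded during handover:", select_all(handover))
    print("mpls down:", select_all(with_link(LINKS, "mpls", up=False)))
```

In steady state VoIP lands on MPLS, video on 5G and backups on the cheapest compliant link (broadband). When the 5G measurements degrade, video is re-steered to MPLS without touching the other classes; when only a non-compliant link is left, the selector still returns it rather than dropping the application, which is the behaviour a practitioner usually wants for a moving carriage.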
Scalable security policies can be defined once, distributed across the entire WAN, and then maintained and enforced centrally. Malicious traffic can be filtered and blocked without affecting the rest of the network's operations, and suspicious activity can be automatically redirected and reported to administrators. New security policies can be created, controlled and deployed at scale as new applications are provisioned across the entire rail network.
Virtual firewall instances can be spun up on demand to contain an active threat or malware outbreak and torn down once it has been neutralised. Virtual firewalls can also restrict the applications and websites that passengers and staff are allowed to reach, as appropriate to each group.
However, the need for ever more advanced network security is being driven by an unfortunate coincidence of two factors: a financially motivated shift from private MPLS WAN services to lower-cost but less private Internet transport, at the same time as state-sponsored attacks, malware and advanced multi-vector threats are increasing. MPLS provided privacy through traffic separation rather than encryption; once traffic crosses the public Internet, the SD-WAN overlay tunnels (typically IPsec) become the only thing keeping it confidential, so their configuration deserves the same scrutiny as the firewall rules.
One response available to SD-WAN operators is third-generation firewall technology, known as the next-generation firewall (NGFW). This combines a traditional firewall with other filtering functions, such as an application firewall using in-line deep packet inspection (DPI) and an intrusion prevention system (IPS). Other techniques may also be employed: TLS/SSL encrypted traffic inspection, website filtering, QoS and bandwidth management, antivirus inspection, and integration with third-party identity management (LDAP, RADIUS and Active Directory).
NGFWs offer administrators a deeper awareness of and control over individual applications, along with deeper inspection capabilities by the firewall. Administrators can create very granular “allow/deny” rules for controlling use of websites and applications in the network.
Network traffic analysis
Migrating from a traditional WAN to an SD-WAN allows rail operators to manage complex, distributed and often cloud-based applications efficiently. While this integration facilitates a better user experience for the train passengers and staff, it generates more connections and traffic. A train operator may connect to a variety of third-party services, for example, or be using a distributed hosting architecture, with multiple components running in numerous clouds.
However, an SD-WAN's complexity means that end-to-end network monitoring becomes essential; without it there is no practical way of confirming that all the network's configurations are performing as expected. This monitoring can be performed using network traffic analysis (NTA) from a single pane of glass that gives deep visibility into the entire SD-WAN.
NTA should include automated collection of SD-WAN data from across all transport circuits, network services and endpoints, including network flow data. This enables automated data analysis which can alert network administrators to complex networking trends or anomalies that would be hard to detect manually.
Administrators should also be able to analyse the performance and security of individual network components (such as VPNs, VPCs, specific types of service or a collection of endpoints) in addition to monitoring the SD-WAN as a whole. Licence and inventory management and device maintenance should also be possible from the same place.
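The following is an added example, not code from this post or from Teldat, of the kind of automated analysis the preceding paragraphs describe: flow records exported from every carriage are compared across the fleet so that one carriage behaving differently from its peers stands out, which is hard to spot by eye across many sites. The flow format, the site names, the thresholds and the records themselves are all constructed for the example.

```python
"""Fleet-wide anomaly detection over SD-WAN flow records.

Added example, not the post's or Teldat's code. The flow export format,
the site names and the thresholds are assumptions; the records below are
constructed (addresses come from documentation ranges).
"""
import statistics
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    site: str
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


# Constructed outbound flow export, one flow per line:
# site,src,dst,dport,proto,bytes
SAMPLE_FLOWS = """\
carriage-01,10.1.0.20,203.0.113.10,443,tcp,310000
carriage-01,10.1.0.5,198.51.100.7,8883,tcp,12000
carriage-02,10.2.0.20,203.0.113.10,443,tcp,295000
carriage-02,10.2.0.5,198.51.100.7,8883,tcp,11000
carriage-03,10.3.0.20,203.0.113.10,443,tcp,330000
carriage-03,10.3.0.5,198.51.100.7,8883,tcp,13000
carriage-04,10.4.0.20,203.0.113.10,443,tcp,300000
carriage-04,10.4.0.5,198.51.100.7,8883,tcp,12500
carriage-05,10.5.0.20,203.0.113.10,443,tcp,305000
carriage-05,10.5.0.5,198.51.100.7,8883,tcp,12000
carriage-05,10.5.0.5,192.0.2.44,4444,tcp,2600000
"""


def parse_flows(text: str) -> List[Flow]:
    """Parse the assumed comma-separated export into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        site, src, dst, dport, proto, nbytes = line.split(",")
        flows.append(Flow(site, src, dst, int(dport), proto, int(nbytes)))
    return flows


def bytes_per_site(flows: List[Flow]) -> Dict[str, int]:
    """Total outbound bytes per site (carriage)."""
    totals: Dict[str, int] = defaultdict(int)
    for f in flows:
        totals[f.site] += f.nbytes
    return dict(totals)


def volume_outliers(totals: Dict[str, int], threshold: float = 3.5) -> Dict[str, float]:
    """Sites whose outbound volume is an outlier against the rest of the fleet.

    Scores with the modified z-score, 0.6745 * (x - median) / MAD, which a
    single runaway site cannot drag upwards the way a mean and standard
    deviation can. Only sites above the threshold are returned.
    """
    values = list(totals.values())
    if len(values) < 3:
        return {}  # too few peers to compare against
    median = statistics.median(values)
    mad = statistics.median([abs(v - median) for v in values])
    if mad == 0:
        return {}  # fleet is uniform; no spread to score against
    scores = {site: 0.6745 * (v - median) / mad for site, v in totals.items()}
    return {site: round(s, 1) for site, s in scores.items() if s > threshold}


def rare_ports(flows: List[Flow], min_sites: int = 2) -> List[Tuple[str, int]]:
    """(site, port) pairs where the port is used by fewer than min_sites sites.

    A destination port that only one carriage talks to is worth a look, since
    every carriage runs the same service set.
    """
    sites_by_port: Dict[int, set] = defaultdict(set)
    for f in flows:
        sites_by_port[f.dport].add(f.site)
    return sorted({(f.site, f.dport) for f in flows
                   if len(sites_by_port[f.dport]) < min_sites})


def analyse(text: str) -> Dict[str, object]:
    """Run both checks over an export and return the findings."""
    flows = parse_flows(text)
    return {"volume": volume_outliers(bytes_per_site(flows)),
            "rare_ports": rare_ports(flows)}


if __name__ == "__main__":
    print(analyse(SAMPLE_FLOWS))
```

On the constructed data, carriage-05 is flagged on both checks: its outbound volume is roughly a hundred modified-z units above the fleet median, and it is the only site with a flow to port 4444. Either finding alone would be a sensible trigger for the automatic redirection and reporting described above.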
Teldat is well positioned to provide comprehensive SD-WAN solutions for rolling stock, because we provide both the hardware and the software components. Our routers and access points support 4G/LTE, 5G and Wi-Fi 6, and our SD-WAN solution is a complete CNM suite covering remote device and network management, analysis and security.