Railroads are increasingly using Communication-Based Train Control (CBTC) technology to improve service capacity and operating efficiency. CBTC is a mission-critical system in which train monitoring and train control are integrated into a single unified system through data links between vehicles, central processors, and wayside equipment. Radio-over-fiber technology provides a flexible and efficient solution for the Data Communication System (DCS), which must ensure the integrity and reliability of message delivery transparently to the train control functions. A Security Device (SD) is defined as a network entity located between the railroad administration's (the customer's) trusted wired network and the non-trusted portion of the DCS network, including the radio-based segment; it runs on customized hardware with a secure operating system and provides secure gateway functionality. This paper puts forward a network architecture and an SD software platform design that meet the requirements of a typical CBTC system. The IPsec protocol used by the SD for data protection provides authentication through X.509 certificates. A network setup is assembled as a proof of concept for the proposed design, and its performance is assessed through experimental studies.
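As an added illustration that is not taken from the paper, the following strongSwan swanctl.conf fragment shows how an SD's IPsec tunnel toward the untrusted radio segment could be configured so that both gateways authenticate each other with X.509 certificates issued by the railroad administration's CA. All addresses, subnets, identities, and file names are assumed placeholders.

```conf
# Assumed example: SD on the trusted wired side, peer SD at the wayside.
# Certificates live in /etc/swanctl/x509, the CA in /etc/swanctl/x509ca.
connections {
    sd-to-wayside {
        version = 2                          # IKEv2 only
        local_addrs  = 10.10.1.1             # SD interface facing the radio/DCS segment (placeholder)
        remote_addrs = 10.10.2.1             # peer SD / wayside gateway (placeholder)
        proposals = aes256gcm16-prfsha384-ecp384   # AEAD cipher, no legacy suites
        local {
            auth  = pubkey                   # certificate-based authentication
            certs = sd-wired-01.pem          # this SD's certificate (placeholder)
            id    = "CN=sd-wired-01, O=Railroad Admin"
        }
        remote {
            auth    = pubkey
            id      = "CN=sd-wayside-01, O=Railroad Admin"   # pin the expected peer identity
            cacerts = railroad-ca.pem        # only accept peers chaining to this CA
        }
        children {
            dcs {
                local_ts  = 192.168.10.0/24  # trusted wired network (placeholder)
                remote_ts = 192.168.20.0/24  # wayside equipment network (placeholder)
                esp_proposals = aes256gcm16-ecp384   # ESP with perfect forward secrecy
                start_action = start         # bring the tunnel up at daemon start
                dpd_action   = restart       # re-establish if the radio link drops
            }
        }
        dpd_delay = 30s                      # dead-peer detection for the lossy segment
    }
}

authorities {
    railroad-ca {
        cacert  = railroad-ca.pem
        crl_uris = http://pki.example.invalid/railroad-ca.crl   # placeholder CRL location
    }
}
```

Traffic between the two protected subnets only flows once the peer has presented a certificate chaining to the railroad CA with the pinned identity, which is the trust boundary the SD is meant to enforce.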