Low-Capital Expenditure AI-Assisted Zero-Trust Control Plane for Brownfield Ethernet Environments ^†

Abstract

We developed an AI-assisted zero-trust control system at low capital expenditure to retrofit brownfield Ethernet environments without disruptive hardware upgrades or costly software-defined networking migration. Legacy network infrastructures in small and medium-sized enterprises (SMEs) lack the flexibility and programmability required by modern zero-trust architectures, creating a persistent security gap between static Layer-1 deployments and dynamic cyber threats. The developed system addresses this gap through a modular architecture that integrates genetic-algorithm-based virtual local area network (VLAN) optimization, large language model-guided firewall rule synthesis, threat-intelligence-driven policy automation, and telemetry-triggered adaptive isolation. Network assets are enumerated and evaluated through a risk-aware clustering model to enable micro-segmentation that aligns with the principle of least privilege. Optimized segmentation outputs are translated into pfSense firewall policies through structured prompt engineering and dual-stage validation, ensuring syntactic correctness and semantic consistency. A retrieval-augmented generation pipeline connects live telemetry with historical vulnerability intelligence, enabling rapid policy adjustments and automated containment responses. The system operates as an overlay on existing managed switches, orchestrating configuration changes through standards-compliant interfaces such as simple network management protocol and network configuration protocol. Experimental evaluation in a representative SME testbed demonstrates substantial improvements in segmentation granularity, refining seven flat subnets into thirty-four purpose-specific VLANs. Compliance scores improved significantly, with the International Organization for Standardization/International Electrotechnical Commission 27001 rising from 62.3 to 94.7% and the National Institute of Standards and Technology Cybersecurity Framework alignment increasing from 58.9 to 91.2%. All 851 automatically generated firewall rules passed dual-agent validation, ensuring reliable enforcement and enhanced auditability. The results indicate that the system developed provides an operationally feasible pathway for legacy networks to achieve zero-trust segmentation with minimal cost and disruption. Future extensions will explore adaptive learning mechanisms and hybrid cloud support to further enhance scalability and contextual responsiveness.

1. Introduction

Legacy Ethernet infrastructure, known as brownfield networks, remains the dominant physical layer in small and medium enterprises (SMEs). Many such networks were cabled a decade or more ago and lack the flexibility demanded by zero-trust security models. Retrofitting cables or replacing switches is often unfeasible due to budget, downtime, or heritage constraints. Brownfield deployments, therefore, face a chronic gap between static Layer-1 realities and dynamic cyber-threat landscapes.

Classical remedies do not close this gap. Static virtual local area networks (VLANs) provide only coarse isolation and rely on error-prone manual procedures [1]. Software-defined networking (SDN) enables fine-grained flow control, yet its specialized hardware and steep learning curve translate into capital and operational costs that most SMEs cannot bear. Meanwhile, the attack surface is expanding. Cloud migration, remote work, and commodity IoTs drive lateral-movement risk beyond what perimeter firewalls can defend. Organizations require a control plane that is programmable, context-aware, and economically viable.

In this study, we developed a modular, cost-conscious, adaptive zero-trust control plane tailored to brownfield Ethernet deployments. The system’s architecture is explicitly designed to ride on the existing copper and commodity managed switches, thus avoiding specialized hardware upgrades or disruptive physical rewiring. At its core, the system combines AI-assisted security operations (SecOps) telemetry with an optimization and policy-generation pipeline. First, telemetry and contextual asset data feed a genetic-algorithm (GA) engine that computes risk-aware Institute of Electrical and Electronics Engineers (IEEE) 802.1Q VLAN assignments. Second, the resulting segmentation context is translated into pfSense firewall policies by a large language model (LLM) guided through structured prompt engineering and hardened by dual-stage validation.

These components execute within a closed-loop feedback regime in which tightly coupled stages, which are telemetry ingestion, VLAN optimization, rule synthesis, verification, and enforcement, are orchestrated over standards-compliant south-bound interfaces (simple network management protocol (SNMP), Network Configuration Protocol/Representational State Transfer (NETCONF/REST)). Continuous injection of threat intelligence and runtime alerts allows the control plane to adapt policy state without manual intervention, aligning with zero-trust principles of least privilege and explicit, context-driven access. Since the system overlays rather than replaces the installed Ethernet fabric, it offers a low capital expenditure (CapEx) and operationally tractable alternative to full SDN migration. This enables progressive micro-segmentation, breaking down traditional broad, functionally defined subnets into multiple dedicated VLANs, greatly strengthening security posture while preserving required business workflows.

The remainder of this article is structured as follows. Section 2 reviews the related works. Section 3 describes the proposed methodology and design in detail. Section 4 reports and discusses the experimental results. Finally, Section 5 concludes the study and outlines directions for future research.

2. Background and Related Work

Brownfield networks continue to anchor connectivity in SMEs because rewiring or wholesale equipment replacement is cost-prohibitive and operationally risky [2,3]. Yet these static Layer-1 topologies are colliding with an escalating threat landscape marked by cloud workload sprawl, ubiquitous IoT endpoints, and supply-chain-driven attacks, all of which enlarge the lateral-movement surface that perimeter firewalls were never designed to police [4,5]. The conventional remedies, such as logical segmentation with port-based or IEEE 802.1Q VLANs, reduce broadcast domains but are chronically undermined by decades of undocumented modification, permissive “any-any” rules, and configuration drift, creating a false sense of isolation while leaving exploitation paths wide open [6]. Micro-segmentation platforms promise finer controls, yet they require extensive flow discovery, inline enforcement points, and policy sets that scale into tens of thousands of objects, which is an operational burden that few SMEs can sustain [7]. SDN offers controller-based programmability and zero-trust compatible flow steering, but brownfield adoption typically demands a disruptive “rip-and-replace” cycle plus high capital outlay for SDN-capable switches and redundant controllers. Techno-economic analyses consistently flag CapEx as the dominant barrier to SDN retrofits in legacy plants [8,9].

Against this backdrop, security architects are converging on overlay approaches that inject adaptive controls without disturbing the physical fabric. The conceptual pivot is provided by Zero Trust Architecture (ZTA), which dispenses with location-based trust and demands continuous, identity-centric verification [10,11]. The National Institute of Standards and Technology (NIST)’s canonical model frames this verification loop around a policy engine fed by rich telemetry and threat intelligence, implicitly inviting automation-friendly integration [12]. Cloud-native security information and event management (SIEM)/security orchestration, automation, and response (SOAR) platforms have risen to a mandate. New-generation services or products provide elastic log ingestion, built-in user-behavior and entity-behavior analytics, and playbook automation that decreases the dwell time of intrusions [13]. When augmented with machine-learning analytics and retrieval-augmented generation (RAG), these platforms can translate high-level intent and contextual asset data into actionable responses that close the semantic gap between zero-trust policy objectives and low-level device configurations [14,15,16]. LLMs synthesize firewall rules directly from natural-language constraints, while genetic algorithms excel at optimizing segmentation layouts under complex risk functions [17]. Collectively, these advances motivate an overlay security architecture that couples AI-assisted SecOps with legacy Layer-2 automation, offering SMEs a reproducible, low-CapEx pathway from flat networks to dynamically protected zones without the disruptive economics of full SDN migration.

The results indicate that there is an urgent need for a solution that reuses installed Ethernet plants, automates least-privilege segmentation with minimal human input, and embeds policy enforcement that drives threat detection.

3. Methodology and System Design

We developed an adaptive zero-trust control plane that overlays existing managed switches, avoiding specialized hardware upgrades. The modular architecture incorporates four rigorously integrated modules, as shown in Figure 1, forming a continuous closed-loop feedback system.

3.1. Mudule 1: Asset and Rule-Driven VLAN Optimizer

Asset enumeration is carried out using a standardized JavaScript object notation (JSON)-based schema that captures each device’s identification (ID), Internet Protocol (IP) address, functional role, and organizational mapping. This structured model supports validation, extensibility, and cross-source correlation, enabling scalability across diverse network architectures. Topology is derived automatically by analyzing link layer discovery protocol (LLDP) data to construct a Layer-2 connectivity graph, which is reconciled with data from systems like NetBox [18]. This ensures the accurate detection of cable drift and the inclusion of inactive links, forming a reliable foundation for segmentation and policy generation.

To quantify the potential risks associated with traffic between any two assets i and j, a multidimensional pairwise risk function is defined as follows.

$$Risk\left(i,j\right)=\left(R_{base}+R_{adj}\right)\times M_{sec}\times M_{comp}$$

(1)

Here, each factor captures a distinct dimension of security exposure, including functional criticality, institutional and data-context adjustments, security posture, and regulatory/compliance obligations. The model incorporates base risk (0.1–1.0), contextual adjustments, posture-based multipliers, and regulatory penalties aligned with frameworks such as the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001 [19]. A floor value of 0.05 ensures topological coverage. This extensible formulation enables risk-aware VLAN clustering adaptable across enterprise sectors.

GA employs integer encoding, where each chromosome represents a complete VLAN assignment across assets, and a post-decoding repair operator ensures feasibility. To improve diversity and prevent premature convergence, initial populations include four heuristic seed classes: legacy mapping, institutional units, security tiers, and policy-constrained random assignments. Candidate solutions are evaluated using a composite cost function. The objective of GA is to identify the solution that minimizes this cost function, which is defined as follows.

$$Cost=W_r·{Risk}_{total}+W_h·P_{hard}+W_b·P_{business}-W_p·B_{practice}-W_m·B_{mgmt}$$

(2)

Here, ${Risk}_{total}$=$\sum v\in VLANs\sum (i,j)\in vRisk(i,j)$ sums the risk scores within each VLAN; $P_{hard}$ penalizes violations of strict constraints (e.g., compliance); $P_{business}$ penalizes configurations that disrupt necessary communications; $B_{practice}$ rewards adherence to best practices like least privilege; and $B_{mgmt}$ rewards reduced administrative overhead. Weights ($W_r,W_h,W_b,W_p,W_m$) allow for customization based on institutional priorities, with all weights set to 1.0 during our experiments.

The evolutionary design is optimized for VLAN segmentation, using tournament selection to balance convergence and diversity. Single-point crossover forms offspring by swapping chromosome segments, while mutation follows a heuristic distribution in which 40% group similar assets, 30% reduce VLAN count, 20% create new VLANs, and 10% apply random changes. Parameters were tuned to ensure stability with a population size of 50, up to 500 generations, a crossover probability of 0.8, and a mutation probability of 0.15. This configuration consistently achieves robust convergence across heterogeneous topologies and is used as the default in this study.

3.2. Mudule 2: AI-Guided Firewall Rule Generation

Building on the VLAN optimization, this study proposes an automated firewall policy generation mechanism to enforce least-privilege access under zero-trust principles. The fine-grained service communication matrix (SCM), as shown in

Table 1. Data of SCM.

Source _vlan

Destination _vlan

Source _role

Destination _role

Service _type

port

bidirectional

description

, represents all required inter-VLAN service flows and serves as the authoritative input for pfSense rule synthesis. Dynamic subnet sizing ensures efficient address utilization by tailoring each VLAN’s prefix length to endpoint count plus buffer capacity. The SCM population follows a layered authorization model that includes infrastructure services, cross-departmental flows, administrative access, and a global default-deny policy. This ensures only essential communications are permitted. The resulting SCM enables deterministic, auditable, and automation-ready firewall rule deployment.

High-fidelity pfSense rule generation is achieved using GPT-4o, guided by prompt engineering and a RAG framework grounded in firewall best practices [20]. A two-tier prompt strategy is used. A persistent system prompt embeds expertise in pfSense syntax, zero-trust principles, and compliance, while dynamic per-task prompts encode VLAN roles, protocols, ports, and policy modifiers. The results follow a canonical JSON schema through an automated validation process to ensure no errors before deployment.

To address LLM hallucinations and semantic drift, a Dual-Agent validation mechanism is used. Stage 1 performs syntactic validation of schema, entity formats, and field normalization. Failing rules are auto-corrected and re-prompted. Stage 2 involves conducting behavioral testing in a pfSense sandbox, verifying traffic control semantics, and detecting conflicts. A three-tier remediation process that includes repair, simplification, and fallback deployment ensures only validated, secure rules are pushed to production, maintaining operational safety and auditability.

3.3. Module 3: Threat-Intel-Driven Rule Optimization

To enable proactive vulnerability management in brownfield networks, a daily threat-intelligence (TI) pipeline is implemented, incorporating three key stages. First, the system collects and normalizes advisories from sources such as National Vulnerability Database (NVD), Common Vulnerabilities and Exposures (CVE) feeds, and MITRE Common Weakness Enumeration (CWE), converting them into a unified format containing CVE IDs, CVSS scores, affected products, and mitigation data. Second, asset correlations are performed by matching these advisories against a local asset catalog using Common platform enumeration. Matches are annotated with severity and exploitability context. Third, for each confirmed vulnerability, GPT-4o generates a temporary pfSense rule by combining CVE-specific and local network contexts. All rules are validated through a Dual-Agent validation mechanism described above to ensure correctness and security. This pipeline enables automated, zero-trust-aligned mitigation of threats with minimal delay.

3.4. Module 4: Telemetry-Triggered Adaptive Isolation

Reactive defense against emerging threats is enabled by a closed-loop RAG mechanism that connects live events with historical threat intelligence and automated responses. A local vector database stores embedded CVE texts, vendor bulletins, and incident reports. When a security event occurs, key indicators (e.g., IP, port, intrusion detection system hits) are used to retrieve relevant intelligence. This context is passed to GPT-4o, which generates a temporary pfSense rule and analyst guidance. All outputs are validated before deployment, and confirmed responses update the risk model to support dynamic VLAN re-segmentation, thereby creating a self-reinforcing zero-trust posture.

For high-confidence alerts, automated containment is triggered. Affected devices are quarantined at Layer 2 and isolated via high-priority firewall rules. Configuration changes are executed over NETCONF/REST or SNMPv3 with full audit logging. Incident metadata is embedded into the knowledge base to enhance future detection accuracy and reduce false positives.

These actions provide a rapid, vendor-agnostic containment capability coupled with a learning feedback channel that continually sharpens detection fidelity and response precision.

4. Results and Discussion

4.1. Experimental Scenario

The experimental testbed is shown in Figure 2. It is a typical SME network with diverse host roles and trust boundaries, comprising 53 endpoints, including 18 workstations across six departments, 4 mission-critical servers, 16 voice over internet protocol (VoIP) phones, 5 wireless access devices, 3 guest endpoints, and 7 Internet of Things (IoT) sensors, respectively. This heterogeneous mix supports testing of both user-centric and device-centric traffic segmentation. Initially, the network used a flat, functionally partitioned structure with seven/24 subnets following the RFC1918 addressing. The physical topology follows a core-access hierarchy with one core switch linked to five access switches, reflecting typical brownfield deployments. Logical-to-physical mappings are cataloged to support VLAN optimization and isolation validation without new hardware.

4.2. GA Optimization

Using the proposed GA, we observed robust convergence to an intricate network segmentation problem. As shown in Figure 3, the top plot illustrates the convergence behavior of the GA in terms of fitness scores across generations, showing rapid improvement within the first 50 generations and convergence at generation 120–150. The bottom plot shows population diversity declining as the algorithm converges, with a final diversity score of 0.160, indicating the effective exploitation of the search space after sufficient exploration. This early, steep descent indicates a well-structured optimization landscape and shows that the evolutionary operators designed in this study can efficiently exploit directional cues in the search space.

After optimization, the network is markedly improved. The original seven broad functional subnets are refined into 34 purpose-specific VLANs listed in

Table 2. Results of refined VLANs.

VLAN	Asset_id	VLAN	Asset_id	VLAN	Asset_id	VLAN	Asset_id
10	UPS-01	14	ACC-SW-03, FW-01	24	ACC-SW-05, WLC-01	25	ACC-SW-01, ACC-SW-02
27	CORE-SW-01, ACC-SW-04	106	WEB-01	113	FS-01	127	DC-01
135	APP-01	300	PHONE-CONF-01, PHONE-CONF-02	306	PHONE-EXEC-01, PHONE-EXEC-02, WIFI-TABLET-01, PRINTER-03	310	PHONE-ENG-01, PHONE-ENG-02
320	SALES-WS-01, SALES-WS-02, SALES-WS-03, SALES-WS-04	324	ENG-WS-03	330	OPS-WS-01, OPS-WS-02, OPS-WS-03	336	ENG-WS-04
340	IT-WS-01, IT-WS-02	350	EXEC-WS-01, EXEC-WS-03	360	REC-WS-01, PHONE-REC-01	367	ENG-WS-05
372	ENG-WS-01	384	ENG-WS-06	389	ENG-WS-02, EXEC-WS-02	623	GUEST-LAPTOP-01
648	GUEST-TABLET-01	701	WIFI-LAPTOP-01	706	PHONE-ENG-03, PRINTER-02	708	PHONE-OPS-01, PHONE-OPS-02
718	PHONE-ENG-04, WIFI-PHONE-01	719	PRINTER-01	725	CAMERA-01, CAMERA-02	727	GUEST-PHONE-01, HVAC-01
736	PHONE-SALES-01, PHONE-SALES-02, PHONE-SALES-03, WIFI-LAPTOP-02, WIFI-PHONE-02			746	PHONE-IT-01, PHONE-IT-02

. This fine-grained micro-segmentation substantially strengthens the overall security posture while preserving business feasibility.

In the management plane, the core switch, firewall, and other key infrastructure components were placed in a dedicated management VLAN, isolating management traffic from production traffic. This reflects established infrastructure-security best practices and improves ongoing operations. In the server tier, a service-oriented isolation policy was achieved.

Compliance outcomes improve across multiple cybersecurity frameworks. The ISO/IEC 27001 [19] compliance score rose from 62.3 to 94.7%, while alignment with the NIST Cybersecurity Framework increased from 58.9 to 91.2%. These gains demonstrate that the framework proposed in this study provides an effective technical pathway toward a mature ZTA.

4.3. Evaluation of AI-Guided Firewall Rule Generation

The generated firewall rules prioritize core infrastructure services such as Domain Name System, Dynamic Host Configuration Protocol, Network Time Protocol, and Lightweight Directory Access Protocol, ensuring baseline network functionality. VoIP traffic is supported through session initiation protocol and real-time transport protocol, with bidirectional rules balancing performance and security. Administrative services such as SNMP and Secure Shell are restricted to authorized interfaces, while zero-trust isolation policies govern guest access, IoT communications, and enforce a default-deny baseline.

All 851 generated rules conform to the pfSense syntax, with complete metadata fields and standardized naming for automated deployment and lifecycle management. Dual-Agent validation confirms 100% rule acceptance, although 188 warnings that mostly lacked logging on key services highlighted the importance of validation for audit readiness. Without this layer, critical telemetry could have been missed. Ultimately, the policy set aligns with business needs, enforces least-privilege access, enables thorough auditability, and significantly reduces lateral attack surfaces.

5. Conclusions

We developed a modular, AI-assisted zero-trust control plane for brownfield Ethernet networks, offering a cost-effective alternative to SDN retrofits. The architecture integrates a GA-based VLAN optimizer, LLM-driven firewall rule generation, TI-guided policy synthesis, and telemetry-triggered isolation. By automating policy enforcement through standards-compliant interfaces, the system bridges high-level zero-trust intent with low-level configurations. Deployment results on an SME testbed demonstrate that the original seven subnets are refined into 34 purpose-specific VLANs, improving lateral movement containment. ISO/IEC 27001 [19] compliance is up from 62.3 to 94.7%, and NIST Cybersecurity Framework alignment has risen from 58.9% to 91.2%. All 851 AI-generated firewall rules pass Dual-Agent validation, with over 90% of warnings linked to enhanced logging and not syntax errors, highlighting operational rigor.

The system needs to be evaluated for long-term deployment stability by integrating adaptive learning for evolving threats, extending support to hybrid cloud/container environments, and developing formal policy compliance verification. These directions aim to enhance the architecture’s scalability, resilience, and contextual awareness of SMEs.