We developed an AI-assisted zero-trust control system at low capital expenditure to retrofit brownfield Ethernet environments without disruptive hardware upgrades or a costly software-defined networking migration. Legacy network infrastructures in small and medium-sized enterprises (SMEs) lack the flexibility and programmability required by modern zero-trust architectures, creating a persistent security gap between static Layer 1 deployments and dynamic cyber threats. The developed system addresses this gap through a modular architecture that integrates genetic-algorithm-based virtual local area network (VLAN) optimization, large-language-model-guided firewall rule synthesis, threat-intelligence-driven policy automation, and telemetry-triggered adaptive isolation. Network assets are enumerated and evaluated through a risk-aware clustering model to enable microsegmentation that aligns with the principle of least privilege. Optimized segmentation outputs are translated into pfSense firewall policies through structured prompt engineering and dual-stage validation, ensuring syntactic correctness and semantic consistency. A retrieval-augmented generation pipeline connects live telemetry with historical vulnerability intelligence, enabling rapid policy adjustments and automated containment responses. The system operates as an overlay on existing managed switches, orchestrating configuration changes through standards-compliant interfaces such as the Simple Network Management Protocol (SNMP) and the Network Configuration Protocol (NETCONF). Experimental evaluation in a representative SME testbed demonstrates substantial improvements in segmentation granularity, refining seven flat subnets into thirty-four purpose-specific VLANs.
Compliance scores improved significantly, with International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001 compliance rising from 62.3% to 94.7% and National Institute of Standards and Technology (NIST) Cybersecurity Framework alignment increasing from 58.9% to 91.2%. All 851 automatically generated firewall rules passed dual-agent validation, ensuring reliable enforcement and enhanced auditability. The results indicate that the developed system provides an operationally feasible pathway for legacy networks to achieve zero-trust segmentation with minimal cost and disruption. Future extensions will explore adaptive learning mechanisms and hybrid cloud support to further enhance scalability and contextual responsiveness.
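The dual-stage validation step described above (a syntactic check followed by a semantic check against the segmentation output), shown as an added illustration that is not the paper's own code: the rule schema, the VLAN address plan, the allowed-flow set and the sample rules are all constructed assumptions, since the abstract does not give the pfSense rule format or the optimizer's output schema.

```python
import ipaddress
# Constructed segmentation output (assumed format): VLAN address plans and the
# inter-VLAN flows the optimizer permitted; any other pass rule violates least privilege.
VLANS = {"vlan_hr": "10.10.10.0/24", "vlan_print": "10.10.20.0/24", "vlan_dns": "10.10.30.0/24"}
ALLOWED_FLOWS = {("vlan_hr", "vlan_print"), ("vlan_hr", "vlan_dns")}
def check_syntax(rule):
    """Stage 1: reject malformed rules before any meaning is examined."""
    errors = []
    if rule.get("action") not in ("pass", "block"):
        errors.append("bad action")
    for key in ("src", "dst"):
        try:
            ipaddress.ip_network(rule.get(key, ""), strict=True)  # rejects host bits set
        except ValueError:
            errors.append("bad " + key)
    port = rule.get("dport")
    if not (port == "any" or (isinstance(port, int) and 0 < port < 65536)):
        errors.append("bad dport")
    return errors
def vlan_of(cidr):
    """Map a prefix to the VLAN that contains it, or None (e.g. for 0.0.0.0/0)."""
    net = ipaddress.ip_network(cidr)
    return next((n for n, c in VLANS.items() if net.subnet_of(ipaddress.ip_network(c))), None)
def check_semantics(rules):
    """Stage 2: every pass rule must match a flow the segmentation model allowed, and no
    rule may repeat an earlier src/dst/port triple (the later rule would be unreachable)."""
    findings, seen = [], set()
    for i, r in enumerate(rules):
        key = (r["src"], r["dst"], r["dport"])
        if key in seen:
            findings.append((i, "shadowed by earlier rule"))
        seen.add(key)
        if r["action"] == "pass" and (vlan_of(r["src"]), vlan_of(r["dst"])) not in ALLOWED_FLOWS:
            findings.append((i, "pass rule outside segmentation policy"))
    return findings
def validate(rules):
    """Run both stages; semantic checks only run once the whole rule set parses cleanly."""
    bad = {i: check_syntax(r) for i, r in enumerate(rules) if check_syntax(r)}
    if bad:
        return {"stage": "syntax", "findings": bad}
    return {"stage": "semantic", "findings": check_semantics(rules)}
SAMPLE_RULES = [  # constructed generator output: rule 1 duplicates rule 0, rule 3 is an unapproved flow
    {"action": "pass", "src": "10.10.10.0/24", "dst": "10.10.20.0/24", "dport": 631},
    {"action": "pass", "src": "10.10.10.0/24", "dst": "10.10.20.0/24", "dport": 631},
    {"action": "pass", "src": "10.10.10.0/24", "dst": "10.10.30.0/24", "dport": 53},
    {"action": "pass", "src": "10.10.20.0/24", "dst": "10.10.30.0/24", "dport": 53},
    {"action": "block", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "dport": "any"},
]
REPORT = validate(SAMPLE_RULES)  # semantic stage: findings at rule 1 (shadowed) and rule 3 (disallowed flow)
```

A rule set that fails stage 1 never reaches stage 2, so a generator is forced to emit well-formed rules before its policy intent is judged against the segmentation model.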