Status: PASSED
Category: network / network_segmentation_bypass

Network Segmentation Bypass — Unauthorized Cross-VLAN Traffic

A misconfigured ACL on the layer 3 switch allows traffic from the guest VLAN to reach the server VLAN, bypassing network segmentation. The IDS detects lateral scanning from a compromised guest device targeting internal servers.

Pattern: FIREWALL_RULE_BLOCK
Severity: CRITICAL
Confidence: 85%
Remediation: Auto-Heal

Test Results

Metric                 | Expected                                | Actual              | Result
-----------------------|-----------------------------------------|---------------------|-------
Pattern Recognition    | FIREWALL_RULE_BLOCK                     | FIREWALL_RULE_BLOCK |
Severity Assessment    | CRITICAL                                | CRITICAL            |
Incident Correlation   | Yes                                     | 42 linked           |
Cascade Escalation     | Yes                                     | Yes                 |
Remediation            | Auto-Heal (Corax resolves autonomously) |                     |

Scenario Conditions

Guest VLAN 50 should be isolated to internet-only. Server VLAN 100 contains PCI-scoped systems. ACL on inter-VLAN routing was removed during troubleshooting. IDS detecting port scans from guest subnet. PCI compliance at risk.

Injected Error Messages (3)

Firewall rule violation detected — ACL GUEST-TO-SERVER-DENY missing from VLAN 50 interface, firewall rule permitting guest-to-server traffic was removed, unauthorized cross-VLAN routing active between VLAN 50 and VLAN 100
IDS alert: lateral scanning from guest VLAN — source 10.50.0.47 scanning 10.100.0.0/24 on ports 22,445,3389,1433, firewall rule bypass detected, 2,400 connection attempts in 5 minutes, PCI segment exposed
Unauthorized access attempts on PCI servers — firewall rule not blocking guest VLAN traffic, failed login attempts from 10.50.0.47 on SSH and RDP, network segmentation completely bypassed

Neural Engine Root Cause Analysis

The critical Access Control List (ACL) rule 'GUEST-TO-SERVER-DENY' has been removed from the VLAN 50 interface on core switch core-sw1, creating a serious security vulnerability. With this rule missing, unauthorized cross-VLAN routing is now permitted between the guest network (VLAN 50) and the server network (VLAN 100), potentially allowing guest users to reach internal server resources. The 16 correlated incidents suggest that this ACL removal has triggered widespread connectivity issues or security violations across the network infrastructure.

Remediation Plan

1. Immediately restore the missing ACL 'GUEST-TO-SERVER-DENY' to the VLAN 50 interface on core-sw1 via SNMP configuration push.
2. Verify that the ACL is properly applied and is denying guest-to-server traffic.
3. Audit recent configuration changes to determine how and when the ACL was removed.
4. Check for any active unauthorized connections between VLAN 50 and VLAN 100 and terminate them.
5. Review and strengthen change management processes to prevent unauthorized ACL modifications.
6. Monitor the correlated incidents to ensure they resolve once the ACL is restored.

Tested: 2026-03-30 | Monitors: 3 | Incidents: 3 | Test ID: cmncjpt1f03lpobqe0oyfw110