UNITED STATES PATENT AND TRADEMARK OFFICE
BEFORE THE PATENT TRIAL AND APPEAL BOARD
SOPHOS LIMITED AND SOPHOS INC., Petitioners
v.
FORTINET, INC., Patent Owner
U.S. Patent No. 7,966,654
Filing Date: November 22, 2005 Issue Date: June 21, 2011
Title: Computerized System and Method for Policy-Based Content Filtering
Inter Partes Review No.: (Unassigned)
PETITION FOR INTER PARTES REVIEW OF U.S. PATENT NO. 7,966,654
UNDER 35 U.S.C. §§ 311-319 AND 37 C.F.R. §§ 42.1-80, 42.100-123
TABLE OF CONTENTS
Page
I. COMPLIANCE WITH FORMAL REQUIREMENTS ................................. 1
A. Mandatory Notices Under 37 C.F.R. §§ 42.8(b)(1)-(4) ....................... 1
1. Real Party-In-Interest ................................................................. 1
2. Related Matters .......................................................................... 1
3. Lead and Backup Counsel ......................................................... 1
4. Service Information.................................................................... 2
B. Proof of Service on the Patent Owner .................................................. 2
C. Power of Attorney ................................................................................ 2
D. Standing ................................................................................................ 2
E. Fees ....................................................................................................... 3
II. STATEMENT OF PRECISE RELIEF REQUESTED .................................. 3
III. FULL STATEMENT OF REASONS FOR REQUESTED RELIEF ............ 4
A. Technology Background ...................................................................... 4
B. Summary of the ’654 Patent ................................................................. 4
C. Person of Ordinary Skill in the Art ...................................................... 5
D. Claim Construction .............................................................................. 5
E. Ground 1: Claims 1, 3, 4, 10, 12, 13, 14, 18 and 22 are Obvious under 35 U.S.C. § 103(a) (pre-AIA) in view of Taylor ....................... 6
F. Ground 2: Claims 1, 3, 10, 12, 13, 14 and 22 are Obvious under 35 U.S.C. § 103(a) (pre-AIA) in light of Sonnenberg ....................... 29
G. Ground 3: Claims 19, 20, and 28 are Obvious under 35 U.S.C. § 103(a) (pre-AIA) in light of Taylor in view of Astaro ....................... 50
H. Ground 4: Claims 4, 18-20, and 28 are Obvious under 35 U.S.C. § 103(a) (pre-AIA) in light of Sonnenberg in view of Astaro ................................................................................................. 55
IV. CONCLUSION ............................................................................................. 60
EXHIBIT LIST
Exhibit No. Description
1001 U.S. Patent No. 7,966,654 B2
1002 File history of U.S. Patent No. 7,966,654 B2
1003 Fortinet, Inc.’s Answer, Affirmative Defenses, and Counterclaims,
Sophos Ltd. et al v. Fortinet, Inc., No. 14-cv-00100-GMS (D.Del.)
1004 Certificate of Service, Sophos Ltd. et al v. Fortinet, Inc., No. 14-cv-00100-GMS (D.Del.)
1005 U.S. Patent No. 7,966,654, Infringement Contentions Pursuant to
Section 4(C)
1006 U.S. Patent No. 6,728,885 B1
1007 U.S. Patent No. 7,076,650 B1
1008 Astaro Security Linux V5 WebAdmin User Manual
1009 Declaration of Charles P. Pfleeger
1010 U.S. Patent No. 6,167,445
1011 U.S. Patent No. 6,574,661 B1
1012 U.S. Patent No. 6,606,708 B1
1013 U.S. Patent No. 7,284,267 B1
1014 U.S. Patent No. 7,171,440 B2
1015 U.S. Patent No. 5,835,726
1016 Computer Networks 4th edition, Andrew S. Tannenbaum, Prentice
Hall, 2003
1017 Security in Computing 3rd edition, Charles P. Pfleeger and Shari
Lawrence Pfleeger, Prentice Hall, 2003
1018 Advanced Programming Techniques, Hughes, C., et al, Wiley, 1978
1019 “A Network Firewall,” Ranum, M., Proceedings of the
International Conference on Systems and Network Security and
Management (SANS-1), November 1992
1020 “A Toolkit and Methods for Internet Firewalls,” Ranum, M. and
Avolio, F., Proceedings Usenix Security Symposium, 1994
1021 “Robust TCP Stream Reassembly In the Presence of Adversaries,”
Dharmapurikar, S. and Paxson, V., Proceedings Usenix Security
Symposium, 2005
1022 “RFC 793 Transmission Control Protocol,” Information Sciences
Institute, University of Southern California, September 1981
1023 “Guidelines on Firewalls and Firewall Policy,” NIST [National
Institute of Standards and Technology] Special Publication 800-41,
Jan 2002
1024 “Six Dumbest Ideas in Computer Security,” Ranum, M., Schneier
on Security Blog, 9 September 2005. https://www.schneier.com/
blog/archives/2005/09/marcus_ranums_t.html
1025 Cybersecurity Operations Handbook, Rittinghouse, J. and
Hancock, W., Elsevier, 2003
Real parties in interest Sophos Ltd. and Sophos Inc. hereby petition for inter
partes review of U.S. Patent No. 7,966,654 (the “’654 patent”) (Ex. 1001), under
35 U.S.C. §§ 311-319, 37 C.F.R. §§ 42.1-42.80 and 37 C.F.R. §§ 42.100-42.123.
I. COMPLIANCE WITH FORMAL REQUIREMENTS
A. Mandatory Notices Under 37 C.F.R. §§ 42.8(b)(1)-(4)
1. Real Party-In-Interest
Pursuant to 37 C.F.R. § 42.8(b)(1), Petitioner states that Sophos Ltd. and
Sophos Inc. (“Sophos” or “Petitioner”) are the real party-in-interest.
2. Related Matters
Pursuant to 37 C.F.R. § 42.8(b)(2), Petitioner states that the ’654 patent is
subject to the following civil action: Sophos Ltd. et al v. Fortinet, Inc., No. 14-cv-00100-GMS
(D.Del.). See Exs. 1003-1004.
3. Lead and Backup Counsel
Pursuant to 37 C.F.R. § 42.8(b)(3), Petitioner provides the following
designation of counsel:
Lead Counsel:
Gianni Minutoli, Reg. No. 41,198, [email protected]
Postal and Hand Delivery Address: DLA Piper LLP (US), One Fountain Square, 11911 Freedom Drive, Suite 300, Reston, VA 20190-5602
Phone: 703-773-4045; Fax: 202-799-5125

Backup Counsel:
Ryan W. Cobb, Reg. No. 64,598, [email protected]
Postal and Hand Delivery Address: DLA Piper LLP (US), 2000 University Ave, East Palo Alto, CA 94303
Phone: 650-833-2235; Fax: 650-833-2001

Harpreet Singh, Reg. No. 71,842, [email protected]
Postal and Hand Delivery Address: DLA Piper LLP (US), 2000 University Ave, East Palo Alto, CA 94303
Phone: 650-833-2191; Fax: 650-687-1191
4. Service Information
Pursuant to 37 C.F.R. § 42.8(b)(4), Petitioner states that service information
for lead and back-up counsel is provided in the designation of lead and back-up
counsel above.
B. Proof of Service on the Patent Owner
As identified in the attached Certificate of Service, a copy of this Petition in
its entirety is being served to the Patent Owner’s attorney of record at the address
listed in the USPTO’s records by overnight courier pursuant to 37 C.F.R. § 42.6.
C. Power of Attorney
Powers of attorney are being filed with designation of counsel in accordance
with 37 C.F.R. § 41.10(b).
D. Standing
In accordance with 37 C.F.R. § 42.104(a), Petitioner certifies that the ’654
patent is available for inter partes review and that Petitioner is not barred or
estopped from requesting an inter partes review challenging the patent claims on
the grounds identified in this Petition. The ’654 patent was asserted against
Sophos in Fortinet’s counterclaims in connection with Civil Action No. 14-cv-00100-GMS
on March 20, 2014. See Exs. 1003-1004. Under 35 U.S.C. § 315(b),
this inter partes review is timely as it is being filed within 1 year of service of the
counterclaims.
E. Fees
The undersigned authorizes the Director to charge the fee specified by 37
C.F.R. § 42.15(a) and any additional fees that might be due in connection with this
Petition to Deposit Account No. 07-1896.
II. STATEMENT OF PRECISE RELIEF REQUESTED
In accordance with 35 U.S.C. § 311, Petitioner requests cancelation of
claims 1, 3, 4, 10, 12-14, 18, 19, 20, 22, and 28 of the ’654 patent in view of the
following grounds:
A. Ground 1: Claims 1, 3, 4, 10, 12, 13, 14, 18 and 22 are Obvious under 35
U.S.C. § 103(a) (pre-AIA) in view of Taylor (Ex. 1006).
B. Ground 2: Claims 1, 3, 10, 12, 13, 14 and 22 are Obvious under 35 U.S.C. §
103(a) (pre-AIA) in view of Sonnenberg (Ex. 1007).
C. Ground 3: Claims 19, 20 and 28 are Obvious under 35 U.S.C. § 103(a) (pre-
AIA) in light of Taylor in view of Astaro (Ex. 1008).
D. Ground 4: Claims 18-20 and 28 are Obvious under 35 U.S.C. § 103(a) (pre-AIA)
in light of Sonnenberg in view of Astaro.
III. FULL STATEMENT OF REASONS FOR REQUESTED RELIEF
A. Technology Background
A firewall is a network security measure that uses an applied rule set, or
policy, to control incoming and outgoing network traffic. Ex. 1009 at ¶ 37. Three
types of firewalls are packet filters, stateful inspection firewalls, and application
gateways. Id. A packet filtering gateway controls access to packets based on
either the packet source address, destination address, or the specific transport
protocol type. Id. Stateful inspection firewalls maintain state information from
one packet to the next in the network stream. Id. The application gateway controls
input, output, and/or access to an application or service. Id. Application firewalls
monitor the content of various network streams and can restrict or prevent access
to the application or service by network traffic that fails to meet the firewall policy.
By utilizing a proxy in the middle of the protocol exchange, the gateway can
screen content transfer to ensure that only acceptable network streams can access
the application or service. Id.
B. Summary of the ’654 Patent
The ’654 patent purports to teach methods and systems for “processing
network content.” Ex. 1001 at 2:20-21. When an “incoming network connection”
is received, the invention “determines the network service protocol” of the network
connection and “identifies a matching policy based on the source network address,
the destination network address and the network service protocol.” Id. at 2:24-28.
A configuration scheme is chosen based on the matching policy and the incoming
network traffic is processed according to the configuration scheme. Id. at 2:28-33.
Other aspects of the invention include a “computerized firewall system to
process network traffic associated with an incoming network connection” (Id. at
2:35-36), “a firewall policy for use in connection with a computerized firewall
system” (Id. at 2:47-48), “a configuration database for use in connection with a
computerized firewall system” (Id. at 2:60-61), and “a firewall system for
processing network traffic” (Id. at 3:1-2).
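The summary above describes a sequence of steps: receive a connection characterized by source address, destination address and service protocol; identify the matching policy from those three values (with a default policy when none matches, as claim 4 later recites); pick the content processing configuration scheme attached to that policy; and hand the connection to a proxy that processes the content under that scheme. The following is an added illustrative model of that flow in Python. It is not code from the ’654 patent, from Taylor, or from any product; every name, class, address and setting in it (Policy, ConfigScheme, the 10.0.0.0/8 and 192.0.2.0/24 ranges, the "block_exe" setting, the toy http_proxy) is constructed for the example.

```python
"""Illustrative model of a policy-based content filter: match a policy on
(source, destination, protocol), fall back to a default policy, then dispatch
the allowed connection to a protocol proxy with the policy's configuration
scheme.  Added example; not code from the '654 patent, Taylor or any product.
All names and sample values below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class ConfigScheme:
    """A content processing configuration scheme: per-protocol settings."""
    name: str
    settings: dict  # e.g. {"http": {"block_exe": True}}


@dataclass(frozen=True)
class Policy:
    """A firewall policy keyed on source range, destination range and protocol."""
    name: str
    src: str        # CIDR (constructed sample values)
    dst: str
    protocol: str   # network service protocol, e.g. "http", or "*" for any
    action: str     # packet-layer rule: "allow" or "deny"
    scheme: Optional[ConfigScheme] = None


# Default policy identified when no predefined policy matches (fail closed).
DEFAULT_POLICY = Policy("default", "0.0.0.0/0", "0.0.0.0/0", "*", "deny")


def match_policy(policies, src, dst, protocol):
    """Identify the matching policy from source address, destination address
    and service protocol; first match wins, DEFAULT_POLICY if none matches."""
    for p in policies:
        if (ip_address(src) in ip_network(p.src)
                and ip_address(dst) in ip_network(p.dst)
                and p.protocol in ("*", protocol)):
            return p
    return DEFAULT_POLICY


def http_proxy(content, settings):
    """Toy application-layer proxy: applies the scheme's settings to content."""
    if settings.get("block_exe") and content.lower().endswith(".exe"):
        return "deny", "executable download blocked by scheme"
    return "allow", "content passed"


def process_connection(policies, proxies, src, dst, protocol, content):
    """Run the modelled steps and return the decision as a dict:
    match policy -> apply its packet-layer rule -> if allowed, redirect to the
    proxy for the protocol with the scheme's settings for that protocol."""
    policy = match_policy(policies, src, dst, protocol)
    if policy.action != "allow":
        return {"policy": policy.name, "verdict": "deny", "reason": "packet-layer rule"}
    proxy = proxies.get(protocol)
    if proxy is None:
        # No proxy module supports this protocol: deny rather than pass unfiltered.
        return {"policy": policy.name, "verdict": "deny", "reason": "no proxy for protocol"}
    settings = policy.scheme.settings.get(protocol, {}) if policy.scheme else {}
    verdict, reason = proxy(content, settings)
    return {"policy": policy.name, "verdict": verdict, "reason": reason}


# Constructed sample configuration for a stand-alone run.
WEB_SCHEME = ConfigScheme("web-strict", {"http": {"block_exe": True}})
POLICIES = [
    Policy("lan-to-web", "10.0.0.0/8", "0.0.0.0/0", "http", "allow", WEB_SCHEME),
    Policy("lan-to-mail", "10.0.0.0/8", "192.0.2.0/24", "smtp", "allow"),
]
PROXIES = {"http": http_proxy}

if __name__ == "__main__":
    print(process_connection(POLICIES, PROXIES, "10.1.2.3", "203.0.113.5", "http", "GET /tool.exe"))
    print(process_connection(POLICIES, PROXIES, "10.1.2.3", "203.0.113.5", "http", "GET /index.html"))
    print(process_connection(POLICIES, PROXIES, "172.16.0.9", "203.0.113.5", "http", "GET /index.html"))
```

Two design points worth noting. The default policy denies, so a connection that matches nothing is dropped rather than passed; and an allowed policy whose protocol has no proxy module is also denied, because the alternative would be forwarding content that no application-layer filter ever examined.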
C. Person of Ordinary Skill in the Art
A person of ordinary skill in the art at the time of the alleged invention of
the ’654 patent would have had a bachelor’s degree in computer science or
electrical engineering, or the equivalent thereof, and four years of industry
experience as a network computer system administrator, including working with
network firewalls and other hardware and software appliances. Ex. 1009 at ¶ 12.
D. Claim Construction
Pursuant to 37 C.F.R. § 42.100(b) and 42.204(b)(3), this petition presents
claim analysis in a manner that is consistent with the broadest reasonable
construction in light of the specification. Claim terms are given their ordinary and
accustomed meaning as would be understood by one of ordinary skill in the art,
unless the inventor, as a lexicographer, has set forth a special meaning for a term.
Multiform Desiccants, Inc. v. Medzam, Ltd., 133 F.3d 1473 (Fed. Cir. 1998); York
Prods., Inc., v. Central Tractor Farm & Family Ctr., 99 F.3d 1568, 1572 (Fed. Cir.
1996).
In the ’654 patent, the inventor did not act as a lexicographer and did not
provide a special meaning for any of the claim terms. Accordingly, using the
broadest reasonable interpretation standard, the terms should be given their
ordinary and customary meaning as understood by a person of ordinary skill in the art
and consistent with the disclosure. Ex. 1009 at ¶ 43.
Petitioner notes that the claims should be construed using the broadest
reasonable interpretation standard, which is applied for the purposes of inter partes
review. Because the standards of claim interpretation used by the Courts in patent
litigation are different from the claim interpretation standards used by the Office in
claim examination proceedings (including inter partes review), Petitioner reserves
the right to advocate a different claim interpretation in any other forum in
accordance with the claim construction standards applied in such forum.
E. Ground 1: Claims 1, 3, 4, 10, 12, 13, 14, 18 and 22 are Obvious
under 35 U.S.C. § 103(a) (pre-AIA) in view of Taylor.
U.S. Patent No. 6,728,885 to Taylor (hereinafter “Taylor”) (Ex. 1006)
discloses “a firewall includ[ing] a dynamic packet filter which communicates with
a proxy. The proxy registers with the dynamic packet filter for notifications of
request to establish new data communication connections through physical
connections between the internal and outside computer networks.” Ex. 1006 at
3:40-47.
The firewall in Taylor further includes various modules used in filtering
incoming packets as depicted in Figure 2 above. The system in Taylor filters
application-level content by “applying a proxy filter at the application layer to all
packets received on a specific connection” and that “packet is eventually
forwarded to proxy 211 to be filtered at the application layer level.” Ex. 1006 at
6:40-44; 11:46-48. The Taylor system also allows users to create “configuration
files” which are used to establish specific filtering rules for the firewall. Ex. 1006
at 3:55-66.
Claim Language Exemplary Citations to Disclosure
1. A computer-implemented method for processing application-level content of network service protocols, the method comprising:
Taylor discloses “a method, system and computer program for providing multilevel security to a computer network” (computer-implemented method). Ex. 1006 at Abstract. Taylor further discloses that “[t]he computer program includes a first module located in an application layer…configured to examine a number of packets received by the computer network from at least one outside network…” (computer-implemented method for processing application level content of network service protocols). Ex. 1006 at Abstract. Taylor further discloses “a typical firewall 101 is placed between a Local Area Network (LAN) 103 and outside networks 111, 115” and “[i]nternal hosts 105, 107, 109 and remote hosts 119, 121 are computers, e.g., personal computers (PC) or computer workstations” (computer-implemented method for processing application level content of network service protocols). Ex. 1006 at 1:17-24. Taylor discloses, “a Transport Control Protocol (TCP) module of a TCP/IP layer in a source computer divides the file into packets of an efficient size for transmitting over the network” (network service protocols). Ex. 1006 at 1:43-46. See also id. at 1:60-63; Ex. 1006 at 8:8-10. Taylor also discloses, “[a]n application proxy does not allow direct contact between a ‘trusted’ and ‘untrusted’ networks. Each of the packets passing through this type of firewall is examined at the application layer…” (processing application level content of network service protocols). Ex. 1006 at 2:60-63. See also id. at 6:40-44; 11:46-48; See also Figs. 1-7; Ex. 1009 at ¶ 82.
1.(a) receiving an incoming network connection, at a networking subsystem of a firewall device, the incoming connection being characterized by a source network address, a destination network address and a network service protocol;
Taylor discloses that “[t]he method comprises the step of receiving a first communication packet on at least one network interface port from an outside network” (receiving an incoming network connection). Ex. 1006 at Abstract. Taylor discloses that the “NAT 205, DPF 207, UD-SPF, 209, TPF 215, local TCP/IP 213 and OG-DPF 217 are located in the kernel space of firewall 201” (networking subsystem of a firewall device). Ex. 1006 at 4:51-53. Taylor further discloses, “when a packet is received by NIC 203 from any one of outside networks 111, 115, the packet is associated with a corresponding port number. The packet is, then, forwarded to NAT 205 which translates the destination address of the received packet into a corresponding address of internal hosts” (the incoming connection being characterized by a source network address, a destination network address and a network service protocol). Ex. 1006 at 5:33-37. Taylor discloses that a “connection list, as the name implies, includes a list of currently active or soon to be active connections and relevant information thereof such as the source and destination addresses and the port on which the connection is or to be established” (the incoming connection being characterized by a source network address, a destination network address and a network service protocol). Ex. 1006 at 6:66-7:5. Taylor also discloses “[t]he attribute information of the packet includes: Source and destination computer addresses; Source and destination transport layer protocol numbers; Type of protocol (TCP, UDP etc.); and Port numbers of NIC 203 on which the packet was received” (receiving an incoming network connection, at a networking subsystem of a firewall device, the incoming connection being characterized by a source network address, a destination network address and a network service protocol). Ex. 1006 at 10:59-11:3. See also Ex. 1009 at ¶ 83.
1.(b) determining, by the networking subsystem, the network service protocol of the incoming network connection;
Taylor discloses that “DPF determines whether the received packet is a connection control packet, i.e., a SYN packet” (determining, by the networking subsystem, the network service protocol of the incoming network connection). Ex. 1006 at 5:56-58. SYN packets are a part of the Transport Control protocol as explained by Taylor: “a Transport Control Protocol (TCP) module of a TCP/IP layer in a source computer divides the file into packets” and “connection control packets include at least one connection establishing packet, e.g., a SYN packet…” (network service protocol of the incoming network connection). Ex. 1006 at 1:43-52. See also Ex. 1009 at ¶ 84.
1.(c) determining, by the networking subsystem, whether to allow or deny the incoming connection by identifying a matching firewall policy based on the source network address, the destination network address and the network service protocol and applying packet-layer firewall rules associated with the matching firewall policy;
Taylor discloses that, “the packet filter…examines the header information of each incoming packet and makes pass/fail decisions based on their source and destination addresses” (determining, by the networking subsystem, whether to allow or deny the incoming connection by identifying a matching firewall policy based on the source network address, the destination network address and the network service protocol). Ex. 1006 at 2:47-53. Taylor discloses, “DPF 207 further determines whether the port, i.e., the port, on which the packet was received is a registered port”, “[t]he system administrator specifies which of the ports are to be registered in a configuration information file” (applying packet-layer firewall rules associated with the matching firewall policy). Ex. 1006 at 5:67-6:6. Taylor further discloses, “[t]he rules in the configuration information file are entered by a user to set forth whether to allow data communication connections for certain physical connections. If the rule is to allow the data communication connection and forward the packets at the packet level, the dynamic packet filter creates a connection rule so as to apply the connection rule to packets having the same attribute information” (emphasis added) (applying packet-layer firewall rules associated with the matching firewall policy). Ex. 1006 at 3:54-63. Taylor also discloses “[w]hether the packet matches a user specified rule is determined by attribute information of the packet. The attribute information of the packet includes: Source and destination computer addresses; Source and destination transport layer protocol numbers; Type of protocol (TCP, UDP etc.); and Port numbers of NIC 203 on which the packet was received” (emphasis added) (determining, by the networking subsystem, whether to allow or deny the incoming connection by identifying a matching firewall policy based on the source network address, the destination network address and the network service protocol). Ex. 1006 at 10:59-11:3. See also Ex. 1009 at ¶ 85.
1.(d) if the incoming connection is allowed, then:
See limitation 1.(d)(i) below.
1.(d)(i) redirecting the incoming network connection, by the networking subsystem, to a proxy module of one or more proxy modules within the firewall device that is configured to support the network service protocol;
Taylor discloses, “when the port is registered, DPF 207 transfers attribute information of the packet to proxy” (redirecting the incoming network connection, by the networking subsystem, to a proxy module of one or more proxy modules within the firewall device). Ex. 1006 at 6:12-14. Taylor discloses that, “[p]roxy 211, upon receiving the attribute information from DPF 207, determines whether to allow the connection. If the connection is to be allowed, proxy 211 further determines which filter dynamic filter rule to apply” (redirecting the incoming network connection, by the networking subsystem, to a proxy module of one or more proxy modules within the firewall device that is configured to support the network service protocol). Ex. 1006 at 6:22-25; see also Ex. 1009 at ¶ 86.
1.(d)(ii) retrieving, by the proxy module, one or more content processing configuration schemes associated with the matching firewall policy, the one or more content processing configuration schemes each including a plurality of content processing configuration settings for each of one or more network service protocols; and
Taylor discloses that a “configuration file…includes various filter rules to be applied for specific connections. For example, packets received from a particular port can be subjected to the filter all rule filter, while packets received from another port can be subjected to the selective filtering rule” (retrieving, by the proxy module, one or more content processing configuration schemes associated with the matching firewall policy, the one or more content processing configuration schemes each including a plurality of content processing configuration settings for each of one or more network service protocols). Ex. 1006 at 6:44-50. Taylor discloses, “filtering rules are also possible such as not applying any filtering or applying a proxy filter at the application layer to all packets received on a specific connection” (one or more content processing configuration schemes associated with the matching firewall policy, the one or more content processing configuration schemes each including a plurality of content processing configuration settings for each of one or more network service protocols). Ex. 1006 at 6:39-43; see also Ex. 1009 at ¶ 87.
1.(d)(iii) processing, by the proxy module, application-level content of a packet stream associated with the incoming network connection by
Taylor discloses that “[t]he computer program includes a first module located in an application layer…configured to examine a number of packets received by the computer network from at least one outside network…” (processing, by the proxy module, application-level content of a packet stream associated with the incoming network connection). Ex. 1006 at Abstract. Taylor also discloses, “[a]n application proxy does not allow direct contact between a ‘trusted’ and ‘untrusted’ networks. Each of the packets passing through this type of firewall is examined at the application layer…” (processing, by the proxy module, application-level content of a packet stream associated with the incoming network connection). Ex. 1006 at 2:60-63. Taylor discloses, “applying a proxy filter at the application layer to all packets received on a specific connection” (processing application level content of network service protocols). Ex. 1006 at 6:40-44. Taylor also discloses, “the packet is eventually forwarded to proxy 211 to be filtered at the application layer level” (processing, by the proxy module, application-level content of a packet stream associated with the incoming network connection). Ex. 1006 at 11:46-48; see also Ex. 1009 at ¶ 88.
1.(d)(iii)(A) reconstructing the application level content, including extracting and buffering content from a plurality of packets of the packet stream; and
Taylor discloses, “applying a proxy filter at the application layer to all packets received on a specific connection” (processing application level content of network service protocols). Ex. 1006 at 6:40-44. Taylor also discloses, “the packet is eventually forwarded to proxy 211 to be filtered at the application layer level.” Ex. 1006 at 11:46-48. To be filtered at the application layer level, the proxy must reconstruct the application level content, including extracting and buffering content from a plurality of packets of the packet stream. See Ex. 1009 at ¶ 89.
Regarding limitation 1.(d)(iii)(A), Petitioner believes that it is inherent that
in order to process and scan for “application level content”, packets received by the
proxy must necessarily be reconstructed. The reconstruction of the application
level content would necessarily include extracting and buffering content from a
plurality of packets of the packet stream. Ex. 1009 at ¶ 90. Alternatively, one of
ordinary skill in the art would understand that to process and scan for “application
level content”, packets received by the proxy must necessarily be reconstructed by,
e.g., extracting and buffering content from a plurality of packets of the packet
stream. Ex. 1009 at ¶ 91. Thus, to the extent that the Board does not determine that
this limitation is disclosed by Taylor, Petitioner submits that Taylor teaches or
suggests it. Id.
Claim Language Exemplary Citations to Disclosure
1.(d)(iii)(B) scanning the application-level content based on the retrieved one or more content processing configuration schemes.
Taylor discloses that “[t]he computer program includes a first module located in an application layer…configured to examine a number of packets received by the computer network from at least one outside network…” (scanning the application-level content based on the retrieved one or more content processing configuration schemes). Ex. 1006 at Abstract. Taylor also discloses, “[a]n application proxy does not allow direct contact between a ‘trusted’ and ‘untrusted’ networks. Each of the packets passing through this type of firewall is examined at the application layer…” (scanning the application-level content based on the retrieved one or more content processing configuration schemes). Ex. 1006 at 2:60-63. Taylor discloses, “applying a proxy filter at the application layer to all packets received on a specific connection” (processing application level content of network service protocols). Ex. 1006 at 6:40-44. Taylor also discloses, “the packet is eventually forwarded to proxy 211 to be filtered at the application layer level” (processing, by the proxy module, application-level content of a packet stream associated with the incoming network connection). Ex. 1006 at 11:46-48. Taylor discloses that a “configuration file…includes various filter rules to be applied for specific connections. For example, packets received from a particular port can be subjected to the filter all rule filter, while packets received from another port can be subjected to the selective filtering rule” (content processing configuration schemes). Ex. 1006 at 6:44-50. In filtering application level content, the proxy must scan the application level content. Ex. 1009 at ¶ 92.
Regarding limitation 1.(d)(iii)(B), Petitioner believes that it is inherent that
in order to process and scan for “application level content,” packets received by the
proxy must necessarily be scanned. One cannot filter content without first
scanning the content and comparing the scanned content with a
reference (i.e., configuration scheme). Ex. 1009 at ¶ 93. Alternatively, one of
ordinary skill in the art would understand that to process and scan for “application
level content,” the packets must necessarily be scanned. Ex. 1009 at ¶ 94. Thus, to
the extent that the Board does not determine that this limitation is disclosed by
Taylor, Petitioner submits that Taylor teaches or suggests it. Id.
Claim Language Exemplary Citations to Disclosure
3. The method of claim 1, wherein during the identifying, the matching firewall policy is selected from a plurality of predefined firewall policies.
Taylor further discloses, “[t]he rules in the configuration information file are entered by a user to set forth whether to allow data communication connections for certain physical connections. If the rule is to allow the data communication connection and forward the packets at the packet level, the dynamic packet filter creates a connection rule so as to apply the connection rule to packets having the same attribute information” (the matching firewall policy is selected from a plurality of predefined firewall policies). Ex. 1006 at 3:54-63; see also Ex. 1009 at ¶ 95.
4. The method of claim 3, wherein if the plurality of predefined firewall policies does not contain the matching firewall policy, a default firewall policy is identified as the matching firewall policy.
Taylor discloses, “if a user specified rule matches with the communication establishing packet, the matched rule is applied to the packet (step 323). If no user specified rule matches the packet, a transparency is applied (step 325)” (wherein if the plurality of predefined firewall policies does not contain the matching firewall policy, a default firewall policy is identified as the matching firewall policy). Ex. 1006 at 11:6-9; see also Ex. 1009 at ¶ 96.
10. A firewall system for processing application-level content of network service protocols, the firewall system comprising:
Taylor discloses, “the invention relates to firewall technology in packet switched networks for adaptively providing a plurality of security levels” (firewall system). Ex. 1006 at 1:10-14. Taylor discloses, “[f]irewall 101 includes a combination of computer hardware and software components configured to protect LAN” (firewall system). Ex. 1006 at 1:17-19. Taylor discloses that “[t]he computer program includes a first module located in an application layer…configured to examine a number of packets received by the computer network from at least one outside network…” (processing application-level content). Ex. 1006 at Abstract. Taylor also discloses, “[a]n application proxy does not allow direct contact between a ‘trusted’ and ‘untrusted’ networks. Each of the packets passing through this type of firewall is examined at the application layer…” (processing application-level content). Ex. 1006 at 2:60-63. Taylor discloses, “applying a proxy filter at the application layer to all packets received on a specific connection” (processing application-level content). Ex. 1006 at 6:40-44. See also, Fig. 2; Ex. 1009 at ¶ 97.
10.(a) a non-transitory memory having stored therein a configuration database including a plurality of firewall policies and a plurality of content processing configuration schemes, each content processing configuration scheme of the plurality of content processing configuration schemes including a plurality of content processing configuration settings for each of a plurality of network protocols;
Taylor discloses, “[t]he computer programs are stored in a computer readable storage medium, e.g., hard disks or floppy diskettes. In operation, the computer programs are read to a random access memory to be executed by a processor. The computer readable storage medium, the random access memory and the process are preferably included in the computer of firewall 201. Alternatively, however, the computer readable storage medium can be provided by another computer or floppy diskettes. Hence, the computer programs can be downloaded from a remote computer coupled to firewall 201” (non-transitory memory). Ex. 1006 at 5:10-20. Taylor discloses that a “configuration file…includes various filter rules to be applied for specific connections. For example, packets received from a particular port can be subjected to the filter all rule filter, while packets received from another port can be subjected to the selective filtering rule” (plurality of firewall policies and a plurality of content processing configuration schemes, each content processing configuration scheme of the plurality of content processing configuration schemes including a plurality of content processing configuration settings for each of a plurality of network protocols). Ex. 1006 at 6:44-50. Taylor further discloses, “[t]he rules in the configuration information file are entered by a user to set forth whether to allow data communication connections for certain physical connections. If the rule is to allow the data communication connection and forward the packets at the packet level, the dynamic packet filter creates a connection rule so as to apply the connection rule to packets having the same attribute information” (plurality of firewall policies and a plurality of content processing configuration schemes, each content processing configuration scheme of the plurality of content processing configuration schemes including a plurality of content processing configuration settings for each of a plurality of network protocols). Ex. 1006 at 3:54-63. See Ex. 1009 at ¶ 98.
10.(b) a networking interface operable to receive a network connection;
Taylor discloses “a firewall 201 of the present invention that includes a Network Interface Card (NIC) 203 coupled to at least one outside network” (a networking interface operable to receive a network connection). Ex. 1006 at 4:27-29; see also Ex. 1009 at ¶ 99.
10.(c) one or more proxy modules each operable to support one or more network protocols of the plurality of network protocols; and
Taylor further discloses that “[t]he computer program includes a first module located in an application layer, a second module located in a network layer, and a third module located in a kernel space and configured to examine a number of packets received by the computer network from at least one outside network and to forward the number of packets to one of the first and second modules after examining the number of packets.” (one or more proxy modules each operable to support one or more network protocols of the plurality of network protocols). Ex. 1006 at Abstract. Taylor further discloses, “the TCP module is a communication protocol used along with the Internet Protocol (IP) to send data in the form of packets between a source and destination computers. While the IP module performs the actual delivery of the data, the TCP module keeps track of the individual packets that a file is divided into for efficient routing through the Internet” (one or more proxy modules each operable to support one or more network protocols of the plurality of network protocols). Ex. 1006 at 1:60-65. Taylor also discloses, “[t]he term proxy designates either all of the filtering and decision making processes or individual filtering processes occurring at the user space. Proxy 211, therefore, can be referred as a one process or a plurality of processes depending upon the context in which the term appears” (one or more proxy modules each operable to support one or more network protocols of the plurality of network protocols). Ex. 1006 at 4:59-65; see also Ex. 1009 at ¶ 100.
10.(d) a networking subsystem operable to (i) receive the network connection from the networking interface,
Taylor discloses a “NAT 205, DPF 207, UD-SPF, 209, TPF 215, local TCP/IP 213 and OG-DPF 217 are located in the kernel space of firewall 201” (a networking subsystem operable to (i) receive the network connection from the networking interface). Ex. 1006 at 4:51-53. Taylor further discloses, “when a packet is received by NIC 203 from any one of outside networks 111, 115, the packet is associated with a corresponding port number. The packet is, then, forwarded to NAT 205 which translates the destination address of the received packet into a corresponding address of internal hosts” (a networking subsystem operable to (i) receive the network connection from the networking interface). Ex. 1006 at 5:33-37; see also Ex. 1009 at ¶ 101.
10.(d)(ii) apply packet-layer firewall rules associated with a firewall policy of the plurality of firewall policies that is appropriate for the network connection and
Taylor discloses that, “the packet filter…examines the header information of each incoming packet and makes pass/fail decisions based on their source and destination addresses” (apply packet-layer firewall rules associated with a firewall policy of the plurality of firewall policies that is appropriate for the network connection). Ex. 1006 at 2:47-53. Taylor discloses, “DPF 207 further determines whether the port, i.e., the port, on which the packet was received is a registered port”, “[t]he system administrator specifies which of the ports are to be registered in a configuration information file” (apply packet-layer firewall rules associated with a firewall policy of the plurality of firewall policies that is appropriate for the network connection). Ex. 1006 at 5:67-6:6. Taylor further discloses, “[t]he rules in the configuration information file are entered by a user to set forth whether to allow data communication connections for certain physical connections. If the rule is to allow the data communication connection and forward the packets at the packet level, the dynamic packet filter creates a connection rule so as to apply the connection rule to packets having the same attribute information” (emphasis added) (apply packet-layer firewall rules associated with a firewall policy of the plurality of firewall policies that is appropriate for the network connection). Ex. 1006 at 3:54-63; see also Ex. 1009 at ¶ 102.
10.(d)(iii) redirect the network connection to a proxy module of the one or more proxy modules based on a network protocol associated with the network connection if the network connection is allowed by the packet-layer firewall rules; and
Taylor discloses, “when the port is registered, DPF 207 transfers attribute information of the packet to proxy” (redirect the network connection to a proxy module of the one or more proxy modules based on a network protocol associated with the network connection if the network connection is allowed by the packet-layer firewall rules). Ex. 1006 at 6:12-14. Taylor discloses that, “[p]roxy 211, upon receiving the attribute information from DPF 207, determines whether to allow the connection. If the connection is to be allowed, proxy 211 further determines which filter dynamic filter rule to apply” (redirect the network connection to a proxy module of the one or more proxy modules based on a network protocol associated with the network connection if the network connection is allowed by the packet-layer firewall rules). Ex. 1006 at 6:22-25; see also Ex. 1009 at ¶ 103.
10.(e) wherein the proxy module processes application-level content of a packet stream associated with the network connection by
Taylor discloses that “[t]he computer program includes a first module located in an application layer…configured to examine a number of packets received by the computer network from at least one outside network…” (wherein the proxy module processes application-level content of a packet stream associated with the network connection). Ex. 1006 at Abstract. Taylor also discloses, “[a]n application proxy does not allow direct contact between a ‘trusted’ and ‘untrusted’ networks. Each of the packets passing through this type of firewall is examined at the application layer…” (wherein the proxy module processes application-level content of a packet stream associated with the network connection). Ex. 1006 at 2:60-63. Taylor discloses, “applying a proxy filter at the application layer to all packets received on a specific connection” (processing application level content of network service protocols). Ex. 1006 at 6:40-44. Taylor also discloses, “the packet is eventually forwarded to proxy 211 to be filtered at the application layer level” (wherein the proxy module processes application-level content of a packet stream associated with the network connection). Ex. 1006 at 11:46-48; see also Ex. 1009 at ¶ 104.
10.(e)(i) reconstructing the application-level content, including extracting and buffering content from a plurality of packets of the packet stream; and
Taylor discloses, “applying a proxy filter at the application layer to all packets received on a specific connection” (reconstructing the application-level content, including extracting and buffering content from a plurality of packets of the packet stream). Ex. 1006 at 6:40-44. Taylor also discloses, “the packet is eventually forwarded to proxy 211 to be filtered at the application layer level.” Ex. 1006 at 11:46-48. To be filtered at the application layer level, the proxy must reconstruct the application level content, including extracting and buffering content from a plurality of packets of the packet stream. See Ex. 1009 at ¶¶ 89-91. See also, discussion regarding limitation 1.(d)(iii)(A) above; See Ex. 1009 at ¶ 105.
10.(e)(ii) scanning the application-level content based on one or more content processing configuration schemes of the plurality of content processing configuration schemes that have been associated with the firewall policy by an administrator of the firewall system.
Taylor discloses that “[t]he computer program includes a first module located in an application layer…configured to examine a number of packets received by the computer network from at least one outside network…” (scanning the application-level content based on the retrieved one or more content processing configuration schemes). Ex. 1006 at Abstract. Taylor also discloses, “[a]n application proxy does not allow direct contact between a ‘trusted’ and ‘untrusted’ networks. Each of the packets passing through this type of firewall is examined at the application layer…” (scanning the application-level content based on the retrieved one or more content processing configuration schemes). Ex. 1006 at 2:60-63. Taylor discloses, “applying a proxy filter at the application layer to all packets received on a specific connection” (processing application level content of network service protocols). Ex. 1006 at 6:40-44. Taylor also discloses, “the packet is eventually forwarded to proxy 211 to be filtered at the application layer level” (scanning the application-level content based on one or more content processing configuration schemes of the plurality of content processing configuration schemes). Ex. 1006 at 11:46-48. Taylor discloses that a “configuration file…includes various filter rules to be applied for specific connections. For example, packets received from a particular port can be subjected to the filter all rule filter, while packets received from another port can be subjected to the selective filtering rule” (content processing configuration schemes). Ex. 1006 at 6:44-50. Taylor also discloses, “[t]he system administrator specifies which of the ports are to be registered in a configuration information file” (processing configuration schemes that have been associated with the firewall policy by an administrator of the firewall system). Ex. 1006 at 5:67-6:6. In filtering application level content, the proxy must scan the application level content. See Ex. 1009 at ¶¶ 92-94. See also, discussion regarding limitation 1.(d)(iii)(B) above; See Ex. 1009 at ¶ 106.
12. The firewall system of claim 10, wherein the processing of application-level content by the proxy module comprises applying filters to the application-level content.
Taylor discloses that “[t]he computer program includes a first module located in an application layer…configured to examine a number of packets received by the computer network from at least one outside network…” (processing of application-level content by the proxy module comprises applying filters to the application-level content). Ex. 1006 at Abstract. Taylor also discloses, “[a]n application proxy does not allow direct contact between a ‘trusted’ and ‘untrusted’ networks. Each of the packets passing through this type of firewall is examined at the application layer…” (processing of application-level content by the proxy module comprises applying filters to the application-level content). Ex. 1006 at 2:60-63. Taylor discloses, “applying a proxy filter at the application layer to all packets received on a specific connection” (processing of application-level content by the proxy module comprises applying filters to the application-level content). Ex. 1006 at 6:40-44. Taylor also discloses, “the packet is eventually forwarded to proxy 211 to be filtered at the application layer level” (processing, by the proxy module, application-level content). Ex. 1006 at 11:46-48. Taylor discloses that a “configuration file…includes various filter rules to be applied for specific connections. For example, packets received from a particular port can be subjected to the filter all rule filter, while packets received from another port can be subjected to the selective filtering rule” (content processing configuration schemes). Ex. 1006 at 6:44-50; see also Ex. 1009 at ¶ 107.
13. A non-transitory computer-readable storage medium tangibly embodying instructions, which when executed by a firewall system, cause the firewall system to perform a method for processing application-level content, the method comprising:
Taylor discloses, “The computer programs are stored in a computer readable storage medium, e.g., hard disks or floppy diskettes. In operation, the computer programs are read to a random access memory to be executed by a processor. The computer readable storage medium, the random access memory and the process are preferably included in the computer of firewall 201. Alternatively, however, the computer readable storage medium can be provided by another computer or floppy diskettes. Hence, the computer programs can be downloaded from a remote computer coupled to firewall 201” (non-transitory memory). Ex. 1006 at 5:10-20. Taylor discloses, “[t]his invention relates to providing security in communication networks. In particular, the invention relates to firewall technology in packet switched networks for adaptively providing a plurality of security levels” (firewall system). Ex. 1006 at 1:10-14. Taylor discloses that “[t]he computer program includes a first module located in an application layer…configured to examine a number of packets received by the computer network from at least one outside network…” (processing of application-level content by the proxy module comprises applying filters to the application-level content). Ex. 1006 at Abstract. Taylor also discloses, “[a]n application proxy does not allow direct contact between a ‘trusted’ and ‘untrusted’ networks. Each of the packets passing through this type of firewall is examined at the application layer…” (processing of application-level content by the proxy module comprises applying filters to the application-level content). Ex. 1006 at 2:60-63; see also Ex. 1009 at ¶ 108.
Taylor also renders obvious limitations 13.(a) to 13.(c)(iii)(B):
Claim Language Exemplary Citations to Disclosure
13.(a) determining, by a networking subsystem of the firewall system, the network service protocol of the incoming network connection, the incoming connection being characterized by a source network address, a destination network address and a network service protocol;
See claim limitations 1.(a) and 1.(b). See also Ex. 1009 at ¶ 109.
13.(b) determining, by the networking subsystem, whether to allow or deny the incoming connection by identifying a matching firewall policy based on the source network address, the destination network address and the network service protocol and applying packet-layer firewall rules associated with the matching firewall policy;
See claim limitation 1.(c).
13.(c) if the incoming connection is allowed, then:
See claim limitation 1.(d).
13.(c)(i) redirecting the incoming network connection, by the networking subsystem, to a proxy module of one or more proxy modules of the firewall system that is configured to support the network service protocol;
See claim limitation 1.(d)(i).
13.(c)(ii) retrieving, by the proxy module, one or more content processing configuration schemes associated with the matching firewall policy, the one or more content processing configuration schemes each including a plurality of content processing configuration settings for each of one or more network service protocols; and
See claim limitation 1.(d)(ii).
13.(c)(iii) processing, the proxy module, application-level content of a packet stream associated with the incoming network connection by
See claim limitation 1.(d)(iii).
13.(c)(iii)(A) reconstructing the application level content, including extracting and buffering content from a plurality of packets of the packet stream; and
See claim limitation 1.(d)(iii)(A).
13.(c)(iii)(B) scanning the application-level content based on the retrieved one or more content processing configuration schemes.
See claim limitation 1.(d)(iii)(B).
Taylor also renders obvious claims 14 and 18:
Claim Language Exemplary Citations to Disclosure
14. The computer-readable storage medium of claim 13, wherein the network service protocol comprises at least one of a group consisting of HyperText Transfer Protocol (HTTP), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Post Office Protocol 3 (POP3), Internet Message Access Protocol (IMAP) and Server Message Block/Common Internet File System (SMB/CIFS).
Taylor discloses, “[f]or instance, this rule is useful for protocols such as File Transfer Protocol (FTP), which sends data packets on a different connection after establishing the connection. Other filtering rules are also possible such as not applying any filtering or applying a proxy filter at the application layer to all packets received on a specific connection” (wherein the network service protocol comprises File Transfer Protocol (FTP)). Ex. 1006 at 6:37-40. See also Ex. 1009 at ¶ 110.
18. The computer-readable storage medium of claim 13, wherein the method further comprises authenticating a user associated with the incoming connection and rejecting the incoming connection if the authentication is unsuccessful.
Taylor discloses, “[t]he most common firewall features include: securing internal network 103 access with a perimeter defense, controlling all connections into and out of internal network 103, filtering packets according to previously defined rules, “authenticating” or making sure users and applications are permitted to access resources, logging of activities, and actively notifying the appropriate people when suspicious events occur” (authenticating a user associated with the incoming connection and rejecting the incoming connection if the authentication is unsuccessful). Ex. 1006 at 2:35-44; see also Ex. 1009 at ¶ 111.
Taylor also renders obvious limitations 22(a) to 22.(c)(iv):
Claim Language Exemplary Citations to Disclosure
22. The method of claim 1, further comprising: (a) receiving, by the networking subsystem, a second incoming network connection associated with a second network service protocol that is different from the network service protocol;
See claim limitation 1.(a). See also Ex. 1009 at ¶ 112.
22.(b) determining, by the networking subsystem, whether to allow or deny the second incoming connection based on the matching firewall policy and applying packet-layer firewall rules associated with the matching firewall policy;
See claim limitation 1.(c).
22.(c) if the second incoming connection is allowed, then:
See claim limitation 1.(d).
22.(c)(i) redirecting the second incoming network connection to a second proxy module of one or more proxy modules within the firewall device that is configured to support the second network service protocol;
See claim limitation 1.(d)(i).
22.(c)(ii) retrieving, by the second proxy module, the one or more content processing configuration schemes associated with the matching firewall policy; and
See claim limitation 1.(d)(ii).
22.(c)(iii) processing, by the second proxy module, application-level content of a packet stream associated with the second incoming network connection by
See claim limitation 1.(d)(iii).
22.(c)(iii)(A) reconstructing the application-level content of the packet stream associated with the second incoming network connection, including extracting and buffering content from a plurality of packets of the packet stream; and
See claim limitation 1.(d)(iii)(A).
22.(c)(iii)(B) scanning the application-level content of the packet stream associated with the second incoming network connection based on the retrieved one or more content processing configuration schemes; and
See claim limitation 1.(d)(iii)(B).
22.(c)(iv) wherein the plurality of content processing configuration settings for the network service protocol are different from the plurality of content processing configuration settings for the second network service protocol.
See claim limitations 1.(a) and 1.(d)(iii). Taylor’s proxy rules are different from each other. Ex. 1009 at ¶ 113.
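The following Python model is added here as an illustration of the pipeline the claim chart recites; it is not code from the petition, from the ’654 patent, from Taylor or from Sonnenberg. It models the policy lookup that falls back to a default policy (claims 3 and 4), the networking subsystem that determines the protocol, applies the matching policy's packet-layer decision and redirects the connection to a proxy for that protocol (claim 10), the proxy's reconstruction of application-level content from several packets followed by a scan under per-protocol settings (10.(e)(i) and 10.(e)(ii)), and differing settings for different protocols under one policy (22.(c)(iv)). Every policy, port-to-protocol entry, packet payload and scan signature is constructed for the example.

```python
"""Toy model of a policy-based proxy firewall (added illustration; all values constructed)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# A "content processing configuration scheme": settings keyed by protocol.
Scheme = Dict[str, Dict[str, object]]


@dataclass
class Policy:
    name: str
    src: str            # source address prefix ("" matches any)
    dst: str            # destination address prefix ("" matches any)
    protocol: str       # "HTTP", "SMTP", ... or "*" for any protocol
    allow: bool         # packet-layer decision for matching connections
    scheme: Scheme = field(default_factory=dict)

    def matches(self, src: str, dst: str, proto: str) -> bool:
        return (src.startswith(self.src) and dst.startswith(self.dst)
                and self.protocol in ("*", proto))


# Constructed configuration database: ordered policies plus a default policy.
# The HTTP and SMTP settings differ on purpose (cf. limitation 22.(c)(iv)).
POLICIES: List[Policy] = [
    Policy("web-in", "", "10.0.0.", "HTTP", True,
           {"HTTP": {"block_words": ["payload-a"], "max_bytes": 64}}),
    Policy("mail-in", "", "10.0.0.", "SMTP", True,
           {"SMTP": {"block_words": ["payload-b"], "max_bytes": 1024}}),
]
DEFAULT_POLICY = Policy("default-deny", "", "", "*", False)

# Constructed port-to-protocol table used to determine the service protocol.
PORT_PROTOCOL = {80: "HTTP", 21: "FTP", 25: "SMTP", 110: "POP3", 143: "IMAP"}


def match_policy(src: str, dst: str, proto: str) -> Policy:
    """First policy matching (src, dst, protocol); the default policy otherwise."""
    for pol in POLICIES:
        if pol.matches(src, dst, proto):
            return pol
    return DEFAULT_POLICY


def reconstruct(packets: List[Tuple[int, bytes]]) -> bytes:
    """Buffer payloads from many packets and reassemble them in sequence order.
    Packets may arrive out of order; a retransmitted sequence number is dropped."""
    buffered: Dict[int, bytes] = {}
    for seq, payload in packets:
        buffered.setdefault(seq, payload)
    return b"".join(buffered[seq] for seq in sorted(buffered))


def scan(content: bytes, settings: Dict[str, object]) -> List[str]:
    """Scan reconstructed content using one protocol's settings; return findings."""
    findings: List[str] = []
    limit = settings.get("max_bytes")
    if limit is not None and len(content) > int(limit):
        findings.append("oversize")
    for word in settings.get("block_words", []):
        if word.encode() in content:
            findings.append(f"blocked-word:{word}")
    return findings


def process_connection(src: str, dst: str, dport: int,
                       packets: List[Tuple[int, bytes]]) -> Tuple[str, str, List[str]]:
    """Networking subsystem: determine protocol, match a policy, apply the
    packet-layer decision, then hand the stream to the proxy for that protocol.
    Returns (policy name, verdict, scan findings)."""
    proto = PORT_PROTOCOL.get(dport, "UNKNOWN")
    policy = match_policy(src, dst, proto)
    if not policy.allow:
        return policy.name, "deny", []            # rejected at the packet layer
    settings: Optional[Dict[str, object]] = policy.scheme.get(proto)
    if settings is None:
        return policy.name, "allow-no-proxy", []  # no proxy configured for proto
    content = reconstruct(packets)                # proxy: extract and buffer
    findings = scan(content, settings)            # proxy: scan per settings
    return policy.name, ("drop" if findings else "allow"), findings


if __name__ == "__main__":
    # Constructed out-of-order HTTP stream with a retransmitted first segment.
    http = [(2, b"world payload-a"), (1, b"hello "), (1, b"hello ")]
    print(process_connection("203.0.113.5", "10.0.0.8", 80, http))
    print(process_connection("203.0.113.5", "10.0.0.8", 22, [(1, b"SSH-2.0")]))
    print(process_connection("198.51.100.7", "10.0.0.9", 25, [(1, b"payload-a")]))
```

The same string "payload-a" is dropped on HTTP and allowed on SMTP because each protocol carries its own settings inside the scheme, and a connection on an unlisted port falls through every policy to the default-deny policy rather than being passed unfiltered.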
F. Ground 2: Claims 1, 3, 10, 12, 13, 14 and 22 are Obvious under 35 U.S.C. § 103(a) (pre-AIA) in light of Sonnenberg.
U.S. Patent No. 7,076,650 to Sonnenberg (hereinafter “Sonnenberg”)(Ex. 1007) discloses a “system and methods … for scanning a communication that is received at a firewall.” Ex. 1007 at 2:9-12.
The Sonnenberg system includes a firewall 102 having “proxies relating to different types of communications (e.g., differentiated by protocol) that the firewall will handle. Thus, in the illustrated embodiment firewall 102 includes FTP (File Transfer Protocol) proxy 150, HTTP (HyperText Transport Protocol) 152 and an additional proxy 154.” Id. at 5:31-36.
According to Sonnenberg, “firewall 102 examines communications (e.g., individual or sequences of packets, frames, etc.) received at the firewall and, based on firewall rules 102a, forwards to each installed and enabled proxy those communications that match its type and that are permitted to transit the firewall.” Ex. 1007 at 5:44-49. “Different proxies may be configured to handle different types of communications (e.g., FTP, HTTP, SMTP).” Id. at 2:25-27. According to Sonnenberg, “a proxy is also configured to scan the communications it handles for target content such as computer viruses, programming objects (e.g., ActiveX controls, Java applets), or general content such as pornography, advertisements, etc.” Id. at 2:27-31 (emphasis added). Each proxy has its own set of rules for processing the target content (i.e., application level content). Id. at 5:58-67; 14:8-30 (“In state 506 the FTP proxy examines its own rules to ensure that the desired FTP connection is permissible. … In state 512 the FTP proxy applies its rules.”); Fig. 5.
Claim Language Exemplary Citations to Disclosure
1. A computer-implemented method for processing application-level content of network service protocols, the method comprising:
Sonnenberg discloses a “method and apparatus are provided for cooperatively and dynamically sharing a proxy's burden of scanning communications for target content. A network of computer nodes is connected to a firewall through which pass communications with entities external to the network. The firewall includes one or more proxies to facilitate network users' connections with the external entities. The firewall and one or more of the nodes include software modules for scanning one or more types (e.g., FTP, HTTP, SMTP) of communications for particular information or types of data (e.g., computer viruses, ActiveX components, pornography, text)” (method for processing application level content of network service protocols). Ex. 1007 at Abstract. Sonnenberg discloses that “[f]or example, the methods described herein may be implemented in software executing on a computer system…” (computer-implemented method). Ex. 1007 at 3:62-64. See also Figs. 1A, 1B and 5; Ex. 1009 at ¶ 114.
1.(a) receiving an incoming network connection, at a networking subsystem of a firewall device, the incoming connection being characterized by a source network address, a destination network address and a network service protocol;
Sonnenberg discloses that “[i]n the illustrated embodiment of the invention firewall 102 examines communications (e.g., individual or sequences of packets, frames, etc.) received at the firewall and, based on firewall rules 102a, forwards to each installed and enabled proxy those communications that match its type and that are permitted to transit the firewall” (receiving an incoming network connection at a networking subsystem of a firewall device). Ex. 1007 at 5:44-49. Sonnenberg discloses that “[w]ithin a particular type of communication, however, attributes and criteria such as the following may be used to decide where a communication is scanned: … the source or destination of the communication (e.g., which node in the network, as determined by an IP address); …etc. One skilled in the art will appreciate that this is merely a listing of sample criteria and communication attributes that may be examined. In alternative embodiments of the invention other criteria and attributes may be used” (the incoming connection being characterized by a source network address, a destination network address and a network service protocol). Ex. 1007 at 7:5-27. See also Figs. 1B and 5; Ex. 1009 at ¶ 115.
1.(b) determining, by the networking subsystem, the network service protocol of the incoming network connection;
Sonnenberg discloses that “[i]n this embodiment firewall 102 includes proxies relating to different types of communications (e.g., differentiated by protocol) that the firewall will handle. Thus, in the illustrated embodiment firewall 102 includes FTP (File Transfer Protocol) proxy 150, HTTP (HyperText Transport Protocol) 152 and an additional proxy 154. Proxy 154 may represent another communication protocol (e.g., SMTP (Simple Mail Transport Protocol)) or may be a "plug" proxy configured to receive and/or establish connections for a particular application or communication service (e.g., AOL) operating on a node within the organization's network” (the network service protocol of the incoming network connection). Ex. 1007 at 5:31-41. Sonnenberg discloses that “[i]n the illustrated embodiment of the invention firewall 102 examines communications (e.g., individual or sequences of packets, frames, etc.) received at the firewall and, based on firewall rules 102a, forwards to each installed and enabled proxy those communications that match its type and that are permitted to transit the firewall. Illustratively, firewall rules 102a comprise a set of guidelines or instructions the firewall applies to determine whether to accept, reject or otherwise manipulate a particular communication. In particular, the firewall rules may specify what to do with each type of communication it receives. Thus, all FTP requests and responses concerning file accesses may be provided to FTP proxy 150 while HTTP proxy 152 receives HTTP communications” (determining, by the networking subsystem, the network service protocol of the incoming network connection). Ex. 1007 at 5:44-57; see also Ex. 1009 at ¶ 116.
1.(c) determining, by the networking subsystem, whether to allow or deny the incoming connection by identifying a matching firewall policy based on the source network address, the destination network address and the network service protocol and applying packet-layer firewall rules associated with the matching firewall policy;
Sonnenberg discloses that “[i]n the illustrated embodiment of the invention firewall 102 examines communications (e.g., individual or sequences of packets, frames, etc.) received at the firewall and, based on firewall rules 102a, forwards to each installed and enabled proxy those communications that match its type and that are permitted to transit the firewall. Illustratively, firewall rules 102a comprise a set of guidelines or instructions the firewall applies to determine whether to accept, reject or otherwise manipulate a particular communication” (determining, by the networking subsystem, whether to allow or deny the incoming connection by identifying a matching firewall policy). Ex. 1007 at 5:44-57. Sonnenberg discloses that “[v]arious criteria, rules and attributes of the communications to be scanned may be used to partition the communication scanning duties between a firewall and a computer node. Illustratively, the criteria, rules and attributes are stored by the proxy (e.g., as rules/criteria 150a for FTP proxy 150 in FIG. 1B) and/or the firewall (e.g., in firewall rules 102a). In one embodiment of the invention, responsibility for different types (e.g., FTP, HTTP, SMTP) of communications is, as described above, divided among different proxies in the firewall. Within a particular type of communication, however, attributes and criteria such as the following may be used to decide where a communication is scanned: … the source or destination of the communication (e.g., which node in the network, as determined by an IP address); …etc.” (determining, by the networking subsystem, whether to allow or deny the incoming connection by identifying a matching firewall policy based on the source network address, the destination network address and the network service protocol and applying packet-layer firewall rules associated with the matching firewall policy). Ex. 1007 at 7:5-24; see also Ex. 1009 at ¶ 117.
1.(d) if the incoming connection is allowed, then:
See limitation 1.(d)(i) below.
1.(d)(i) redirecting the incoming network connection, by the networking subsystem, to a proxy module of one or more proxy modules within the firewall device that is configured to support the network service protocol;
Sonnenberg discloses “In state 504 the firewall receives the connection request. … If the firewall has no rule against allowing the connection to proceed, it forwards the request to the appropriate (i.e., FTP) proxy. … In state 508 a communication containing the requested file is received at the firewall from the external entity. In state 510 the firewall again checks its rules, this time for incoming communications, to determine if the communication is allowable… In state 510 the firewall forwards the communication to the FTP proxy because it is an FTP communication.” Ex. 1007 at 14:8-29. See also id. at 5:31-36; Figs. 1B, 5; Ex. 1009 at ¶ 118.
1.(d)(ii) retrieving, by the proxy module, one or more content processing configuration schemes associated with the matching firewall policy, the one or more content processing configuration schemes each including a plurality of content processing configuration settings for each of one or more network service protocols; and
Sonnenberg discloses retrieving, by the proxy module, one or more content processing configuration schemes associated with the matching firewall policy: “As explained further below, each proxy may include a set of rules or criteria concerning whether and how the proxy should manipulate a communication. A proxy may, for example, be configured to allow or disallow communications through the firewall that relate to certain commands or actions (e.g., downloading a large image file, uploading a file from an internal node to an external entity). A proxy's rules may also specify whether the proxy should scan a communication that matches a specified type or that exhibits a particular attribute”. Ex. 1007 at 5:58-67. “In state 506 the FTP proxy examines its own rules to ensure that the desired FTP connection is permissible. If its rules allow, the proxy establishes a connection to the external entity on behalf of the requesting node, without revealing details of the node to the external entity. … In state 512 the FTP proxy applies its rules” (the one or more content processing configuration schemes each including a plurality of content processing configuration settings for each of one or more network service protocols). Ex. 1007 at 14:8-30. See also Figs. 1B and 5; Ex. 1009 at ¶ 119.
1.(d)(iii) processing, by the proxy module, application-level content of a packet stream associated with the incoming network connection by
Sonnenberg discloses that “[i]n this embodiment a firewall protects a network of user computer nodes and has one or more proxy modules installed. A proxy may be configured to establish connections or handle communications to external entities on behalf of internal network nodes. Different proxies may be configured to handle different types of communications (e.g., FTP, HTTP, SMTP). In this embodiment a proxy is also configured to scan the communications it handles for target content such as computer viruses, programming objects (e.g., ActiveX controls, Java applets), or general content such as pornography, advertisements, etc.” (processing, by the proxy module, application-level content of a packet stream associated with the incoming network connection). Ex. 1007 at 2:21-31. Sonnenberg also discloses that “[e]ach proxy is configured to handle communications of a particular type (e.g., a specific network or communication protocol) and decide whether to allow or disallow a communication based on predetermined criteria. One or more proxies are also configured to scan a communication for viruses, specified programming objects (e.g., ActiveX controls), other content (e.g., pornographic data) that is desirable or undesirable, etc.” (processing, by the proxy module, application-level content of a packet stream associated with the incoming network connection). Ex. 1007 at 4:19-26. See also id. at 14:8-15:7; Figs. 1B and 5; Ex. 1009 at ¶ 120.
1.(d)(iii)(A) reconstructing the application level content, including extracting and buffering content from a plurality of packets of the packet stream; and
Sonnenberg discloses that “[i]n this embodiment a proxy is also configured to scan the communications it handles for target content such as computer viruses, programming objects (e.g., ActiveX controls, Java applets), or general content such as pornography, advertisements, etc.” (application level content). Ex. 1007 at 2:27-31. In order to scan for “target content” (i.e., application level content), the proxy must reconstruct the application level content, including extracting and buffering content from a plurality of packets of the packet stream. Ex. 1009 at ¶ 121. See also Ex. 1007 at 14:30-48; Figs. 1B and 5.
Petitioner believes that it is inherent that in order to process and scan for “application level content,” packets received by the proxy must necessarily be reconstructed. The reconstruction of the application level content (i.e., the “target content” described in Sonnenberg) would necessarily include extracting and buffering content from a plurality of packets of the packet stream. Ex. 1009 at ¶ 122. Alternatively, one of ordinary skill in the art would understand that to process and scan for “application level content,” packets received by the proxy must necessarily be reconstructed by, e.g., extracting and buffering content from a plurality of packets of the packet stream. Ex. 1009 at ¶ 123. Thus, to the extent that the Board does not determine that this limitation is disclosed by Sonnenberg, Petitioner submits that Sonnenberg teaches or suggests it. Id.
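The sequence recited in limitations 1.(c) through 1.(d)(ii) (identify the service protocol, match a firewall policy on source address, destination address and protocol, apply that policy's packet-layer rule, and, if the connection is allowed, redirect it to the proxy for that protocol, which retrieves its own settings from the content processing configuration schemes tied to the policy) can be illustrated in working code. The Python below is an added example; it is not code from this petition, from Sonnenberg, or from the ’654 patent. The policy table, address ranges, port-to-protocol mapping, scheme names and settings are constructed for illustration, and treating "no matching policy" as deny is a design choice of the example. It also shows the point of claim 22(c)(iv): two connections under the same policy but different protocols receive different settings.

```python
"""Added illustration: policy match on (source, destination, protocol),
packet-layer allow/deny, then dispatch to a protocol-specific proxy that
retrieves its own settings from the schemes tied to the matched policy.
All policies, addresses and settings below are hypothetical."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Connection:
    src: str       # source network address
    dst: str       # destination network address
    dst_port: int  # used here to identify the service protocol


# Hypothetical mapping used by the networking subsystem to identify the
# service protocol; a real system could also inspect the stream's first bytes.
PORT_TO_PROTOCOL = {21: "FTP", 25: "SMTP", 80: "HTTP", 110: "POP3"}


@dataclass
class Scheme:
    """A content processing configuration scheme: one settings dict per protocol."""
    name: str
    settings: dict = field(default_factory=dict)


@dataclass
class Policy:
    name: str
    src_net: str
    dst_net: str
    protocols: frozenset   # service protocols the policy applies to
    action: str            # packet-layer rule: "allow" or "deny"
    schemes: list = field(default_factory=list)


def identify_protocol(conn):
    return PORT_TO_PROTOCOL.get(conn.dst_port, "UNKNOWN")


def match_policy(policies, conn, protocol):
    """First-match lookup on source address, destination address and protocol."""
    src, dst = ip_address(conn.src), ip_address(conn.dst)
    for policy in policies:
        if (src in ip_network(policy.src_net) and dst in ip_network(policy.dst_net)
                and protocol in policy.protocols):
            return policy
    return None  # no matching policy; the caller treats this as deny


class Proxy:
    def __init__(self, protocol):
        self.protocol = protocol

    def retrieve_settings(self, policy):
        """Pull this protocol's settings out of every scheme tied to the policy."""
        merged = {}
        for scheme in policy.schemes:
            merged.update(scheme.settings.get(self.protocol, {}))
        return merged


def handle_connection(policies, proxies, conn):
    """Networking subsystem: identify protocol, match policy, apply rule, redirect."""
    protocol = identify_protocol(conn)
    policy = match_policy(policies, conn, protocol)
    if policy is None or policy.action != "allow":
        return {"decision": "deny", "policy": policy.name if policy else None}
    proxy = proxies.get(protocol)
    if proxy is None:  # allowed at the packet layer but nothing can inspect it
        return {"decision": "deny", "policy": policy.name, "reason": "no proxy for " + protocol}
    return {"decision": "allow", "policy": policy.name, "proxy": protocol,
            "settings": proxy.retrieve_settings(policy)}


# Constructed configuration (hypothetical names and values).
AV_SCHEME = Scheme("av-strict", {
    "HTTP": {"antivirus": True, "block_activex": True, "max_file_mb": 10},
    "SMTP": {"antivirus": True, "quarantine_threshold": 5, "strip_executables": True},
})
WEB_FILTER_SCHEME = Scheme("web-filter", {"HTTP": {"blocked_categories": ["adult"]}})

POLICIES = [
    Policy("lan-to-internet", "10.0.0.0/8", "0.0.0.0/0",
           frozenset({"HTTP", "SMTP"}), "allow", [AV_SCHEME, WEB_FILTER_SCHEME]),
    Policy("no-ftp", "10.0.0.0/8", "0.0.0.0/0", frozenset({"FTP"}), "deny"),
]
PROXIES = {name: Proxy(name) for name in ("HTTP", "SMTP")}

if __name__ == "__main__":
    for port in (80, 25, 21, 110):
        print(port, handle_connection(POLICIES, PROXIES,
                                      Connection("10.1.2.3", "203.0.113.5", port)))
```

The HTTP proxy and the SMTP proxy read the same two schemes but come away with different settings, because each scheme carries a separate settings block per protocol; a connection whose protocol no policy covers, or whose policy is a deny rule, never reaches a proxy at all.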
Claim Language Exemplary Citations to Disclosure
1.(d)(iii)(B) scanning the application-level content based on the retrieved one or more content processing configuration schemes.
Sonnenberg discloses scanning the application-level content based on the retrieved one or more content processing configuration schemes: “In this embodiment a proxy is also configured to scan the communications it handles for target content such as computer viruses, programming objects (e.g., ActiveX controls, Java applets), or general content such as pornography, advertisements, etc.” Ex. 1007 at 2:27-31. “Each proxy is configured to handle communications of a particular type (e.g., a specific network or communication protocol) and decide whether to allow or disallow a communication based on predetermined criteria. One or more proxies are also configured to scan a communication for viruses, specified programming objects (e.g., ActiveX controls), other content (e.g., pornographic data) that is desirable or undesirable, etc.” Ex. 1007 at 4:19-26. See id. at 14:8-48; Figs. 1B and 5; Ex. 1009 at ¶ 123.
3. The method of claim 1, wherein during the identifying, the matching firewall policy is selected from a plurality of predefined firewall policies.
Sonnenberg discloses that “[i]n the illustrated embodiment of the invention firewall 102 examines communications (e.g., individual or sequences of packets, frames, etc.) received at the firewall and, based on firewall rules 102a, forwards to each installed and enabled proxy those communications that match its type and that are permitted to transit the firewall. Illustratively, firewall rules 102a comprise a set of guidelines or instructions the firewall applies to determine whether to accept, reject or otherwise manipulate a particular communication. In particular, the firewall rules may specify what to do with each type of communication it receives. Thus, all FTP requests and responses concerning file accesses may be provided to FTP proxy 150 while HTTP proxy 152 receives HTTP communications.” Ex. 1007 at 5:44-57; see also Ex. 1009 at ¶ 124.
10. A firewall system for processing application-level content of network service protocols, the firewall system comprising:
Sonnenberg discloses “[a] method and apparatus are provided for cooperatively and dynamically sharing a proxy's burden of scanning communications for target content. A network of computer nodes is connected to a firewall through which pass communications with entities external to the network. The firewall includes one or more proxies to facilitate network users' connections with the external entities. The firewall and one or more of the nodes include software modules for scanning one or more types (e.g., FTP, HTTP, SMTP) of communications for particular information or types of data (e.g., computer viruses, ActiveX components, pornography, text)” (a firewall system for processing application-level content of network service protocols). Ex. 1007 at abstract. “In particular, FIGS. 1A 1B demonstrate one system in which a communication is selectively scanned (e.g., for viruses and/or other desired or undesired content) at either a server (e.g., firewall) or an individual computer node that is the destination of the communication” (a firewall system for processing application-level content of network service protocols). Ex. 1007 at 4:51-55. See also Figs. 1A, 1B and 5; Ex. 1009 at ¶ 125.
10.(a) a non-transitory memory having stored therein a configuration database including a plurality of firewall policies and a plurality of content processing configuration schemes, each content processing configuration scheme of the plurality of content processing configuration schemes including a plurality of content processing configuration settings for each of a plurality of network protocols;
Sonnenberg discloses a configuration database including a plurality of firewall policies and a plurality of content processing configuration schemes. Ex. 1009 at ¶ 126. Sonnenberg discloses that “[t]he program environment in which a present embodiment of the invention is executed illustratively incorporates a general-purpose computer or a special purpose device such as a hand-held computer. Details of such devices (e.g., processor, memory, data storage and display) are well known and are omitted for the sake of clarity” (a non-transitory memory). Ex. 1007 at 3:54-59. Sonnenberg discloses that “[i]n the illustrated embodiment of the invention firewall 102 examines communications (e.g., individual or sequences of packets, frames, etc.) received at the firewall and, based on firewall rules 102a, forwards to each installed and enabled proxy those communications that match its type and that are permitted to transit the firewall. Illustratively, firewall rules 102a comprise a set of guidelines or instructions the firewall applies to determine whether to accept, reject or otherwise manipulate a particular communication. In particular, the firewall rules may specify what to do with each type of communication it receives. Thus, all FTP requests and responses concerning file accesses may be provided to FTP proxy 150 while HTTP proxy 152 receives HTTP communications” (plurality of firewall policies). Ex. 1007 at 5:44-57. Sonnenberg discloses “As explained further below, each proxy may include a set of rules or criteria concerning whether and how the proxy should manipulate a communication. A proxy may, for example, be configured to allow or disallow communications through the firewall that relate to certain commands or actions (e.g., downloading a large image file, uploading a file from an internal node to an external entity). A proxy's rules may also specify whether the proxy should scan a communication that matches a specified type or that exhibits a particular attribute” (each content processing configuration scheme of the plurality of content processing configuration schemes including a plurality of content processing configuration settings for each of a plurality of network protocols). Ex. 1007 at 5:58-67. Sonnenberg discloses that “[v]arious criteria, rules and attributes of the communications to be scanned may be used to partition the communication scanning duties between a firewall and a computer node. Illustratively, the criteria, rules and attributes are stored by the proxy (e.g., as rules/criteria 150a for FTP proxy 150 in FIG. 1B) and/or the firewall (e.g., in firewall rules 102a). In one embodiment of the invention, responsibility for different types (e.g., FTP, HTTP, SMTP) of communications is, as described above, divided among different proxies in the firewall. Within a particular type of communication, however, attributes and criteria such as the following may be used to decide where a communication is scanned: … the source or destination of the communication (e.g., which node in the network, as determined by an IP address); …etc.” (each content processing configuration scheme of the plurality of content processing configuration schemes including a plurality of content processing configuration settings for each of a plurality of network protocols). Ex. 1007 at 7:5-24; see also Ex. 1009 at ¶ 126.
10.(b) a networking interface operable to receive a network connection;
Sonnenberg discloses that “[i]n a system employing one embodiment of the invention a firewall operates astride a communication link between an organization's network (e.g., a LAN) and external networks and computer systems (e.g., the Internet). The firewall includes one or more proxy modules to handle certain types of communications passing through the firewall. Each proxy is configured to handle communications of a particular type (e.g., a specific network or communication protocol) and decide whether to allow or disallow a communication based on predetermined criteria. One or more proxies are also configured to scan a communication for viruses, specified programming objects (e.g., ActiveX controls), other content (e.g., pornographic data) that is desirable or undesirable, etc.” Ex. 1007 at 4:12-26; see also Ex. 1009 at ¶ 127.
10.(c) one or more proxy modules each operable to support one or more network protocols of the plurality of network protocols; and
Sonnenberg discloses that “[i]n this embodiment firewall 102 includes proxies relating to different types of communications (e.g., differentiated by protocol) that the firewall will handle. Thus, in the illustrated embodiment firewall 102 includes FTP (File Transfer Protocol) proxy 150, HTTP (HyperText Transport Protocol) 152 and an additional proxy 154.” Ex. 1007 at 5:31-36. See also Figs. 1B and 5; Ex. 1009 at ¶ 128.
10.(d) a networking subsystem operable to (i) receive the network connection from the networking interface,
Sonnenberg discloses that “[i]n the illustrated embodiment of the invention firewall 102 examines communications (e.g., individual or sequences of packets, frames, etc.) received at the firewall and, based on firewall rules 102a, forwards to each installed and enabled proxy those communications that match its type and that are permitted to transit the firewall.” Ex. 1007 at 5:44-49. See also id. at 7:5-27; Figs. 1B, 5; Ex. 1009 at ¶ 129.
10.(d)(ii) apply packet-layer firewall rules associated with a firewall policy of the plurality of firewall policies that is appropriate for the network connection and
Sonnenberg discloses that “[i]n the illustrated embodiment of the invention firewall 102 examines communications (e.g., individual or sequences of packets, frames, etc.) received at the firewall and, based on firewall rules 102a, forwards to each installed and enabled proxy those communications that match its type and that are permitted to transit the firewall. Illustratively, firewall rules 102a comprise a set of guidelines or instructions the firewall applies to determine whether to accept, reject or otherwise manipulate a particular communication. In particular, the firewall rules may specify what to do with each type of communication it receives. Thus, all FTP requests and responses concerning file accesses may be provided to FTP proxy 150 while HTTP proxy 152 receives HTTP communications” (apply packet-layer firewall rules associated with a firewall policy of the plurality of firewall policies that is appropriate for the network connection). Ex. 1007 at 5:44-57. See also Ex. 1007 at 7:5-24; Ex. 1009 at ¶ 130.
10.(d)(iii) redirect the network connection to a proxy module of the one or more proxy modules based on a network protocol associated with the network connection if the network connection is allowed by the packet-layer firewall rules; and
Sonnenberg discloses redirecting the network connection to a proxy module of the one or more proxy modules based on a network protocol associated with the network connection if the network connection is allowed by the packet-layer firewall rules: “In state 504 the firewall receives the connection request. … If the firewall has no rule against allowing the connection to proceed, it forwards the request to the appropriate (i.e., FTP) proxy. … In state 508 a communication containing the requested file is received at the firewall from the external entity. In state 510 the firewall again checks its rules, this time for incoming communications, to determine if the communication is allowable. … In state 510 the firewall forwards the communication to the FTP proxy because it is an FTP communication.” Ex. 1007 at 14:8-29. “In this embodiment firewall 102 includes proxies relating to different types of communications (e.g., differentiated by protocol) that the firewall will handle. Thus, in the illustrated embodiment firewall 102 includes FTP (File Transfer Protocol) proxy 150, HTTP (HyperText Transport Protocol) 152 and an additional proxy 154.” Ex. 1007 at 5:31-36. See also Figs. 1B and 5; Ex. 1009 at ¶ 131.
10.(e) wherein the proxy module processes application-level content of a packet stream associated with the network connection by
Sonnenberg discloses that “[i]n this embodiment a firewall protects a network of user computer nodes and has one or more proxy modules installed. A proxy may be configured to establish connections or handle communications to external entities on behalf of internal network nodes. Different proxies may be configured to handle different types of communications (e.g., FTP, HTTP, SMTP). In this embodiment a proxy is also configured to scan the communications it handles for target content such as computer viruses, programming objects (e.g., ActiveX controls, Java applets), or general content such as pornography, advertisements, etc.” Ex. 1007 at 2:21-31. See also Ex. 1007 at 4:19-26; 14:8-15:7; Figs. 1B and 5.
10.(e)(i) reconstructing the application-level content, including extracting and buffering content from a plurality of packets of the packet stream; and
Sonnenberg discloses that “[i]n this embodiment a proxy is also configured to scan the communications it handles for target content such as computer viruses, programming objects (e.g., ActiveX controls, Java applets), or general content such as pornography, advertisements, etc.” (application-level content). Ex. 1007 at 2:27-31. In order to scan for “target content” (i.e., application level content), the proxy must reconstruct the application level content, including extracting and buffering content from a plurality of packets of the packet stream. Ex. 1009 at ¶ 133. See also Ex. 1007 at 14:30-48; Figs. 1B, 5.
Petitioner believes that it is inherent that in order to process and scan for “application level content,” packets received by the proxy must necessarily be reconstructed. The reconstruction of the application level content (i.e., the “target content” described in Sonnenberg) would necessarily include extracting and buffering content from a plurality of packets of the packet stream. Ex. 1009 at ¶ 133. Alternatively, one of ordinary skill in the art would understand that to process and scan for “application level content,” packets received by the proxy must necessarily be reconstructed by, e.g., extracting and buffering content from a plurality of packets of the packet stream. Ex. 1009 at ¶ 133. Thus, to the extent that the Board does not determine that this limitation is disclosed by Sonnenberg, Petitioner submits that Sonnenberg teaches or suggests it. Id.
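The inherency argument made above for limitation 1.(d)(iii)(A) and repeated here for limitation 10.(e)(i) rests on a concrete property of TCP streams: application-level content is split across packets, which may arrive out of order or be retransmitted, so a scanner that inspects each packet on its own can miss a pattern that straddles a packet boundary, while a proxy that buffers the payloads by sequence number and scans the reassembled content does not. The Python below is an added example; it is not code from this petition, from Sonnenberg, or from the ’654 patent. The HTTP response, the segment boundaries and the two signature strings are constructed for illustration, and the reassembler is a deliberately minimal in-order buffer rather than a complete TCP implementation.

```python
"""Added illustration: buffer the payloads of a proxied TCP stream by
sequence number, rebuild the contiguous application-level content, and
scan it. Signatures, segment boundaries and the sample response are
constructed for this example."""

# Hypothetical signatures a proxy's scheme might tell it to look for.
SIGNATURES = {
    "activex-object": b'classid="clsid:',
    "java-applet": b"<applet",
}


class StreamReassembler:
    """Minimal in-order reassembly: out-of-order segments wait in `pending`
    until the bytes before them have arrived; duplicates are dropped."""

    def __init__(self, initial_seq):
        self.next_seq = initial_seq   # sequence number of the next byte we need
        self.pending = {}             # seq -> payload, for segments received early
        self.buffer = bytearray()     # contiguous application-level content so far

    def add_segment(self, seq, payload):
        if seq + len(payload) <= self.next_seq:
            return                     # retransmission of data we already have
        if seq < self.next_seq:        # partial overlap: keep only the new tail
            payload = payload[self.next_seq - seq:]
            seq = self.next_seq
        self.pending[seq] = payload
        while self.next_seq in self.pending:   # drain everything now contiguous
            data = self.pending.pop(self.next_seq)
            self.buffer.extend(data)
            self.next_seq += len(data)

    def content(self):
        return bytes(self.buffer)


def scan(data, signatures=SIGNATURES):
    """Return the names of all signatures present in `data`."""
    return sorted(name for name, sig in signatures.items() if sig in data)


def scan_per_packet(segments):
    """What a scanner sees if it inspects each packet payload on its own."""
    hits = set()
    for _seq, payload in segments:
        hits.update(scan(payload))
    return sorted(hits)


def scan_reassembled(segments, initial_seq):
    """Reconstruct the stream first, then scan the application-level content."""
    reassembler = StreamReassembler(initial_seq)
    for seq, payload in segments:
        reassembler.add_segment(seq, payload)
    content = reassembler.content()
    return scan(content), content


def segment(data, cuts, initial_seq):
    """Split `data` at byte offsets `cuts` into (seq, payload) segments."""
    bounds = [0] + list(cuts) + [len(data)]
    return [(initial_seq + a, data[a:b]) for a, b in zip(bounds, bounds[1:])]


# Constructed sample: an HTTP response carrying an ActiveX object and a Java applet.
PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        b'<html><body><object classid="clsid:00000000-0000-0000-0000-000000000000">'
        b'</object><applet code="Demo.class"></applet></body></html>')
INITIAL_SEQ = 1000  # hypothetical first sequence number of the payload
_sig_at = PAGE.index(SIGNATURES["activex-object"])
# The first cut lands inside the ActiveX signature, so no single packet contains it.
IN_ORDER = segment(PAGE, [_sig_at + 5, _sig_at + 40], INITIAL_SEQ)
# Delivery as the proxy might see it: reordered, plus one retransmitted segment.
OUT_OF_ORDER = [IN_ORDER[2], IN_ORDER[0], IN_ORDER[1], IN_ORDER[0]]

if __name__ == "__main__":
    print("per-packet:", scan_per_packet(OUT_OF_ORDER))
    hits, content = scan_reassembled(OUT_OF_ORDER, INITIAL_SEQ)
    print("reassembled:", hits, "intact:", content == PAGE)
```

Run stand-alone, the per-packet pass reports only the applet tag (which happens to sit entirely inside one segment), while the reassembled pass reports both signatures and yields the original response byte for byte despite the reordering and the duplicate segment; that gap is exactly what the "extracting and buffering content from a plurality of packets" step closes.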
Claim Language Exemplary Citations to Disclosure
10.(e)(ii) scanning the application-level content based on one or more content processing configuration schemes of the plurality of content processing configuration schemes that have been associated with the firewall policy by an administrator of the firewall system.
Sonnenberg discloses scanning the application-level content based on one or more content processing configuration schemes of the plurality of content processing configuration schemes that have been associated with the firewall policy by an administrator of the firewall system: “In this embodiment a proxy is also configured to scan the communications it handles for target content such as computer viruses, programming objects (e.g., ActiveX controls, Java applets), or general content such as pornography, advertisements, etc.” Ex. 1007 at 2:27-31. “Each proxy is configured to handle communications of a particular type (e.g., a specific network or communication protocol) and decide whether to allow or disallow a communication based on predetermined criteria. One or more proxies are also configured to scan a communication for viruses, specified programming objects (e.g., ActiveX controls), other content (e.g., pornographic data) that is desirable or undesirable, etc.” Ex. 1007 at 4:19-26. See also id. at 14:8-48; Figs. 1B, 5; Ex. 1009 at ¶ 134.
12. The firewall system of claim 10, wherein the processing of application-level content by the proxy module comprises applying filters to the application-level content.
Sonnenberg discloses that “[i]n this embodiment a proxy is also configured to scan the communications it handles for target content such as computer viruses, programming objects (e.g., ActiveX controls, Java applets), or general content such as pornography, advertisements, etc.” (processing of application content). Ex. 1007 at 2:27-31; see also Ex. 1007 at 4:19-26. Sonnenberg discloses that “[v]irtually any type of scanning module may be installed regardless of the type of content they scan for (e.g., digital signatures, watermarks or other hidden characteristics within images, etc.).” Ex. 1007 at 7:56-60. Digital signatures are processed using filters (applying filters to the application-level content). Ex. 1009 at ¶ 135.
13. A non-transitory computer-readable storage medium tangibly embodying instructions, which when executed by a firewall system, cause the firewall system to perform a method for processing application-level content, the method comprising:
Sonnenberg discloses that “[f]or example, the methods described herein may be implemented in software executing on a computer system, or implemented in hardware utilizing either a combination of microprocessors or other specially designed application specific integrated circuits, programmable logic devices, or various combinations thereof. In particular, the methods described herein may be implemented by a series of computer-executable instructions residing on a storage medium such as a carrier wave, disk drive, or computer-readable medium” (non-transitory computer-readable storage medium tangibly embodying instructions, which when executed by a firewall system, cause the firewall system to perform a method for processing application-level content). Ex. 1007 at 3:62-4:4. See also preamble of claim 1; Ex. 1009 at ¶ 136.
Sonnenberg also renders obvious limitations 13.(a) to 13.(c)(iii)(B):
Claim Language Exemplary Citations to Disclosure
13.(a) determining, by a networking subsystem of the firewall system, the network service protocol of the incoming network connection, the incoming connection being characterized by a source network address, a destination network address and a network service protocol;
See claim limitations 1.(a) and 1.(b). See also Ex. 1009 at ¶ 137.
13.(b) determining, by the networking subsystem, whether to allow or deny the incoming connection by identifying a matching firewall policy based on the source network address, the destination network address and the network service protocol and applying packet-layer firewall rules associated with the matching firewall policy;
See claim limitation 1.(c).
13.(c) if the incoming connection is allowed, then:
See claim limitation 1.(d).
13.(c)(i) redirecting the incoming network connection, by the networking subsystem, to a proxy module of one or more proxy modules of the firewall system that is configured to support the network service protocol;
See claim limitation 1.(d)(i).
13.(c)(ii) retrieving, by the proxy module, one or more content processing configuration schemes associated with the matching firewall policy, the one or more content processing configuration schemes each including a plurality of content processing configuration settings for each of one or more network service protocols; and
See claim limitation 1.(d)(ii).
13.(c)(iii) processing, the proxy module, application-level content of a packet stream associated with the incoming network connection by
See claim limitation 1.(d)(iii).
13.(c)(iii)(A) reconstructing the application level content, including extracting and buffering content from a plurality of packets of the packet stream; and
See claim limitation 1.(d)(iii)(A).
13.(c)(iii)(B) scanning the application-level content based on the retrieved one or more content processing configuration schemes.
See claim limitation 1.(d)(iii)(B).
Sonnenberg also renders obvious claims 14 and 22(a):
Claim Language Exemplary Citations to Disclosure
14. The computer-readable storage medium of claim 13, wherein the network service protocol comprises at least one of a group consisting of HyperText Transfer Protocol (HTTP), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Post Office Protocol 3 (POP3), Internet Message Access Protocol (IMAP) and Server Message Block/Common Internet File System (SMB/CIFS).
Sonnenberg discloses that “[d]ifferent proxies may be configured to handle different types of communications (e.g., FTP, HTTP, SMTP).” Ex. 1007 at 2:25-27; see also Ex. 1007 at 7:11-14. See also Ex. 1009 at ¶ 138.
22. The method of claim 1, further comprising: (a) receiving, by the networking subsystem, a second incoming network connection associated with a second network service protocol that is different from the network service protocol;
Sonnenberg discloses that “[i]n the illustrated embodiment of the invention firewall 102 examines communications (e.g., individual or sequences of packets, frames, etc.) received at the firewall and, based on firewall rules 102a, forwards to each installed and enabled proxy those communications that match its type and that are permitted to transit the firewall. Illustratively, firewall rules 102a comprise a set of guidelines or instructions the firewall applies to determine whether to accept, reject or otherwise manipulate a particular communication. In particular, the firewall rules may specify what to do with each type of communication it receives. Thus, all FTP requests and responses concerning file accesses may be provided to FTP proxy 150 while HTTP proxy 152 receives HTTP communications.” Ex. 1007 at 5:44-57. See claim limitation 1.(a); Ex. 1009 at ¶ 139.
Sonnenberg also renders obvious limitations 22.(b) to 22.(c)(iv):
Claim Language Exemplary Citations to Disclosure
22.(b) determining, by the networking subsystem, whether to allow or deny the second incoming connection based on the matching firewall policy and applying packet-layer firewall rules associated with the matching firewall policy;
See claim limitation 1.(c).
22.(c) if the second incoming connection is allowed, then:
See claim limitation 1.(d).
22.(c)(i) redirecting the second incoming network connection to a second proxy module of one or more proxy modules within the firewall device that is configured to support the second network service protocol;
See claim limitation 1.(d)(i).
22.(c)(ii) retrieving, by the second proxy module, the one or more content processing configuration schemes associated with the matching firewall policy; and
See claim limitation 1.(d)(ii).
22.(c)(iii) processing, by the second proxy module, application-level content of a packet stream associated with the second incoming network connection by
See claim limitation 1.(d)(iii).
22.(c)(iii)(A) reconstructing the application-level content of the packet stream associated with the second incoming network connection, including extracting and buffering content from a plurality of packets of the packet stream; and
See claim limitation 1.(d)(iii)(A).
22.(c)(iii)(B) scanning the application-level content of the packet stream associated with the second incoming network connection based on the retrieved one or more content processing configuration schemes; and
See claim limitation 1.(d)(iii)(B).
22.(c)(iv) wherein the plurality of content processing configuration settings for the network service protocol are different from the plurality of content processing configuration settings for the second network service protocol.
See claim limitations 1.(a) and 1.(d)(iii). Sonnenberg’s proxy rules are different from each other. Ex. 1009 at ¶ 140.
G. Ground 3: Claims 19, 20, and 28 are Obvious under 35 U.S.C. § 103(a) (pre-AIA) in light of Taylor in view of Astaro.
Astaro Security Linux V5 User Manual (“Astaro”) accompanied the Astaro Security Linux V5 Internet security system. Astaro is prior art to the ’654 patent at least under 35 U.S.C. §102(b) (pre-AIA) because it was published and publicly available in the United States on October 24, 2004 and therefore pre-dates by more than one year the earliest possible priority date on the face of the ’654 patent (Nov. 22, 2005). Ex. 1008 at labeled page 2 (all other cites to Astaro’s page numbers).
Astaro discloses a computer-implemented security system including a firewall system. Ex. 1008 at 11. The firewall system combined several network components to provide “protection against unauthorized access”, “access control”, “protocol analysis”, “concealing internal network structure”, and “separation of servers and clients using proxies” among other features. Ex. 1008 at 11. The Astaro firewall system includes network layer firewalls and application layer gateways. Id. at 12-13. The application layer gateways “act as a middleman in connections between external systems and protected ones” by translating data packets. Id. at 13. The translation process is called a proxy and each proxy “is able to analyze and log protocol usage at a fine-grained level, and thereby offer a wide range of monitoring and security options.” Id. Included in these options is the ability to authenticate and filter users as well as create user groups. Ex. 1008 at 123 and 227. See also id. at 37, 75-77, 83, and 85. Furthermore, Astaro allows the system administrator to employ a content filter in the proxy which “scans e-mails and attachments passing through the proxy for dangerous contents such as viruses or Trojan horses.” Id. at 250. Flagged messages can then be quarantined based on set thresholds. Id. at 251. The Astaro firewall also features a “File Extension Filter” to filter files. Id. at 262.
It would have been obvious to one of skill in the art to combine the
disclosures of Taylor and Astaro, and there would have been motivation to
combine them, at least because both involve improving computer implemented
network security systems using firewall systems having both network and
application layer filtering. Ex. 1009 at ¶ 141. Additionally, both Taylor and
Astaro seek to provide greater flexibility and control over network security. Ex.
1006 at 4:8-13; Ex. 1008 at 35. Both references provide network and application
level firewall protections. Ex. 1006 at 3:33-39; Ex. 1008 at 12-13. Finally, the
firewall systems of both Taylor and Astaro allow the administrator to dictate how
data flows in the network based on user defined rules and policies. Ex. 1006 at
3:54-65, Ex. 1008 at 196-199. For at least these reasons, the combination of these
disclosures would not go beyond combining known elements to yield predictable
results. Ex. 1009 at ¶ 141.
Claim Language Exemplary Citations to Disclosure
19. The computer-readable storage medium of claim 18, wherein the authenticated user is associated with one or more user groups.
Astaro discloses, “The SOCKSv5, SMTP, and HTTP services can be configured to allow or disallow clients based on IP address or on username and password combinations. In order to use User Authentication, you must select at least one database against which the security system should authenticate users” (user authentication). Ex. 1008 at 73. Astaro also discloses “RADIUS stands for Remote Authentication Dial In User Service and is a protocol for allowing network devices (e.g., routers) to authenticate users against a central database” (user authentication). Ex. 1008 at 74. Astaro further discloses “[t]he Filters function allows you to filter Users with specific attributes from the table. This function considerably enhances the management of huge network configurations, as users of a certain type can be presented in a concise way” (user is associated with one or more user groups). Ex. 1008 at 123. Astaro also discloses “[t]o give Internet access to a user, he must be assigned to a specific profile in the Profiles-table. If you have already defined the group in your Active Directory (AD) you must give the same name to the profile (e. g. http_access) as to the group in the tab service. Like that, you only need to define those profiles for the user group, for which the access to specific websites shall be prevented” (user is associated with one or more user groups). Ex. 1008 at 227. See also id. at 37 (“Allowed Users”), 83 (“group membership”), and 85 (“grant privileges on the basis of group memberships…”); Ex. 1009 at ¶ 142.
20. The computer-readable storage medium of claim 19, wherein the retrieved one or more content processing configuration schemes are assigned to the one or more user groups.
Astaro also discloses “[t]o give Internet access to a user, he must be assigned to a specific profile in the Profiles-table. If you have already defined the group in your Active Directory (AD) you must give the same name to the profile (e. g. http_access) as to the group in the tab service. Like that, you only need to define those profiles for the user group, for which the access to specific websites shall be prevented” (user is associated with one or more user groups). Ex. 1008 at 227. See also id. at 37 (“Allowed Users”), 83 (“group membership”), and 85 (“grant privileges on the basis of group memberships…”); Ex. 1009 at ¶ 143.
28. The firewall system of claim 10, wherein the network service protocol comprises File Transfer Protocol (FTP) and wherein the plurality of content processing configuration settings include content processing configuration settings for each of antivirus scanning, filename blocking and quarantining.
Taylor discloses, “[f]or instance, this rule is useful for protocols such as File Transfer Protocol (FTP), which sends data packets on a different connection after establishing the connection. Other filtering rules are also possible such as not applying any filtering or applying a proxy filter at the application layer to all packets received on a specific connection” (wherein the network service protocol comprises File Transfer Protocol (FTP)). Ex. 1006 at 6:37-40. Astaro discloses, “The Surf Protection Profiles function allows you to produce profiles, which prevent access to certain websites… Each Surf Protection Profile additionally contains a Content Filter with protection mechanisms. Those protection mechanisms are: • Virus Protection (VP) • Embedded Object Filter • Script Content Filter” (plurality of content processing configuration settings include content processing configuration settings for each of antivirus scanning). Ex. 1008 at 233. Astaro also discloses, “Virus Protection: This option scans e-mails and attachments passing through the proxy for dangerous contents such as viruses or Trojan horses” (antivirus scanning). Ex. 1008 at 250. Astaro discloses the ability to set quarantines: “Quarantine: The e-mail will be accepted, but kept in quarantine. The Proxy Content Manager menu will list this e-mail with status Quarantine. This menu presents further options, including options to read or to send the message” (quarantining). Ex. 1008 at 251. Astaro also discloses, “File Extension Filter This function allows the firewall to selectively filter attachments based on their file extensions. The extensions to filter can be selected in the Extensions list tool” (filename blocking). Ex. 1008 at 262; see also Ex. 1009 at ¶ 144.
H. Ground 4: Claims 4, 18-20, and 28 are Obvious under 35 U.S.C. §
103(a) (pre-AIA) in light of Sonnenberg in view of Astaro.
It would have been obvious to one of skill in the art to combine the
disclosures of Sonnenberg and Astaro, and there would have been motivation to
combine them, at least because both involve improving computer implemented
network security systems using firewall systems having both network and
application layer filtering. Ex. 1009 at ¶ 145. Additionally, both Sonnenberg and
Astaro seek to provide greater flexibility and control over network security. Ex.
1007 at 2:38-45; Ex. 1008 at 35. Both references provide network and application
level firewall protections. Ex. 1007 at 2:21-31; Ex. 1008 at 12-13. Finally, the
firewall systems of both Taylor and Astaro allow the administrator to dictate how
data flows in the network based on user defined rules and policies. Ex. 1007 at
2:33-37, Ex. 1008 at 196-199. For at least these reasons, the combination of these
disclosures would not go beyond combining known elements to yield predictable
results. Ex. 1009 at ¶ 145.
Claim Language Exemplary Citations to Disclosure
4. The method of claim 3, wherein if the plurality of predefined firewall policies does not contain the matching firewall policy, a default firewall policy is identified as the matching firewall policy.
Sonnenberg discloses, “[i]n one embodiment of the invention a base or default set of rules and criteria may be specified by a system or network administrator. These rules may determine which network nodes may scan some or all of their communications, when (e.g., time of day, level of firewall or proxy activity) the proxy may leave a communication to be scanned by its destination node, a minimum security configuration a node may have to in order to be able to scan communications, etc.” Ex. 1007 at 2:38-45. Astaro discloses, “The Rules menu allows you to define packet filter sets of rules. These rules are defined with the help of the network and service definitions. In general, there are two basic kinds of packet filtering policy: • Default allow – the rules explicitly define which packets are blocked; all others are allowed. • Default deny – the rules explicitly define which packets are allowed; all others are dropped” (if the plurality of predefined firewall policies does not contain the matching firewall policy, a default firewall policy is identified as the matching firewall policy). Ex. 1008 at 202. See also id. at 237; Ex. 1009 at ¶ 146.
18. The computer-readable storage medium of claim 13, wherein the method further comprises authenticating a user associated with the incoming connection and rejecting the incoming connection if the authentication is unsuccessful.
Astaro discloses, “The SOCKSv5, SMTP, and HTTP services can be configured to allow or disallow clients based on IP address or on username and password combinations. In order to use User Authentication, you must select at least one database against which the security system should authenticate users” (authenticating a user associated with the incoming connection and rejecting the incoming connection if the authentication is unsuccessful). Ex. 1008 at 73. See also Ex. 1009 at ¶ 147.
19. The computer-readable storage medium of claim 18, wherein the authenticated user is associated with one or more user groups.
Astaro discloses, “The SOCKSv5, SMTP, and HTTP services can be configured to allow or disallow clients based on IP address or on username and password combinations. In order to use User Authentication, you must select at least one database against which the security system should authenticate users” (user authentication). Ex. 1008 at 73. Astaro also discloses “RADIUS stands for Remote Authentication Dial In User Service and is a protocol for allowing network devices (e.g., routers) to authenticate users against a central database” (user authentication). Ex. 1008 at 74. Astaro further discloses “[t]he Filters function allows you to filter Users with specific attributes from the table. This function considerably enhances the management of huge network configurations, as users of a certain type can be presented in a concise way” (user is associated with one or more user groups). Ex. 1008 at 123. Astaro also discloses “[t]o give Internet access to a user, he must be assigned to a specific profile in the Profiles-table. If you have already defined the group in your Active Directory (AD) you must give the same name to the profile (e. g. http_access) as to the group in the tab service. Like that, you only need to define those profiles for the user group, for which the access to specific websites shall be prevented” (user is associated with one or more user groups). Ex. 1008 at 227. See also id. at 37 (“Allowed Users”); 83 (“group membership”); 85 (“grant privileges on the basis of group memberships…”); 75 (“Create a user group for every proxy to be used.”); 76 (“Windows group of user…”); Ex. 1009 at ¶ 148.
20. The computer-readable storage medium of claim 19, wherein the retrieved one or more content processing configuration schemes are assigned to the one or more user groups.
Astaro also discloses “[t]o give Internet access to a user, he must be assigned to a specific profile in the Profiles-table. If you have already defined the group in your Active Directory (AD) you must give the same name to the profile (e. g. http_access) as to the group in the tab service. Like that, you only need to define those profiles for the user group, for which the access to specific websites shall be prevented” (user is associated with one or more user groups). Ex. 1008 at 227. See also id. at 37(“Allowed Users”); 83(“group membership”); 85(“grant privileges on the basis of group memberships…”); 75(“Create a user group for every proxy to be used.”); 76(“Windows group of user…”); Ex. 1009 at ¶ 149.
28. The firewall system of claim 10, wherein the network service protocol comprises File Transfer Protocol (FTP) and wherein the plurality of content processing configuration settings include content processing configuration settings for each of antivirus scanning, filename blocking and quarantining.
Sonnenberg discloses, “[i]n state 510 the firewall forwards the communication to the FTP proxy because it is an FTP communication.” Ex. 1007 at 14:8-48. Sonnenberg discloses, “[i]n state 512 the FTP proxy applies its rules. Illustratively, the proxy first determines whether it or the firewall can scan the communication. In this embodiment a scanning module (e.g., a virus scanner) has already been installed and configured on the firewall, so this determination is settled affirmatively. … Otherwise, if the proxy has not off-loaded its responsibility for scanning this communication to the node, in state 514 it scans the file with a scanning module and, if the communication (e.g., the requested file) passes the scan (e.g., contains no detectable computer viruses) it is forwarded to the node, after which the procedure ends at state 520.” Ex. 1007 at 14:30-41. Sonnenberg discloses, “[o]ne of ordinary skill in the art will appreciate the large number of configurable parameters that may be part of various scanning modules (e.g., file type, file size, time, type of content to scan for, identity of a node or user, level of trust).” Ex. 1007 at 8:29-33. Astaro discloses, “[e]ach Surf Protection Profile additionally contains a Content Filter with protection mechanisms. Those protection mechanisms are: • Virus Protection (VP) • Embedded Object Filter • Script Content Filter” (plurality of content processing configuration settings include content processing configuration settings for each of antivirus scanning). Ex. 1008 at 233. Astaro also discloses, “Virus Protection: This option scans e-mails and attachments passing through the proxy for dangerous contents such as viruses or Trojan horses” (antivirus scanning). Ex. 1008 at 250. Astaro discloses the ability to set quarantines: “Quarantine: The e-mail will be accepted, but kept in quarantine. The Proxy Content Manager menu will list this e-mail with status Quarantine. This menu presents further options, including options to read or to send the message” (quarantining). Ex. 1008 at 251. Astaro also discloses, “File Extension Filter This function allows the firewall to selectively filter attachments based on their file extensions. The extensions to filter can be selected in the Extensions list tool” (filename blocking). Ex. 1008 at 262; see also Ex. 1009 at ¶ 150.
IV. CONCLUSION
For the foregoing reasons, Petitioner requests that the Board institute trial
and cancel claims 1, 3, 4, 10, 12-14, 18, 19, 20, 22, and 28 of the ’654 patent.
Dated: March 20, 2015 Respectfully Submitted,
/Gianni Minutoli/
Gianni Minutoli
Reg. No. 41,198
[email protected]
Postal and Hand Delivery Address:
DLA Piper LLP (US)
One Fountain Square
11911 Freedom Drive, Suite 300
Reston, VA 20190-5602
Phone: 703-773-4045
Fax: 202-799-5125

Ryan W. Cobb
Reg. No. 64,598
[email protected]
Phone: 650-833-2235
Fax: 650-833-2001

Harpreet Singh
Reg. No. 71,842
[email protected]
Phone: 650-833-2191
Fax: 650-687-1191

Postal and Hand Delivery Address:
DLA Piper LLP (US)
2000 University Ave
East Palo Alto, CA 94303

Attorneys for Petitioner Sophos Ltd. and Sophos Inc.
CERTIFICATE OF SERVICE
The undersigned certifies service pursuant to 37 C.F.R. §§ 42.6(e)
and 42.105(b) on the Patent Owner by UPS Overnight Delivery of a copy of this
Petition for Inter Partes Review and supporting materials at the following
correspondence address of record for the ’654 Patent:
Michael DeSanctis
Hamilton DeSanctis & Cha LLP
Financial Plaza At Union Square
225 Union Boulevard, Suite 150
Lakewood, CO 80228
Dated: March 20, 2015
/Gianni Minutoli/
Gianni Minutoli
Registration No. 41,198
DLA PIPER LLP (US)
11911 Freedom Drive, Suite 300
Reston, Virginia 20190-5602
Phone: (703) 773-4045
Fax: (703) 773-5019