DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This office action is in response to communication/amendment filed on 10/20/2025.
Status of claims in the instant application:
Claims 1-20 are pending.
No claim has been canceled.
No new claim has been added.
Claims 1-4, 6, 9-10, 12-13 and 15-20 have been amended.
Information Disclosure Statement
The Information Disclosure Statement (IDS) filed on 10/20/2025 has been considered, and signed copies of the forms have been attached to this office action.
Response to Arguments
Applicant’s arguments, see page [10] of the remarks filed on 10/10/2025 with respect to objection to specification (abstract) have been fully considered in view of the amendments and are persuasive. Therefore, the specification (abstract) objection has been withdrawn.
Applicant has filed an updated/corrected abstract.
Applicant’s arguments, see page [10] of the remarks filed on 10/10/2025 with respect to objection to claims have been fully considered in view of the amendments and are persuasive. Therefore, the claim objections have been withdrawn.
Applicant’s arguments, see page [11] of the remarks filed on 10/10/2025 with respect to non-statutory (obviousness type) double patenting rejection of claims have been fully considered in view of the amendments and are persuasive. Therefore, the claim rejections have been withdrawn.
Applicant has filed a terminal disclaimer, and it has been approved.
Applicant’s arguments, see page [10] of the remarks filed on 10/10/2025 with respect to the updated drawing have been fully considered in view of the amendments and are persuasive. Therefore, the updated drawing has been accepted.
Applicant’s arguments, see page [11-16] of the remarks filed on 10/10/2025 with respect to rejection of claims under 35 USC 103 have been fully considered in view of the claim amendments, but they are not persuasive. Therefore, the claim rejections are maintained in this office action. Applicant is directed to Examiner’s response below.
Applicant argues, see page [12] of the remarks, that FIG. 2 and/or Para [0020] of Conway prior art does not show two devices.
Examiner respectfully disagrees with Applicant’s above characterization of Conway prior art.
FIG. 2 of Conway shows multiple devices and multiple zones. Conway further clarifies the devices and zones as:
“Para [0009]: The apparatus may include a network device configured to provide discrete wireless network interfaces, each discrete wireless network interface having an identifier associated therewith, wherein the network device is configured to map the unique identifiers to security zones, wherein the network device is configured to establish wireless network sessions with client devices based on the identifiers, and wherein the network device is configured to segment security privileges of the client devices based on the security zone associated with the identifier used to establish each wireless network session
Para [0019]: FIG. 2 illustrates an exemplary system 200 in which embodiments of systems and methods consistent with the principles of the invention may be implemented. As illustrated, system 200 may include a network device 202 and a group of client devices 204a, 204b, 204c, and 204n (collectively "client devices 204) connected to network device 202 by a number of wireless networks 206, 208, 210, and 212. Network device 202 may then map each of client devices 204 to one or more of a number of security zones 214, 216, 218, 220 based upon the network 206-212 to which they are connected. In accordance with principles of the invention, zones 214-220 may also incorporate traditional wired devices or networks, as will be described in additional detail below. Network device 202 may also be connected to an untrusted network 222, such as an external network or the Internet”.
Conway prior art clearly discloses two devices, as claimed by the Applicant, that implement the method depicted in FIG. 5 of Conway.
As for the terms “edge device” and “non-edge device”, they can be interpreted as merely identifiers of two devices communicating with each other to perform a certain function/communication. Conway prior art discloses the two devices performing the functions as claimed by the Applicant.
Examiner further notes that Applicant has cited several definitions and benefits from the specification, and appears to argue based on those definitions and features, but they are not in the claimed invention.
In response to applicant's argument that the references fail to show certain features of the invention, it is noted that the features upon which applicant relies (efficient processing of communication) are not recited in the rejected claim(s). Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims. See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).
Examiner also notes that the rejections are based on a combination of prior art references, i.e., obviousness-type rejections. The cited portions of the prior art disclose functionalities (sending, receiving, security policy checking, etc.) and elements (devices) performing those functionalities that are equivalent to the ones in the claimed invention.
Applicant argues, see page [13] of the remarks, that FIG. 5 and Para [0041] of Conway prior art do not disclose the claimed limitation, stating that “the application of security policies to the received network traffic by Conway's network device in [0041] does not meet application of a security process to the first network traffic by a non-edge device”.
Examiner respectfully disagrees with Applicant’s above assertion regarding Conway.
Conway Para [0041] and FIG. 5 clearly disclose applying a security process/policy as claimed.
Examiner reproduces Para [0041] of Conway below:
“Para [0041]: Upon receipt of the network traffic, the network device may perform a security policy search based on the identified source and destination security zones (act 514) and may apply any identified network security policies (act 516). In the present example, security policies based on requests from a client device assigned an IP address within a first range of IP addresses for access to a resource having an IP address in a second range of IP addresses are applied.”
The security zones, as noted previously, include the devices.
Examiner also notes that Applicant does not clarify what the security process is or what the exact outcome of applying the security process is. The claim only recites applying a security process to the received data traffic. Conway Para [0041] and FIG. 5 clearly disclose receiving traffic from a client device (equivalent to the edge device) at the network device (equivalent to the non-edge device), and that a security policy is applied to the network traffic.
Applicant argues, see page [13] of the remarks, that FIG. 5 and Para [0042] of Conway prior art do not disclose “forwarding, by the non-edge device, the first network traffic to a destination”.
Applicant also argues that, “Conway at [0022]. Conway's network device is also described as passing the network traffic through to the requested resource. As such, the passing through of the network traffic to the requested resource by the network device cannot be properly equated with the limitations at issue as they expressly require a different network device (i.e., a non-edge device) (the use of which is not contemplated by Conway) to forward the first network traffic to a destination”
Examiner respectfully disagrees with Applicant’s above assertion regarding Conway.
Conway, as shown in FIG. 5 (with associated descriptions) and further clarified in Para [0042], clearly discloses forwarding traffic to a destination device. As shown in FIG. 5 of Conway, there are at least three devices: one (client device) sending the traffic, one (network device) receiving the traffic and performing the policy check and then forwarding the data to the destination resource (another device/zone).
Applicant argues, see page [14] of the remarks, that the cited portions (Abstract, Para [0037-0037]) of Chang prior art do not disclose “communicating, by the non-edge device, an indication to the edge device that the edge device is not required to transmit a second part of the network traffic session to the non-edge device for application of the at least one security process".
Examiner respectfully disagrees with Applicant’s above assertion regarding Chang.
Abstract of Chang discloses:
“Chang, Abstract: Network policies can be used to optimize the flow of network traffic between virtual machines (VMs) in a hybrid cloud environment. In an example embodiment, one or more policies can drive a virtual switch controller, a hybrid cloud manager, a hypervisor manager, a virtual switch, or other orchestrator to create one or more direct tunnels that can be utilized by a respective pair of VMs to bypass the virtual switch and enable direct communication between the VMs. The virtual switch can send the VMs network and security policies to ensure that these policies are enforced. The VMs can exchange security credentials in order to establish the direct tunnel. The direct tunnel can be used by the VMs to bypass the virtual switch and allow the VMs to communicate with each other directly.”
Also, Para [0037-0039] of Chang discloses, “the public cloud network gateway 112 can include a cloud virtual switch or cloud Virtual Ethernet Module (cVEM) 116b that communicates with the VSM 114 to retrieve VM-specific network policies (e.g., port profiles), switches network traffic between public cloud VMs 118” …
Network policies can be used to optimize the flow of network traffic between virtual machines (VMs) in a hybrid cloud environment. In an example embodiment, one or more policies can drive a virtual switch controller, a hybrid cloud manager, a hypervisor manager, a virtual switch, or other orchestrator to create one or more direct tunnels that can be utilized by a respective pair of VMs to bypass the virtual switch and enable direct communication between the VMs.”
Examiner notes that one of the VMs (118) is considered equivalent to Applicant’s “edge device”, gateway 112 is considered equivalent to Applicant’s “non-edge device”, and another one of the VMs (118) is considered the destination device. The gateway 112 (which contains the virtual switch) uses a policy to establish direct communication between a pair of VMs and to bypass the gateway (virtual switch), thereby disclosing Applicant’s claimed feature of “communicating, by the non-edge device, an indication to the edge device that the edge device is not required to transmit a second part of the network traffic session to the non-edge device for application of the at least one security process”.
Applicant’s argument, see page [14] of the remarks regarding claim 6, that “wherein the indication that the edge device is not required to transmit a second part of the network traffic session to the non-edge device is a grant of suspended security review, and wherein communicating the grant of suspended security review includes communicating a termination point for the grant of suspended security review” is not disclosed by KANDASAMY has been considered, but is not persuasive.
Examiner disagrees with Applicant’s characterization that the cited portions (Para [0019-0022]) of KANDASAMY prior art do not disclose the claimed feature noted above.
Examiner notes that, as disclosed by Para [0019-0022] of KANDASAMY, “If the one or more trusted endpoint criteria are met, the destination is determined to be trusted. If the one or more trusted endpoint criteria are not met, the destination is determined not to be trusted. If the destination is not to be trusted, the ESG continues to send all outbound flows to the destination (e.g., all outbound flows with the corresponding destination IP address, destination port, and/or application indicated in the headers of the packets) via the firewall.”
Here the first part of the communication is sent by the ESG (i.e., the edge device) through the firewall (i.e., the non-edge device); the policy determines that the destination is not trusted, so communication/traffic from the ESG to the destination goes through the firewall.
Para [0019-0022] of KANDASAMY further discloses, “… In certain aspects, if the destination is to be trusted, the ESG begins sending all outbound flows to the destination (e.g., all outbound flows with the corresponding destination IP address, destination port, and/or application indicated in the headers of the packets) directly and bypasses the firewall. Accordingly, corresponding inbound flows may also bypass the firewall in response, as discussed …… In certain aspects, trust of a destination can age out, such as after a certain time period after determining the destination is trusted. Accordingly, after the time period, the ESG and/or orchestrator may be configured to again start communicating outbound flows via the firewall for the destination, and start the process again”
Examiner notes that if it is determined that communication/traffic from the ESG to the destination is trusted, then it is allowed to bypass the firewall, disclosing “a grant of suspended security review”. The bypassing of the firewall is valid for a certain time period, after which the traffic has to go through the firewall again, thus disclosing “a termination point for the grant of suspended security review”.
Applicant’s remaining comments/arguments regarding the remaining claims rely on the arguments for the independent claim, which the Examiner has already addressed above; no further clarification is needed from the Examiner.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-5, 10-14 and 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over Pub. No.: US 20120324533 A1 to CONWAY et al. (hereinafter “CONWAY”) in view of Pub. No.: US 20170099188 A1 to Chang et al. (hereinafter “Chang”).
Regarding Claim 1. CONWAY discloses A method for selectively excluding network traffic from security review, the method comprising:
receiving, by a non-edge device, a first network traffic from an edge device, wherein the first network traffic is a first part of a network traffic session (CONWAY, Fig. 5, Para [0040]: … Once a session has been established, the network device may receive network traffic from the client device bound for a particular network resource, such as another computer or server (e.g., a web server), a networked storage device, etc. via the wireless network (act 512). As described above, a source zone is assigned to the traffic based upon the IP address assigned to the client device …);
applying, by the non-edge device, at least one security process to the first network traffic to yield a security result (CONWAY, Fig. 5, Para [0041]: … Upon receipt of the network traffic, the network device may perform a security policy search based on the identified source and destination security zones (act 514) and may apply any identified network security policies (act 516). In the present example, security policies based on requests from a client device assigned an IP address within a first range of IP addresses for access to a resource having an IP address in a second range of IP addresses are applied …); and
based at least in part on the security result:
forwarding, by the non-edge device, the first network traffic to a destination (CONWAY, Fig. 5, Para [0042]: … At this point, it is determined whether the applied security policies permit the network traffic to pass through to the requested resource (act 518). If so, the traffic is passed through (act 520). However, if the applied security policies do not permit the traffic to pass, access is denied (act 522). By mapping discrete IP address ranges to individual security zones, information regarding a client device's security level may be associated with a packet throughout its passage through the network. …); and
However, CONWAY does not explicitly teach, but Chang, from the same or similar field of endeavor, teaches:
“communicating, by the non-edge device, an indication to the edge device that the edge device is not required to transmit a second part of the network traffic session to the non-edge device for application of the at least one security process (Chang, Abstract, Para [0037-0039]: … the public cloud network gateway 112 can include a cloud virtual switch or cloud Virtual Ethernet Module (cVEM) 116b that communicates with the VSM 114 to retrieve VM-specific network policies (e.g., port profiles), switches network traffic between public cloud VMs 118, switches network traffic between public cloud VMs and the private cloud 102, applies network policies, and monitors and reports VEM-related statistics … Network policies can be used to optimize the flow of network traffic between virtual machines (VMs) in a hybrid cloud environment. In an example embodiment, one or more policies can drive a virtual switch controller, a hybrid cloud manager, a hypervisor manager, a virtual switch, or other orchestrator to create one or more direct tunnels that can be utilized by a respective pair of VMs to bypass the virtual switch and enable direct communication between the VMs … By default, the cVMs 318a and 318b can communicate with each other through the secure access tunnel 332 (and through the public cloud network gateway 312). The public cloud network gateway 312 can establish the access tunnel 332 as a default access tunnel during the initial deployment of a cVM and have network traffic between cVMs pass through the public cloud network gateway as a default forwarding policy … In an example embodiment, a DCT policy can be on-demand or enforced when any cVM mutually connected to a same public cloud network gateway attempt to communicate with one another. 
For instance, the public cloud network gateway can be configured to orchestrate the creation of a DCT tunnel between a pair of cVMs based on an initial attempted cVM-to-cVM communication via a secure access tunnel, such as an Address Resolution Protocol (ARP) request. In another example embodiment, a DCT policy can be application-driven or enforced by a cloud orchestration component (e.g., the VSM 114 of FIG. 1, cloud manager 120 of FIG. 1, hypervisor manager 122 of FIG. 1, or other suitable management interface) based on application network profiles or requirements (e.g., Application Network Profiles (ANPs) in the Cisco Application Centric Infrastructure (Cisco ACI™)). For instance, the management interface can be utilized to configure a public cloud network gateway to set up one or more DCTs among a set of cVMs connected to the gateway based on the application network profiles or requirements …).”
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Chang into the teachings of CONWAY, because it discloses that, “a cVM agent can monitor and report network latency to a VSM (e.g., the VSM 114 of FIG. 1), cloud manager (e.g., cloud manager 120 of FIG. 1), hypervisor manager (e.g., hypervisor manager 122 of FIG. 1), or other suitable management interface. When network latency for the cVM reaches a minimum criterion, the management interface can direct the public cloud network gateway to establish one or more DCTs for that cVM to alleviate the network latency (Chang, Para [0040])”.
Regarding Claim 2. The combination of CONWAY-Chang discloses the method of claim 1, CONWAY further discloses, “the method further comprising:
applying, by the non-edge device, network address translation to the first network traffic to yield the destination (CONWAY, Para [0034]: … security policies may include additional levels of encryption or authentication, such as establishment of a virtual private network (VPN) connection, an IPSec tunnel, or a similar encryption/authentication procedure. Furthermore, the policy processing may also perform additional functions, such as URL filtering or other content-based restrictions on network access. In addition to security-based processing, additional information processing, such as information translations may also be performed by network device 202. For example, incoming packets may be network address translated or port translated so as to modify various pieces of information in outgoing or transmitted data packets …).”
Regarding Claim 3. The combination of CONWAY-Chang discloses the method of claim 1, CONWAY further discloses, “wherein the non-edge device is a network security appliance (CONWAY, Para [0022]: … In one implementation consistent with principles of the invention, network device 202 may include any combination of hardware and software capable of transmitting and receiving wireless network traffic and for applying security policies to the transmitted and received wireless network traffic …)”.
Regarding Claim 4. The combination of CONWAY-Chang discloses the method of claim 1, Chang further discloses, “wherein the edge device is a network router (Chang, Para [0026, 0032]: … Each VM, including VMs 128 and cVMs 118, can host a private application. In some example embodiments, each public cloud VM 118 may be connected to the public cloud network gateway 112 via secure access tunnels, as discussed elsewhere herein. In some example embodiments, one or more cVMs 118 can be configured to operate as a public cloud firewall (not shown), such as an Intercloud Fabric™ Firewall or Virtual Security Gateway (VSG) from Cisco®. In some example embodiments, one or more cVMs 118 can be configured to operate as a public cloud router (not shown), such as an Intercloud Fabric™ Router or Cloud Services Router (CSR) from Cisco®. …)”.
The motivation to further combine Chang remains the same as in claim 1.
Regarding Claim 5. The combination of CONWAY-Chang discloses the method of claim 4, Chang further discloses, “wherein the first network traffic is provided from a user device coupled directly to the network router (Chang, Para [0019, 0026]: … Cloud computing can also be provided in a network to provide computing services using shared resources. Cloud computing can generally include Internet-based computing in which computing resources are dynamically provisioned and allocated to client or user computers or other devices on-demand, from a collection of resources available via the network (e.g., “the cloud”) … Each VM, including VMs 128 and cVMs 118, can host a private application. In some example embodiments, each public cloud VM 118 may be connected to the public cloud network gateway 112 via secure access tunnels, as discussed elsewhere herein. In some example embodiments, one or more cVMs 118 can be configured to operate as a public cloud firewall (not shown), such as an Intercloud Fabric™ Firewall or Virtual Security Gateway (VSG) from Cisco®. In some example embodiments, one or more cVMs 118 can be configured to operate as a public cloud router (not shown), such as an Intercloud Fabric™ Router or Cloud Services Router (CSR) from Cisco …)”.
The motivation to further combine Chang remains the same as in claim 1.
Regarding Claim 10. This claim contains all the same or similar limitations as claim 1, and hence similarly rejected as claim 1.
**** Note: CONWAY also discloses a device with processing resource, memory and instruction/code stored in the memory, wherein the processing resource performs the functions per the code from the memory (CONWAY: Fig. 3, Para [0024-0026]).
Regarding Claim 11. This claim contains all the same or similar limitations as claim 2, and hence similarly rejected as claim 2.
Regarding Claim 12. This claim contains all the same or similar limitations as claim 3, and hence similarly rejected as claim 3.
Regarding Claim 13. This claim contains all the same or similar limitations as claim 4, and hence similarly rejected as claim 4.
Regarding Claim 14. This claim contains all the same or similar limitations as claim 5, and hence similarly rejected as claim 5.
Regarding Claim 17. This claim contains all the same or similar limitations as claim 1, and hence similarly rejected as claim 1.
**** Note: CONWAY also discloses a device with processing resource, memory and instruction/code stored in the memory, wherein the processing resource performs the functions per the code from the memory (CONWAY: Fig. 3, Para [0024-0026]).
Regarding Claim 18. This claim contains all the same or similar limitations as the combination of claims 3 and 4, and hence similarly rejected.
Claims 6, 9, 15-16 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Pub. No.: US 20120324533 A1 to CONWAY et al. (hereinafter “CONWAY”) in view of Pub. No.: US 20170099188 A1 to Chang et al. (hereinafter “Chang”), as applied to claim 1 above, and further in view of Pub. No.: US 20240244036 A1 to KANDASAMY et al. (hereinafter “KANDASAMY”).
Regarding Claim 6. The combination of CONWAY-Chang discloses the method of claim 1; however, it does not explicitly teach, but KANDASAMY, from the same or similar field of endeavor, teaches:
“wherein the indication that the edge device is not required to transmit a second part of the network traffic session to the non-edge device is a grant of suspended security review (KANDASAMY, Para [0019-0022]: … If the one or more trusted endpoint criteria are met, the destination is determined to be trusted. If the one or more trusted endpoint criteria are not met, the destination is determined not to be trusted. If the destination is not to be trusted, the ESG continues to send all outbound flows to the destination (e.g., all outbound flows with the corresponding destination IP address, destination port, and/or application indicated in the headers of the packets) via the firewall. Accordingly, corresponding inbound flows may also occur via the firewall as discussed. In certain aspects, if the destination is to be trusted, the ESG begins sending all outbound flows to the destination (e.g., all outbound flows with the corresponding destination IP address, destination port, and/or application indicated in the headers of the packets) directly and bypasses the firewall. Accordingly, corresponding inbound flows may also bypass the firewall in response, as discussed …), and wherein communicating the grant of suspended security review includes communicating a termination point for the grant of suspended security review (KANDASAMY, Para [0019-0022]: … In certain aspects, trust of a destination can age out, such as after a certain time period after determining the destination is trusted. Accordingly, after the time period, the ESG and/or orchestrator may be configured to again start communicating outbound flows via the firewall for the destination, and start the process again …).”
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of KANDASAMY into the combined teachings of CONWAY-Chang, because it discloses that, “The present disclosure provides techniques for allowing an ESG to breakout trusted flows with external endpoints, such that trusted flows can bypass the use of a firewall. In an example, the firewall is a third party next generation firewall, which is firewall that combines a traditional firewall with other network device filtering functions such as in-line deep packet inspection. Accordingly, such trusted flows bypassing the firewall avoid additional encryption, decryption, tunneling, and inspection, which can improve the latency and processing overhead of such flows. For example, such trusted flows may occur between internal endpoints and external endpoints via an ESG, but without going through the firewall, thereby reducing latency. Further, should the firewall become inoperable or otherwise inaccessible, such trusted flows between internal endpoints and external endpoints can continue without interruption (KANDASAMY, Para [0016])”.
Regarding Claim 9. The combination of CONWAY-Chang discloses the method of claim 1; however, it does not explicitly teach, but KANDASAMY, from the same or similar field of endeavor, teaches, “wherein the indication that the edge device is not required to transmit a second part of the network traffic session to the non-edge device is a grant of suspended security review (KANDASAMY, Para [0047]: … In block 408, the one or more policies are sent to ESGs 104 in the enterprise WAN. Accordingly, ESGs 104 are configured with the one or more policies. Thus, when a VM 106 attempts to communicate with that particular destination, that connection need not be made via an encrypted tunnel to the third party firewall 112. For example, the ESGs 104 may apply the policy (e.g., as one or more rules) to bypass the third party firewall 112, meaning not apply the third party firewall 112 to the traffic to the particular destination …), the method further comprising:
setting, by the non-edge network device, a termination point of the grant of suspended security review (KANDASAMY, Para [0019-0022]: … In certain aspects, trust of a destination can age out, such as after a certain time period after determining the destination is trusted. Accordingly, after the time period, the ESG and/or orchestrator may be configured to again start communicating outbound flows via the firewall for the destination, and start the process again …); and
revoking, by the non-edge network device, the grant of suspended security review based at least in part on the termination point of the grant of suspended security review (KANDASAMY, Para [0019-0022]: … In certain aspects, trust of a destination can age out, such as after a certain time period after determining the destination is trusted. Accordingly, after the time period, the ESG and/or orchestrator may be configured to again start communicating outbound flows via the firewall for the destination, and start the process again …)”.
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of KANDASAMY into the combined teachings of CONWAY-Chang, because it discloses that, “The present disclosure provides techniques for allowing an ESG to breakout trusted flows with external endpoints, such that trusted flows can bypass the use of a firewall. In an example, the firewall is a third party next generation firewall, which is firewall that combines a traditional firewall with other network device filtering functions such as in-line deep packet inspection. Accordingly, such trusted flows bypassing the firewall avoid additional encryption, decryption, tunneling, and inspection, which can improve the latency and processing overhead of such flows. For example, such trusted flows may occur between internal endpoints and external endpoints via an ESG, but without going through the firewall, thereby reducing latency. Further, should the firewall become inoperable or otherwise inaccessible, such trusted flows between internal endpoints and external endpoints can continue without interruption (KANDASAMY, Para [0016])”.
Regarding Claim 15. This claim contains all the same or similar limitations as claim 6, and hence is similarly rejected as claim 6.
Regarding Claim 16. This claim contains all the same or similar limitations as claim 9, and hence is similarly rejected as claim 9.
Regarding Claim 19. This claim contains all the same or similar limitations as claim 6, and hence is similarly rejected as claim 6.
Regarding Claim 20. This claim contains all the same or similar limitations as claim 9, and hence is similarly rejected as claim 9.
Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Pub. No.: US 20120324533 A1 to CONWAY et al. (hereinafter “CONWAY”) in view of Pub. No.: US 20170099188 A1 to Chang et al. (hereinafter “Chang”) and of Pub. No.: US 20240244036 A1 to KANDASAMY et al. (hereinafter “KANDASAMY”), as applied to claim 6 above, and further in view of Pub. No.: US 20170331739 A1 to Sharma et al. (hereinafter “Sharma”).
Regarding Claim 7. The combination of CONWAY-Chang-KANDASAMY discloses the method of claim 6; however, it does not explicitly teach, but Sharma, from the same or similar field of endeavor, teaches, “wherein the termination point is the end of the network traffic session (Sharma, FIG. 9, Para [0118-0119]: … If the traffic flow is not trusted (908), then the firewall can continue monitoring the traffic flow (916). If the traffic flow is trusted (908), then the firewall can redirect the traffic flow to a service appliance or the data traffic can be instructed to bypass the firewall (910). The firewall can periodically check on the traffic flow to ensure that the data packets are trusted. To do so, as the traffic flow continues, the firewall can have packets directed to the firewall to evaluate the traffic flow (912->906). If the traffic flow is over, then the firewall can monitor the traffic flow as normal (914) …)”.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Sharma into the combined teachings of CONWAY-Chang-KANDASAMY, because it discloses that, “In embodiments, the access control lists can be offloaded to a service appliance, such as during distributed denial of service (DDoS) attacks or dynamically for other security reasons. For example, a DDoS attack can overburden the firewall. By pushing the ACL to a service appliance supported switch, the firewall burden can be reduced by distributing at least some ACL enforcement responsibilities to the switch. In embodiments, the RISE protocol can install a policy-based routing (PBR) rule to redirect traffic based on dynamic ACL permissions (Sharma, Para [0117])”.
Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Pub. No.: US 20120324533 A1 to CONWAY et al. (hereinafter “CONWAY”) in view of Pub. No.: US 20170099188 A1 to Chang et al. (hereinafter “Chang”) and of Pub. No.: US 20240244036 A1 to KANDASAMY et al. (hereinafter “KANDASAMY”), as applied to claim 6 above, and further in view of Pub. No.: WO 2014042914 A1 to COOLEY (hereinafter “COOLEY”).
Regarding Claim 8. The combination of CONWAY-Chang-KANDASAMY discloses the method of claim 6; however, it does not explicitly teach, but COOLEY, from the same or similar field of endeavor, teaches, “wherein the termination point is a defined number of bytes of the network traffic session (COOLEY, FIG. 3-4, Page [13-14]: … In some examples, one or more of the systems described herein may also 1) retrieve data from the hardware accelerator useful for determining whether a payload transfer (e.g., within the traffic flow) has been completed, 2) determine, based on the data, that the payload transfer has been completed, and 3) sample at least one additional packet from the traffic flow and analyzing the additional packet to reassess whether the traffic flow is trustworthy in response to determining that the payload transfer has been completed. In these examples, diversion module 112 may further 1) determine that the traffic flow is still trustworthy based on analyzing the additional packet and 2) divert the traffic flow back to the hardware accelerator in response to determining that the traffic flow is still trustworthy … For example, one or more of the systems described herein may identify an HTTP 1.1 request. These systems may then identify a response identifying a size of the requested resource. These systems may accordingly monitor the traffic flow (e.g., via a counter of the hardware accelerator) for a transfer of an amount of data corresponding to the size of the requested resource. These systems may thereby determine that the payload has been transferred, and that subsequent traffic within the traffic flow may include different, and potentially untrustworthy, content. Accordingly, these systems may divert the traffic flow back to the computing resource for a reassessment of the trustworthiness of the traffic flow …)”.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of COOLEY into the combined teachings of CONWAY-Chang-KANDASAMY, because it discloses that, “systems may thereby determine that the payload has been transferred, and that subsequent traffic within the traffic flow may include different, and potentially untrustworthy, content. Accordingly, these systems may divert the traffic flow back to the computing resource for a reassessment of the trustworthiness of the traffic flow (COOLEY, Page [0013])”.
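The three termination points discussed for claims 6 through 8 above (trust aging out after a time period, the end of the network traffic session, and a defined number of bytes) are modelled below in Python as an added illustration. This code is not part of the office action, the application, or any cited reference; the gateway class, the grant policy values, the flow 5-tuple and the toy inspection function that stands in for the firewall verdict are all constructed assumptions. Once a grant of suspended security review reaches its termination point, the grant is revoked and the next packet of that flow is returned to the firewall path for reassessment, after which the process may start again.

```python
"""Bypass grants with termination points (added example; all names and values are constructed).

Models a non-edge device (a gateway) that steers a flow past the firewall once the
firewall has judged it trustworthy, and revokes that bypass at a termination point:
trust age-out, end of session, or an exhausted byte budget.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

FlowKey = Tuple[str, int, str, int, str]  # (src, sport, dst, dport, proto)


@dataclass
class BypassGrant:
    """Grant of suspended security review for one flow, and the point at which it ends."""
    granted_at: float
    max_age: Optional[float] = None    # seconds after which trust ages out
    byte_budget: Optional[int] = None  # payload bytes allowed to bypass inspection
    bytes_seen: int = 0

    def termination(self, now: float, session_over: bool) -> Optional[str]:
        """Return the reason the grant has reached its termination point, or None."""
        if session_over:
            return "session_end"
        if self.max_age is not None and now - self.granted_at >= self.max_age:
            return "aged_out"
        if self.byte_budget is not None and self.bytes_seen >= self.byte_budget:
            return "byte_budget"
        return None


class FlowGateway:
    """Steers each packet through the firewall ("inspected") or past it ("bypass")."""

    def __init__(self, inspect: Callable[[bytes], bool]):
        # inspect() stands in for the firewall verdict: True means the packet is trustworthy.
        self.inspect = inspect
        self.grants: Dict[FlowKey, BypassGrant] = {}
        self.events: List[str] = []

    def handle(self, key: FlowKey, payload: bytes, now: float,
               fin: bool = False, policy: Optional[dict] = None) -> str:
        grant = self.grants.get(key)
        if grant is not None:
            reason = grant.termination(now, fin)
            if reason is None:
                grant.bytes_seen += len(payload)
                return "bypass"  # the firewall does not see this payload at all
            # Termination point reached: revoke and send this packet back through the firewall.
            del self.grants[key]
            self.events.append("revoked:" + reason)
        if not self.inspect(payload):
            self.events.append("dropped")
            return "dropped"
        # Trustworthy and session still open: (re)issue a grant under the policy.
        if policy is not None and not fin:
            self.grants[key] = BypassGrant(granted_at=now, **policy)
            self.events.append("granted")
        return "inspected"


def run_demo() -> Tuple[List[str], List[str]]:
    """Drive one constructed flow through every termination point; returns (decisions, events)."""
    gw = FlowGateway(inspect=lambda p: b"EVIL" not in p)  # toy verdict, not a real firewall
    key: FlowKey = ("10.0.0.5", 40000, "203.0.113.10", 443, "tcp")
    policy = {"max_age": 60.0, "byte_budget": 1000}
    steps = [  # (payload, time in seconds, fin flag)
        (b"A" * 500, 0.0, False),   # first packet: inspected, grant issued
        (b"B" * 600, 1.0, False),   # bypass; 600 bytes now seen under the grant
        (b"C" * 500, 2.0, False),   # bypass; 1100 bytes now seen
        (b"D" * 100, 3.0, False),   # budget exhausted: revoke, inspect, re-grant
        (b"E" * 100, 70.0, False),  # 67 s since re-grant: aged out, inspect, re-grant
        (b"EVIL", 71.0, False),     # bypassed unseen: the risk a termination point bounds
        (b"", 72.0, True),          # FIN: session end, revoke, no re-grant
        (b"EVIL", 73.0, False),     # no grant left, so inspected and dropped
    ]
    decisions = [gw.handle(key, payload, t, fin=fin, policy=policy) for payload, t, fin in steps]
    return decisions, gw.events


if __name__ == "__main__":
    for line in zip(*run_demo()):
        print(line)
```

The sixth packet is the point worth noting from a defender's view: while a grant is live the firewall never examines the payload, which is exactly why each grant carries a termination point after which the flow is returned to the firewall path and trust is re-established from scratch.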
Pertinent Prior Art
The following prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 20220337555 A1; Gol et al.: Gol discloses a firewall system that provides two network paths for network flows: one path through a firewall on a host device and another path through an alternative hardware or software system that handles network flows that have been analyzed and allowed by the firewall. The firewall system can then transfer network flows between the two paths according to the status of each network flow.
US 20210385193 A1; Sayyed et al.: Sayyed discloses a method for configuring resources at an information handling system that may include determining, during initialization, a wide area network (WAN) Internet Protocol (IP) address associated with the information handling system, and retrieving a list of trusted IP addresses from a storage location at the information handling system. The method may further include configuring a first resource at the information handling system to operate in a first state in response to determining that the WAN IP address is included at the list of trusted IP addresses, and configuring the first resource at the information handling system to operate in a second state in response to determining that the WAN IP address is not included at the list of trusted IP addresses.
In an embodiment, BIOS 172 can alert ME 192 that system 100 is connected to an untrusted network. ME 192 can be configured to provide various root-of-trust activities during initialization of system 100, and may continue to perform security, network transport, and other system operations during runtime. ME 192 can include access to network stack information, and thereby take part in implementation of policy 204. In still another embodiment, policy 204 can mandate that system 100 only boot to a Preboot Execution Environment (PXE), which is a client-server environment that boots a software assembly retrieved from a network. Remedial actions performed by BIOS 172 may not be visible to a user of information handling system 100. For example, BIOS 172 may initiate a network alert action with or without disrupting a user of system 100. System 200 may further be configured to adjust or override actions specified by policy 204 in response to receiving a waiver from authenticated security administrators. For example, a user may request to override actions specified by policy 204 before connecting to an untrusted network, or receive override permission from an IT service in response to a request by a user of system 100 after BIOS 172 has performed remediation specified by policy 204. In another embodiment, the policy 204 can be utilized to facilitate asset detection and recovery services in the case of theft of system 100.
US 20230403303 A1; Basu et al.: Basu discloses a method for managing a group of secured network devices. The method includes detecting, by a switchover agent operating in a secured network device of the group of secured network devices, a switchover between two supervisors operating in the secured network device, and, based on the detecting: generating a modified heartbeat packet, wherein the modified heartbeat packet comprises a suspension time that is significantly larger than a heartbeat interval, and sending the modified heartbeat packet to a second secured network device of the group of secured network devices.
A secured network device may operate using a control plane that includes two supervisors. Each supervisor may be stateful. Said another way, the state information maintained by each supervisor is periodically synchronized between the supervisors such that when there is a switchover (e.g., when the supervisors switch between active and standby states), the state information (discussed above) has been transferred to the new active supervisor prior to the switchover. In this manner, the switchover that occurs may be referred to as a stateful switchover.
US 12081517 B2; Brecl et al.: Brecl discloses providing security services to workloads deployed across various types of network environments, such as public networks, private networks, hybrid networks, customer premise network environments, and the like, by redirecting traffic intended for the service device through a security environment of the first network. After application of the security features to the incoming traffic, the “clean” traffic may be transmitted to the service device instantiated on the separate network via a tunnel. Redirection of incoming traffic to the security-providing first network may include correlating a network address of the service device to a reserved network address of a block of reserved addresses and updating a Domain Name Server (DNS) or other address resolving system with the reserved address. The return transmission tunnel may be established between the security environment and the network address of the service device.
Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAHABUB S AHMED whose telephone number is (571)272-0364. The examiner can normally be reached on 9AM-5PM EST M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ALI SHAYANFAR can be reached on (571)270-1050. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MAHABUB S AHMED/Examiner, Art Unit 2434
/TESHOME HAILU/Primary Examiner, Art Unit 2434