Prosecution Insights
Last updated: April 19, 2026
Application No. 18/594,541

Cloud-based tunnel protocol systems and methods for multiple ports and protocols

Non-Final OA §103
Filed
Mar 04, 2024
Examiner
HABTEGEORGIS, MATTHIAS
Art Unit
2491
Tech Center
2400 — Computer Networks
Assignee
Zscaler Inc.
OA Round
1 (Non-Final)
Grant Probability: 75% (Favorable)
Expected OA Rounds: 1-2
Time to Grant: 3y 2m
Grant Probability With Interview: 97%

Examiner Intelligence

Career Allow Rate: 75% (73 granted / 97 resolved; +17.3% vs Tech Center average; above average)
Interview Lift: +21.3% (allow rate with interview vs. without, over resolved cases with an interview; a strong lift)
Typical Timeline: 3y 2m average prosecution; 36 applications currently pending
Career History: 133 total applications across all art units

Statute-Specific Performance

§101: 5.6% (-34.4% vs TC avg)
§103: 60.8% (+20.8% vs TC avg)
§102: 10.5% (-29.5% vs TC avg)
§112: 20.8% (-19.2% vs TC avg)

Comparisons are against an estimated Tech Center average. Based on career data from 97 resolved cases.

Office Action

§103
DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement

The information disclosure statement(s) (IDS) submitted on 03/04/2024 was filed before the mailing date of this office action. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 6, 8, 10-13, 16, 18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over USPAT No. 9203851 B1 to Wang et al. (hereinafter "Wang"), US-PGPUB No. 2021/0092095 A1 to Kim et al. (hereinafter "Kim"), and further in view of US-PGPUB No. 2014/0197232 A1 to Birkler et al. (hereinafter "Birkler").

Regarding claim 1: Wang discloses: A non-transitory computer-readable medium storing computer-executable instructions (col 2, lines 32-34: "The software modules 110 comprise computer-readable program code stored non-transitory in the main memory 108 for execution by the processor 101.", see Fig. 1, Main Memory 108, and Software Modules 110), and in response to execution by one or more processors, the computer-executable instructions cause the one or more processors to perform steps of: responsive to receiving a request at a remote node (Wang, col 3, lines 6-7: "… the on-premise gateway 220 receives data from a client 210 over a network connection"), determining whether the request is to be sent directly or via a cloud-based system (Wang, col 3, lines 10-13: "… and determines whether to redirect the data to the cloud scanner 230 for in-the-cloud scanning or to forward the data to a destination server 240 without in-the-cloud scanning."); responsive to determining the request is to be sent via the cloud-based system (Wang, col 3, lines 53-54: "The redirection module 221 determines whether the data needs to be scanned in the cloud. If so, …"), [establishing a control channel of a tunnel] (Wang, col 6, lines 36-38: "… a watchdog or heartbeat status monitoring may be established between the on-premise gateway 220 and the cloud scanner 230 …"), […]

However, Wang does not explicitly teach the following limitation taught by Kim: establishing a control channel of a tunnel (Kim, ¶87: "… creating a control flow between a trusted node 702 and a perimeter controller 704,") […] utilizing a first encryption technique (Kim, ¶83: "A control flow may include an IPSec-encrypted tunnel that connects a perimeter controller and a trusted node to facilitate secure data transfer.", see Fig. 7), wherein the tunnel is between the remote node and a local node (Kim, ¶83: "… an IPSec-encrypted tunnel that connects a perimeter controller and a trusted node ...", see Fig. 7), and wherein the control channel includes a session identifier (Kim, ¶127: "… the controller 1104 may send an authentication session ID 1116 to the trusted source node 1102."); and establishing a data channel of the tunnel (Kim, ¶56: "… a secure node flow may be established …") utilizing a second encryption technique (Kim, ¶84: "A node flow may include an IPSec encrypted tunnel between a trusted node and a trusted perimeter gateway or with another trusted node where data is securely exchanged.").

It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of Wang to incorporate the functionality of the method to establish a control flow between a source node and a perimeter gateway, and a node flow between the source node and a destination node, as disclosed by Kim; such modification would enable the system to facilitate secure data transfer between the source node and destination node.

The combination of Wang and Kim does not explicitly disclose the following limitation taught by Birkler: wherein the data channel is bound to the control channel based on the session identifier (Birkler, ¶63: "… the session ID will be used by the server to identify and authenticate the user device 110. … Once the channels have been established, however, the user device 110 is able to send media and/or other data to device 130 using HTTP PUT messages via the data channel, and control commands to server 150 via the established control channel ...").

It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Wang and Kim to incorporate the functionality of the server to identify and authenticate a user device which is able to send media and/or other data to another device using HTTP PUT messages via a data channel, and control commands to the server via an established control channel, as disclosed by Birkler; such modification ensures that the data channel can only be used by the entity authorized on the control channel, and hence provides enhanced security.

Regarding claim 2: The combination of Wang, Kim and Birkler discloses: The non-transitory computer-readable medium of claim 1, wherein the determining is based on any of a domain and a hostname of a destination associated with the request (Wang, col 3, lines 66-67 to col 4, lines 1-4: "… the redirection module 221 determines whether the data needs to be scanned in the cloud based on one or more redirection criteria, such as … the Uniform Resource Locator (URL) of the destination server 240,").

Regarding claim 3: The combination of Wang, Kim and Birkler discloses: The non-transitory computer-readable medium of claim 1, wherein the instructions further cause the one or more processors to perform the steps of: responsive to determining the request is to be sent directly, forwarding the request direct to the Internet (Wang, col 3, lines 60-64: "when the redirection module 221 determines that the data does not need to be scanned in the cloud, the redirection module 221 forwards the data directly to the intended destination of the data, i.e., the server 240, without going through the cloud scanner 230", col 2, lines 57-59: "The plurality of servers 240 and the cloud scanner 230 are on the Internet in that they are accessible over the Internet.").

Regarding claim 6: The combination of Wang, Kim and Birkler discloses: The non-transitory computer-readable medium of claim 1, wherein the instructions further cause the one or more processors to perform the steps of: performing, over the control channel, device authentication and user authentication of one or more users associated with the remote node, wherein each of the one or more users includes a user identifier (Kim, ¶80: "An element may include an authentication server that may be responsible for the authorization of additional devices in the network.", ¶172: "the control flow can provide secure transmission of the terminal security information. Authentication requests (e.g., sending a user ID and passwords to an authentication server and receiving the results) may provide secure transmission of security information.", and ¶109: "controller may send user request credentials (e.g., a user identifier...) to an authentication server"); and subsequent to the device authentication and the user authentication, exchanging data packets over the data channel with each data packet including a corresponding user identifier (Kim, ¶118: "A trusted source node 1002 may transmit a data packet 1008 to a gateway 1004. The data packet may include IPSec and a flow ID. The security application on the trusted may add the flow ID and encrypt the packet using the keys provided This source node encrypted packet may be sent to the target gateway."). The same motivation which is applied to claim 1 with respect to Kim applies to claim 6.

Regarding claim 8: The combination of Wang, Kim and Birkler discloses: The non-transitory computer-readable medium of claim 6, wherein the data packets are exchanged over the control channel (Birkler, ¶65: "Once both channels have been successfully established, server 150 receives control data and commands from device 110 via the control channel …"). The same motivation which is applied to claim 1 with respect to Birkler applies to claim 8.

Regarding claim 10: The combination of Wang, Kim and Birkler discloses: The non-transitory computer-readable medium of claim 1, wherein the local node is part of a cloud-based security system (Birkler, col 3, lines 18-20: "The cloud scanner 230 may comprise one or more computers for scanning data for security threats. The cloud scanner 230 is "in-the-cloud" in that it is accessible over the Internet.") wherein one or more users are connected thereto via the tunnel for firewall and Intrusion Prevention System (IPS) functions (Birkler, col 3, lines 21-23: "The cloud scanner 230 may be part of a conventional cloud scanning service, such as those provided by TREND MICRO, Inc", Note: TREND MICRO, Inc cloud scanning services provide cloud firewall and IPS). The same motivation which is applied to claim 1 with respect to Birkler applies to claim 10.

Regarding claims 11-13, 16, 18 and 20: Claims 11-13, 16, 18 and 20 recite substantially the same limitations as claims 1-3, 6, 8 and 10, respectively, in the form of a method implementing the corresponding functionality. Therefore, they are rejected by the same rationale.

Claims 4-5 and 14-15 are rejected under 35 U.S.C. 103 as being unpatentable over USPAT No. Wang, Kim, Birkler, and further in view of US-PGPUB No. 2019/0349337 A1 to Glazemakers et al. (hereinafter "Glazemakers").

Regarding claim 4: The combination of Wang, Kim and Birkler discloses the non-transitory computer-readable medium of claim 1, but fails to explicitly disclose the following limitation taught by Glazemakers: wherein the first encryption technique is one of Transport Layer Security (TLS) and Secure Sockets Layer (SSL) (Glazemakers, ¶115: "… may implement security protocols, such as Secure Sockets Layer (SSL), Transport Layer Security (TLS), …"), and the second encryption technique is one of TLS and Datagram Transport Layer Security (DTLS) (Glazemakers, ¶42: "The data travelling in the tunnels 181, 182 may further be protected by encryption, such as according to the … Transport Layer Security (or "TLS") and/or Datagram Transport Layer Security (or "DTLS").").

It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Wang, Kim and Birkler to incorporate the functionality of the system to implement different protocols to establish secure connections, using SSL/TLS, and encrypt the data traveling in the tunnel, using TLS/DTLS, as disclosed by Glazemakers; such modification would allow the system to provide communications privacy over networks using SSL, guarantee privacy and data integrity using TLS, and secure applications that are delay sensitive using DTLS.

Regarding claim 5: The combination of Wang, Kim, Birkler and Glazemakers discloses: The non-transitory computer-readable medium of claim 4, wherein the first encryption technique is always a same one of TLS and SSL (Glazemakers, ¶115: "may implement security protocols, such as Secure Sockets Layer (SSL), Transport Layer Security (TLS)"), and the second encryption technique is selected as the one of TLS and DTLS based on support of the remote node (Glazemakers, ¶42: "The data travelling in the TUNNEL may further be protected by encryption, such as according to the Internet Protocol Security (or "IPsec protocol,") Transport Layer Security (or "TLS") and/or Datagram Transport Layer Security (or "DTLS")."). The same motivation which is applied to claim 4 with respect to Glazemakers applies to claim 5.

Regarding claims 14-15: Claims 14-15 recite substantially the same limitations as claims 4-5, respectively, in the form of a method implementing the corresponding functionality. Therefore, they are rejected by the same rationale.

Claims 7 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Wang, Kim, Birkler, and further in view of US-PGPUB No. 2020/0195439 A1 to Suresh et al. (hereinafter "Suresh").

Regarding claim 7: The combination of Wang, Kim and Birkler discloses the non-transitory computer-readable medium of claim 6, but fails to explicitly disclose the following limitation taught by Suresh: wherein the data packets include data packets between the remote node and the local node from various ports and having different protocols (Suresh, ¶118: "The header information and the payload of each packet may be generated in accordance with any number of communication protocols at any network stack layer ...", and ¶64: "Packet engine may manage kernel-level processing of packets received and transmitted by appliance via network stacks to send and receive network packets via network ports 266.". See also FIG. 2 'Network Ports 266').

It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Wang, Kim and Birkler to incorporate the functionality of the packet engine to generate packets with any number of protocols and ports, as disclosed by Suresh; such modification would allow the system to switch to a different port/protocol without service interruption when the currently used port/protocol is compromised, thus providing a highly available service.

Regarding claim 17: Claim 17 recites substantially the same limitation as claim 7 in the form of a method implementing the corresponding functionality. Therefore, it is rejected by the same rationale.

Claims 9 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Wang, Kim, Birkler, and further in view of US-PGPUB No. 2019/0334705 A1 to Parimal et al. (hereinafter "Parimal").

Regarding claim 9: The combination of Wang, Kim and Birkler discloses the non-transitory computer-readable medium of claim 1, but fails to explicitly disclose the following limitation taught by Parimal: wherein the first encryption technique and the second encryption technique are different (Parimal, ¶14: "The first encrypted channel may be referred to herein as the "control channel." and may use a first encryption key. Further, the second encrypted channel may be referred to herein as the "data channel," and may use a second encryption key that is different from the first encryption key.", ¶25-27: "The first key 320 may be used to establish a control channel … the first key 320 may use the Advanced Encryption Standard (AES)", ¶29-31: "The transmission of the second encrypted data 365 may be referred to as a data channel. … the second key 330 may be a Transport Layer Security (TLS) key.").

It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Wang, Kim and Birkler to incorporate the functionality of the method to encrypt a control channel with a first key using an Advanced Encryption Standard (AES), and to encrypt a data channel with a second key that is different from the first key using a Transport Layer Security (TLS), as disclosed by Parimal; such modification of using different encryption techniques provides improved security, performance, and operational flexibility, and ensures that a compromise in one area does not automatically expose the other, adheres to best practices of limiting key usage, and allows for optimization of performance vs. security based on the traffic type.

Regarding claim 19: Claim 19 recites substantially the same limitation as claim 9 in the form of a method implementing the corresponding functionality. Therefore, it is rejected by the same rationale.

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Simen et al. (US 20130227118 A1) discloses a method comprising: receiving, via an application programming interface, an application inquiry, the application inquiry requesting a presence data for at least one mobile device; responsive to receiving said inquiry, obtaining network data from one or more network infrastructure nodes associated with providing service to the at least one mobile device; determining a response to the application inquiry based upon the network data; and providing the response via the application programming interface.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MATTHIAS HABTEGEORGIS whose telephone number is (571)272-1916. The examiner can normally be reached M-F 8am-5pm ET.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, William R. Korzuch can be reached at (571)272-7589. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MATTHIAS HABTEGEORGIS/
Examiner, Art Unit 2491
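The tunnel design that claims 1, 5, 6 and 9 recite (device and user authentication over a control channel that carries a session identifier; a data channel that is only usable when bound to that session; a first encryption technique fixed for the control channel and a second one chosen by remote-node support; per-packet user identifiers checked on the data channel) is easier to reason about as a small simulation of the local node's acceptance logic. The following is an added illustration, not code from the application, from Zscaler, or from any of the cited references; the class and function names, the credential store, the hex session-ID format and the "TLS"/"DTLS" labels are all assumptions made here, and no actual transport encryption is performed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed credential store for the illustration: identifier -> SHA-256 of a
# shared secret. A real deployment would use device certificates and an identity
# provider; this is only enough to show the control-channel authentication step.
CREDENTIALS = {
    "device-001": hashlib.sha256(b"device-secret").digest(),
    "alice": hashlib.sha256(b"alice-password").digest(),
}


@dataclass(frozen=True)
class Session:
    session_id: str        # carried on the control channel, binds the data channel
    device_id: str
    user_id: str
    control_technique: str  # first encryption technique: always the same one
    data_technique: str     # second encryption technique: picked per remote node


def _credential_ok(identifier: str, credential: bytes) -> bool:
    """Constant-time comparison against the (constructed) credential store."""
    expected = CREDENTIALS.get(identifier)
    if expected is None:
        return False
    return hmac.compare_digest(expected, hashlib.sha256(credential).digest())


class LocalNode:
    """Cloud-side tunnel endpoint (hypothetical model of the claimed local node)."""

    def __init__(self) -> None:
        self.sessions: dict[str, Session] = {}   # authenticated control sessions
        self.data_channels: set[str] = set()     # session ids with a bound data channel
        self.delivered: list[tuple[str, bytes]] = []

    def open_control_channel(self, device_id, device_cred, user_id, user_cred,
                             remote_supports_dtls: bool):
        """Device + user authentication; on success mint a session identifier."""
        if not (_credential_ok(device_id, device_cred) and _credential_ok(user_id, user_cred)):
            return None
        session = Session(
            session_id=secrets.token_hex(16),
            device_id=device_id,
            user_id=user_id,
            control_technique="TLS",
            data_technique="DTLS" if remote_supports_dtls else "TLS",
        )
        self.sessions[session.session_id] = session
        return session

    def open_data_channel(self, session_id: str) -> bool:
        """Data channel is bound to the control channel: refuse unknown session ids."""
        if session_id not in self.sessions:
            return False
        self.data_channels.add(session_id)
        return True

    def receive_data_packet(self, session_id: str, user_id: str, payload: bytes) -> str:
        """Each data packet carries a user identifier; it must match the bound session."""
        if session_id not in self.data_channels:
            return "rejected: no bound data channel"
        if self.sessions[session_id].user_id != user_id:
            return "rejected: user id does not match session"
        self.delivered.append((user_id, payload))
        return "accepted"


def run_scenario() -> dict:
    """Walk through the good path and the three failure modes; returns the outcomes."""
    node = LocalNode()
    results = {}
    # Wrong device credential: no control channel, hence no session identifier.
    results["bad_device_cred"] = node.open_control_channel(
        "device-001", b"wrong", "alice", b"alice-password", True)
    session = node.open_control_channel(
        "device-001", b"device-secret", "alice", b"alice-password", True)
    results["data_technique"] = session.data_technique
    # A data channel presenting a session id never issued on a control channel.
    results["unbound_data_channel"] = node.open_data_channel("deadbeef" * 4)
    results["bound_data_channel"] = node.open_data_channel(session.session_id)
    results["packet_ok"] = node.receive_data_packet(
        session.session_id, "alice", b"GET / HTTP/1.1")
    results["packet_wrong_user"] = node.receive_data_packet(
        session.session_id, "mallory", b"GET / HTTP/1.1")
    results["packet_no_channel"] = node.receive_data_packet(
        "deadbeef" * 4, "alice", b"GET / HTTP/1.1")
    results["delivered"] = len(node.delivered)
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point the simulation makes is the one the examiner attributes to Birkler: because the data channel is accepted only against a session identifier issued after authentication on the control channel, a data channel opened with a guessed or stale identifier carries nothing, and a packet whose user identifier disagrees with the session is dropped before any payload is processed.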

Prosecution Timeline

Mar 04, 2024
Application Filed
Jan 24, 2026
Non-Final Rejection — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12591641
PROCESSING AN INPUT STREAM OF A USER DEVICE TO FACILITATE SECURITY ASSOCIATED WITH AN ACCOUNT OF A USER OF THE USER DEVICE
2y 5m to grant Granted Mar 31, 2026
Patent 12574353
A Method And Unit For Adaptive Creation Of Network Traffic Filtering Rules On A Network Device That Autonomously Detects Anomalies And Automatically Mitigates Volumetric (DDOS) Attacks
2y 5m to grant Granted Mar 10, 2026
Patent 12541609
METHOD AND SYSTEM FOR IDENTIFYING HEALTH OF A MICROSERVICE BASED ON RESOURCE UTILIZATION OF THE MICROSERVICE
2y 5m to grant Granted Feb 03, 2026
Patent 12513188
METHOD AND SYSTEM FOR PROTECTING A CHECKOUT TRANSACTION FROM MALICIOUS CODE INJECTION
2y 5m to grant Granted Dec 30, 2025
Patent 12513112
NETWORK APPARATUS AND NETWORK ATTACK BLOCKING METHOD THEREOF
2y 5m to grant Granted Dec 30, 2025
Based on the 5 most recent grants by this examiner.


Prosecution Projections

Expected OA Rounds: 1-2
Grant Probability: 75%
Grant Probability With Interview: 97% (+21.3%)
Median Time to Grant: 3y 2m
PTA Risk: Low

Based on 97 resolved cases by this examiner. Grant probability derived from career allow rate.
