Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
Claims 1-20 remain for examination. Claims 1-17 has been amended. Claims 18-20 have been added. Applicant's arguments filed on 03/19/2026 have been fully considered but they are moot in view of the new ground(s) of rejection necessitated by the amendments. Accordingly, this action has been made final.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-17 are rejected under 35 U.S.C. 103 as being unpatentable over Lam US 20190089678 A1, in view of PRUSS US 20100131750 A1; in further view of Crawford US 20110225646 A1.
As to claim 1, Lam discloses a firewall provided between an external network and an internal network, the firewall and/or security appliance comprising (Lam Pa. [0095]) [network architecture for providing fine-grained policy enforcement and/or outbound/inbound lateral traffic punting based upon process risk in accordance… a network device 302 (e.g., a data appliance, such as similarly described above with respect to FIG. 2). In one embodiment, the network device 302 includes a firewall 312 (e.g., a firewall component that can be implemented in software executed on a hardware processor of the network device]: a memory configured to store a plurality of programmable instructions; and a processing device in communication with the memory, wherein the processing device, upon execution of the plurality of programmable instructions is configured to (Lam Pa. [0014]) [a process; an apparatus; a system; a composition of matter; a computer program product embodied on a computer readable storage medium; and/or a processor, such as a processor configured to execute instructions stored on and/or provided by a memory coupled to the processor. In this specification, these implementations, or any other form that the invention may take, may be referred to as techniques]: receive or transmit inbound messages of network traffic between the external network and the internal network at an external port connected to the external network (Lam Pa. [0017]) [a firewall can filter inbound traffic by applying a set of rules or policies to prevent unwanted outside traffic from reaching protected devices], wherein the external network includes at least one external module that is capable of supporting or configured to support at least one secure protocol (Lam Pa. [0020]) [Application layer filtering firewalls or application firewalls can generally identify certain applications and protocols (e.g., web browsing using HyperText Transfer Protocol (HTTP), a Domain Name System (DNS) request, a file transfer using File Transfer Protocol (FTP), and various other types of applications and other protocols]; receive or transmit outbound messages of the network traffic at an internal port connected to the internal network (Lam Pa. [0017]) [A firewall can also filter outbound traffic by applying a set of rules or policies (e.g., allow, block, monitor, notify, log, and/or other actions can be specified in firewall rules or firewall policies, which can be triggered based on various criteria, such as described herein)], wherein the internal network includes a plurality of internal modules, at least one of which is not capable of supporting or configured to support the at least one secure protocol (Lam Pa. [0020]) [Application layer filtering firewalls or application firewalls can generally identify certain applications and protocols (e.g., web browsing using HyperText Transfer Protocol (HTTP), a Domain Name System (DNS) request, a file transfer using File Transfer Protocol (FTP), and various other types of applications and other protocols]; provide firewall and/or security protection for filtering and monitoring the network traffic; for an inbound message received at the external port from a source external module of the at least one external module (Lam Pa. [0085]) [FIG. 1 is a diagram of an architecture of a network device that can be used for providing fine-grained policy enforcement and/or outbound/inbound lateral traffic punting based upon process risk in accordance with some embodiments. As shown in FIG. 1, network traffic is monitored at a firewall 100. In one embodiment, network traffic is monitored using a network device, such as a data appliance (e.g., a data appliance that includes security functions, such as a security device/appliance that includes a firewall)]
It is noted that Lam does not appear explicitly disclose remove one or more of encryption or first applicable security aspects of the at least one secure protocol before transmitting the inbound message via the internal port to a destination internal module of the plurality of internal modules and for an outbound message received at the internal port from a source internal module of the plurality of internal modules, add one or more of encryption or second applicable security aspects of the at least one secure protocol before transmitting the outbound message via the external port to a destination external module of the at least one external module.
However, PRUSS discloses remove one or more of encryption or first applicable security aspects of the at least one secure protocol before transmitting the inbound message via the internal port to a destination internal module of the plurality of internal modules (PRUSS Pa. [0009]) [The cryptographic system decrypts inbound messages…The inbound ciphertext message is decrypted using the encryption algorithm and key to form an inbound plaintext message. As the IP stack (and other unprotected software modules) has no contact with the keys for at least one encryption, the risk of compromise of sensitive data is minimized...The inbound ciphertext message is decrypted using the encryption algorithm and key to form an inbound plaintext message] and for an outbound message received at the internal port from a source internal module of the plurality of internal modules, add one or more of encryption or second applicable security aspects of the at least one secure protocol before transmitting the outbound message via the external port to a destination external module of the at least one external module (PRUSS Pa. [0009]) [The cryptographic system encrypts outbound messages …The encrypted outbound ciphertext message is then sent to its destination]
Thus, before the effective filing date of the claimed invention, it would have been recognized by one of ordinary skill in the art, that applying the known technique taught by PRUSS to the code programing of Lam would have yield predictable results and resulted in an improved system, namely, a system that would provide a secure gateway between networks in which commercial software components are used (PRUSS Pa. [0001])
Furthermore, it is noted that the combination of Lam and PRUSS does not appear explicitly disclose based on the destination internal module being incapable of supporting or not configured to support the at least one secure protocol; based on the source internal module being incapable of supporting or not configured to support the at least one secure protocol.
However, Crawford discloses based on the destination internal module being incapable of supporting or not configured to support the at least one secure protocol (Crawford Pa. [0057]) [Non-compliant connections are rejected at step 909. The allowed connections are checked against a list of service protocols supported by the proxy 107, see step 905. Content formatted according to non-supported protocols is sent directly to the destination at step 908.]; based on the source internal module being incapable of supporting or not configured to support the at least one secure protocol (Crawford Fig. 5-6, Pa. [0051-0052]) [The shown interface 500 is organized in a tabular form with each of the rows 501, 502 and 503 corresponding to firewall policies with policy identification numbers 1, 2 and 5, respectively. Parameters in columns 504, 505 and 507 specify source network address, destination network address and transmission protocol to which specific listed policy is made applicable. Column 506 specifies when the specific policy has effect. Column 508 contains settings specifying how the corresponding network traffic should be handled. The configuration scheme for each effective policy is specified in column 509. The network administrator is provided with an option to enable or disable any specific policy and to modify or delete it, see columns 510 and 511; note: Fig. 5 shows the type of protocol supported or non-supported by respective source]
Thus, before the effective filing date of the claimed invention, it would have been recognized by one of ordinary skill in the art, that applying the known technique taught by Crawford to the code programing of Lam and PRUSS would have yield predictable results and resulted in an improved system, namely, a system that would provide application-level content processing of network service protocols using a firewall. (Crawford Pa. [0004])
As to claim 2, the combination of Lam and PRUSS discloses wherein the processing device, upon execution of the plurality of programmable instructions, is further configured to: store, in association with identification of each of the plurality of internal modules, an indication of a security capability of each of the plurality of internal modules for supporting the at least one secure protocol (PRUSS Pa. [0011]) [The IP stack 104 is a software implementation of a computer networking protocol suite and has a native (i.e., programmed) Application Programming Interface (API) that is able to provide a minimum level of security for messages. The IPSec gateway 100 of FIG. 1 uses the native API of the IP stack 104 to prevent security breaches without resorting to a specialized arrangement in which all security operations are performed by separate components]; determine security capability of the destination internal module identified in each inbound message (Lam Pa. [0103]) [Application identification and user identification (APP ID) module 512 is configured to determine what type of traffic/protocol the session involves and to identify a user associated with the traffic flow for providing app/user control and content control for performing the disclosed techniques for providing fine-grained policy enforcement and/or outbound/inbound lateral traffic punting based upon process risk (e.g., as similarly described above with respect to APP ID and user ID check component 108 of FIG. 1)]; and remove one or more of the encryption and/or the first applicable security aspects before transmitting the inbound message via the internal port to the destination internal module only if the determination of the security capability is that the destination internal module has inadequate security capability for processing the inbound message with one or more of the encryption and/or the first security aspects (PRUSS Pa. [0009]) [The cryptographic system decrypts inbound messages…The
inbound ciphertext message is decrypted using the encryption algorithm and key to form an inbound plaintext message. As the IP stack (and other unprotected software modules) has no contact with the keys for at least one encryption, the risk of compromise of sensitive data is minimized...The inbound ciphertext
message is decrypted using the encryption algorithm and key to form an inbound plaintext message]
Thus, before the effective filing date of the claimed invention, it would have been recognized by one of ordinary skill in the art, that applying the known technique taught by PRUSS to the code programing of Lam would have yield predictable results and resulted in an improved system, namely, a system that would provide a secure gateway between networks in which commercial software components are used (PRUSS Pa. [0001])
As to claim 3, the combination of Lam and PRUSS discloses wherein the processing device, upon execution of the plurality of programmable instructions, is further configured to: store in association with identification of each of the plurality of internal modules an indication of a security capability of each of the plurality of the internal modules for supporting the at least one secure protocol (PRUSS Pa. [0011]) [The IP stack 104 is a software implementation of a computer networking protocol suite and has a native (i.e., programmed) Application Programming Interface (API) that is able to provide a minimum level of security for messages. The IPSec gateway 100 of FIG. 1 uses the native API of the IP stack 104 to prevent security breaches without resorting to a specialized arrangement in which all security operations are performed by separate components]; determine a security capability of a source module of the plurality of internal modules identified in each outbound message (Lam Pa. [0103]) [Application identification and user identification (APP ID) module 512 is configured to determine what type of traffic/protocol the session involves and to identify a user associated with the traffic flow for providing app/user control and content control for performing the disclosed techniques for providing fine-grained policy enforcement and/or outbound/inbound lateral traffic punting based upon process risk (e.g., as similarly described above with respect to APP ID and user ID check component 108 of FIG. 1)]; and add one or more of the encryption or the second applicable security aspects before transmitting the outbound message via the external port to the destination external module of the at least one external module only if the determination of the security capability is that the source internal module has inadequate security capability for providing one or more of the outbound message with the encryption or the first applicable security aspects (PRUSS Pa. [0009]) [The cryptographic system encrypts outbound messages …The encrypted outbound ciphertext message is then sent to its destination]
Thus, before the effective filing date of the claimed invention, it would have been recognized by one of ordinary skill in the art, that applying the known technique taught by PRUSS to the code programing of Lam would have yield predictable results and resulted in an improved system, namely, a system that would provide a secure gateway between networks in which commercial software components are used (PRUSS Pa. [0001])
As to claim 4, the combination of Lam and PRUSS discloses wherein the external network/zone and the internal network are included within an operational technologies (OT) system (Lam Fig. 2-3]) (operational technologies system of fig. 2-3)
As to claim 5, the combination of Lam and PRUSS discloses wherein the at least one external module includes one or more of a supervisory and/or control module or one or more other modules that are not included in the internal network (Lam Pa. [0088]) [firewall policies can be applied to the monitored network traffic using application identification, user identification, content identification (e.g., APP ID and user ID check component 108 can also include a content ID component as an integrated distinct component of firewall 100, in which the content ID component can provide real-time content scanning, such as for monitoring and/or controlling file transfer activities), and/or other information to match signatures (e.g., file-based, protocol-based, and/or other types/forms of signatures for detecting malware or suspicious behavior).]
As to claim 6, the combination of Lam and PRUSS discloses wherein the plurality of internal modules are operational-technology (OT) modules (PRUSS Pa. [0010]) [Portions of the MPU 150 memory that contain at least some of these software modules are areas of protected memory that are protected from being accessed except by predetermined processes/threads, software modules or secure devices using hardware designed for this purpose. Protecting portions of the memory is a standard function provided by many operating systems (OSs). For example, the inbound and outbound Crypo modules 110]
Thus, before the effective filing date of the claimed invention, it would have been recognized by one of ordinary skill in the art, that applying the known technique taught by PRUSS to the code programing of Lam would have yield predictable results and resulted in an improved system, namely, a system that would provide a secure gateway between networks in which commercial software components are used (PRUSS Pa. [0001])
As to claims 7-9, claims 7-9 recite the claimed that contain respectively similar limitations as claims 1-3; therefore, they are rejected under the same rationale.
As to claims 10-11, claims 10-11 recite the claimed that contain respectively similar limitations as claims 5-6; therefore, they are rejected under the same rationale.
As to claims 12-14, claims 12-14 recite the claimed that contain respectively similar limitations as claims 1-3; therefore, they are rejected under the same rationale.
As to claims 15-17, claims 15-17 recite the claimed that contain respectively similar limitations as claims 4-6; therefore, they are rejected under the same rationale.
As to claims 18-20, the combination of Lam, PRUSS and Crawford discloses wherein the firewall is supported by a security appliance with a firewall-type capability (Crawford Pa. [0039]) [physical network interfaces 102 and 103, and the aforesaid networking subsystem 106, which may be implemented as a part of the kernel of the operating system of the firewall appliance 101]; wherein the external network is an external network or zone (network/zone) and the internal network is an internal network/zone (Crawford Fig. 5, ID-501); wherein the firewall is supported by a security appliance with a firewall-type capability (Crawford Pa. [0039]) [physical network interfaces 102 and 103, and the aforesaid networking subsystem 106, which may be implemented as a part of the kernel of the operating system of the firewall appliance 101]
Thus, before the effective filing date of the claimed invention, it would have been recognized by one of ordinary skill in the art, that applying the known technique taught by Crawford to the code programing of Lam and PRUSS would have yield predictable results and resulted in an improved system, namely, a system that would provide application-level content processing of network service protocols using a firewall. (Crawford Pa. [0004])
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to EVANS DESROSIERS whose telephone number is (571)270-5438. The examiner can normally be reached Monday -Friday 8:00 am - 5:30 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, William Korzuch can be reached at (571)272-7589. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/EVANS DESROSIERS/ Primary Examiner, Art Unit 2491