Prosecution Insights
Last updated: April 19, 2026
Application No. 18/773,978

INTEGRATION & IMPLEMENTATION OF GLOBAL EDGE FUNCTIONALITIES

Non-Final OA: §101, §102, §103, §DP
Filed: Jul 16, 2024
Examiner: GUZMAN, JAVIER O
Art Unit: 2446
Tech Center: 2400 — Computer Networks
Assignee: Sonicwall Inc.
OA Round: 1 (Non-Final)
Grant Probability: 82% (Favorable)
OA Rounds: 1-2
To Grant: 2y 4m
With Interview: 99%

Examiner Intelligence

Grants 82% — above average
Career Allow Rate: 82% (287 granted / 351 resolved; +23.8% vs TC avg)
Strong +20% interview lift
Interview Lift: +20.0% (resolved cases with interview)
Typical timeline, Avg Prosecution: 2y 4m (7 currently pending)
Career history, Total Applications: 358 (across all art units)

Statute-Specific Performance

§101: 10.2% (-29.8% vs TC avg)
§103: 47.0% (+7.0% vs TC avg)
§102: 18.8% (-21.2% vs TC avg)
§112: 12.2% (-27.8% vs TC avg)
Based on career data from 351 resolved cases

Office Action

§101 §102 §103 §DP
DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

1. This action is responsive to the application filed on 07/16/2024.
2. Claims 1-20 are pending.
3. Claims 7, 10-15, 17, and 18 are objected.
4. Claims 1-20 are rejected.

Information Disclosure Statement

The information disclosure statements (IDSs) submitted on 10/23/2024, 02/06/2025, 08/22/2025, 10/23/2025, and 11/19/2025 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Allowable Subject Matter

Claims 7, 10-15, 17, and 18 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Double Patenting

The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).

The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13.

The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission.
For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer.

Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of Patent No. 11,616,781 and over claims 1-3, 6-11, 14-19, and 21-23 of Patent No. 12,238,103. Although the claims at issue are not identical, they are not patentably distinct from each other because they are both claiming common subject matter, handling communications using an air gap-based network isolation device.

Claims 1-20 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of copending Application No. 18/773,972 (reference application). Although the claims at issue are not identical, they are not patentably distinct from each other because they are both claiming common subject matter, establishing secure connections between firewalls and cloud. This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.

Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows:

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 16-19 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because the “system” claims are not a process, machine, manufacture, or composition of matter. The claim lacks the necessary physical articles / objects / elements / components / structure / hardware to constitute a machine or a manufacture within the meaning of 35 USC 101.
They are clearly not a series of steps or acts to be a process nor are they a combination of chemical compounds to be a composition of matter. Therefore, the claimed subject matter as a whole fails to fall within the definition of a process, machine, manufacture or composition of matter, patentable eligible category subject matter. For more information regarding 35 U.S.C. 101 please see MPEP 2106 and section of 2106 titled “Non-limiting examples of claims that are not directed to one of the statutory categories: vi. a computer program per se, Gottschalk v. Benson, 409 U.S. at 72.” Examiner suggests coupling the system with sufficient structure such as a memory, CPU, etc.

Claim Interpretation

The following is a quotation of 35 U.S.C. 112(f):

(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:

An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph: (A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; (B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and (C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 
112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.

Such claim limitation(s) is/are: “a centralized management platform configured to assign…” in claim 16, “the firewall connector configured to securely routing…” in claim 16, “the firewall connector configured to setting up…receiving…” in claim 17, “the firewall connector is further configured to changing…forwarding…” in claim 18.

Because these claim limitations are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, they are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof (Specification of instant application, Fig 14, Paragraph 0186 – computer system description).

If applicant does not intend to have these limitations interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 102

The following is a quotation of the appropriate paragraphs of 35 U.S.C.
102 that form the basis for the rejections under this section made in this Office action:

A person shall be entitled to a patent unless – (a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1, 2, and 20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Dipak Kr. Das et al. (US 20240146536 A1), hereinafter “Das”.

Regarding Claim 1, Das discloses a method for securely routing and controlling access of various types of traffic for one or more end-user devices (Das, Paragraphs 0004-0005, 0009, 0038, operating a computing platform to authenticate endpoint devices to an enterprise network (i.e., private network) including an authenticator for managing access for the endpoint devices and monitoring network traffic), the method comprising: securely routing private application traffic from a first end-user device to a private network (Das, Paragraph 0039, a security management facility provides network access control for an endpoint device to access and use network connections including a VPN to transmit data), comprising: receiving a first request by the first end-user device for verification by a Zero Trust Network Access (ZTNA) proxy (Das, Paragraph 0087, network device includes a zero trust network access gateway that provides secure connectivity for client devices, such as the endpoint 502, to a protected resource such as the enterprise resource.
Paragraphs 0114-0116, endpoint device sends a request for authentication to the authenticator of the computing platform including a ZTNA gateway (proxy)); authenticating the first end-user device by the ZTNA proxy (Das, Fig 6, Paragraphs 0087, 0109, authenticating the endpoint device at step 632 by the ZTNA gateway); based on a successful authentication, providing a unique session token to a firewall connector coupled with a network firewall (Das, Fig 6, Paragraphs 0107-0108, authenticating the endpoint device in step 632 by presenting an authentication token to the endpoint device at step 630 having a limited session time of use); and establishing, by the firewall connector and a centralized management platform, a first connector tunnel for the private application traffic (Das, Paragraph 0039, providing access control to virtual private networks (VPN) (i.e., first connector tunnel), where VPNs may, for example, include communications networks tunneled through other networks and establishing logical connections acting as virtual networks. 
Paragraphs 0107-0108, access is provided based on validation of the challenge response being successful); securely routing private network traffic from a second end-user device to the private network (Das, Paragraphs 0036, 0039, 0097, the security management facility provides network access control for users of devices (second) to access and use network connections including a VPN to transmit data (network traffic)), comprising: receiving the private network traffic at the firewall connector coupled with the network firewall (Das, Fig 2, Paragraph 0058, streaming data through a firewall 10 of an enterprise facility); inspecting the private network traffic based on rules related to network traffic at a transport level (Das, Paragraphs 0034-0038, 0044, scanning (inspecting) data transmitted to and from (transport level) the endpoint device with the enterprise (private network traffic) according to rules); and upon successful inspection, establishing a second connector tunnel for the private network traffic (Das, Paragraph 0039, establishing a VPN (second connector tunnel) for the network traffic); and filtering and monitoring Internet traffic for a third end-user device from the Internet or a Software-as-a-Service (SaaS) application (Das, Paragraphs 0033, 0058, 0075, filtering and monitoring Internet data from users of devices (third) by a SaaS application), comprising: receiving a second request for the Internet traffic from the third end-user device (Das, Fig 7, Paragraphs 0033, 0087, 0114-0116, receiving an authorization request 720 (second) from the endpoint device 702 of users of devices (third) for Internet data); filtering the Internet traffic using one or more security policies (Das, Paragraphs 0033, 0045, 0058, 0075, filtering Internet data from users of devices (third) using access rules and policies); and after filtering, establishing a secure connection for the Internet traffic (Das, Paragraphs 0033, 0087, establishing a connection for operation in the 
ZTNA environment (secure) for the Internet data).

Regarding Claim 2, Das discloses the method of claim 1 above, wherein an access control service is a cloud-based service of the centralized management platform (Das, Fig 1, Paragraphs 0054, 0058, the threat management facility controls access to the enterprise facility in a cloud computing instance) wherein the method further comprising: managing, by the centralized management platform, the access control service to provide administrators to manage and monitor end-user devices from a single interface, configure firewall policies, and view real-time reporting and analytics on network activity (Das, Paragraphs 0026, 0066, administrators can update and enforce policies for network access by users (manage and monitor end-user devices) through a user interface, controlling network traffic allowed to traverse firewalls. Paragraphs 0038, 0040, 0058, monitoring application activities).

Claim 20 carries similar limitations as discussed with regards to Claim 1 above and therefore is rejected for the same reason.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:

1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Das in view of Ashish Jain et al (US 20240064147 A1), hereinafter “Jain”.

Regarding Claim 3, Das discloses the method of claim 2 above, further comprising: verifying, by the access control service, authorization of the first end-user device to access the private network (Das, Paragraphs 0110-0112, the threat management facility maintains continued authentication (verifying) of the endpoint device when accessing the enterprise network).

However, Das fails to explicitly disclose evaluating, by the access control service, device characteristics of the first end-user device; applying, by the access control service, configured application control policies based on the device characteristics; and evaluating, by the access control service, Zero Trust Network Access (ZTNA) policies based on the device characteristics and application configured application control policies.
Jain, from the same or similar field of endeavor, discloses evaluating, by the access control service, device characteristics of the first end-user device (Jain, Paragraphs 0070, 0077, an authentication and authorization engine (access control service) determining a location (characteristics) of the client computing device); applying, by the access control service, configured application control policies based on the device characteristics (Jain, Paragraphs 0082-0083, access security policies for access to an application are based on user/client device location and/or client device type (characteristics)); and evaluating, by the access control service, Zero Trust Network Access (ZTNA) policies based on the device characteristics and application configured application control policies (Jain, Paragraph 0053, security service provides zero trust network access (ZTNA) by using ZTNA clients/servers. Paragraphs 0064-0065, remote continuous access evaluation (RCAE) of security policies based on application classification provided in ZTNA).

Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Das in view of Jain in order to further modify the method of network access using hardware-based security from the teachings of Das with the method of granular secure access to private resources from the teachings of Jain. One of ordinary skill in the art would have been motivated for the purpose of increased granularity of security policies by evaluating Zero Trust Network Access 'ZTNA' policies based on the device characteristics and application configured application control policies (Jain – Paragraph 0003).

Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Das in view of Jain and in further view of Shulman.
Regarding Claim 4, the combination of Das and Jain disclose the method of claim 3 above, where Das further discloses further comprising: generating, by the access control service, the unique session token when the request is approved (Das, Paragraphs 0004, 0107-0108, generating the authentication token is suitable for transmitting verifiable information about the identity of the endpoint device (unique) and used to verifiably assert the identity of the endpoint device); and where Das further discloses and forming, by the access control service, a connector tunnel that establishes a secure connection between the first end-user device and the private network (Das, Paragraph 0039, establishing, by the firewall of a threat management facility (access control service), a VPN (connector tunnel/secure connection) for the network traffic from the endpoint device).

However, the combination of Das and Jain fail to explicitly disclose further discloses providing, by the access control service, the unique session token to the firewall connector.

Shulman, from the same or similar field of endeavor, discloses further discloses providing, by the access control service, the unique session token to the firewall connector.

Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Das in view of Jain and in further view of Shulman in order to further modify the method of network access using hardware-based security from the teachings of Das and the method of granular secure access to private resources from the teachings of Jain with the method of securely detecting compromises of enterprise end stations from the teachings of Shulman. One of ordinary skill in the art would have been motivated for the purpose of monitoring computer resource usage (Shulman – Paragraphs 0025, 0030).

Claims 5 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Das in view of Amichai Shulman et al (US 20170244672 A1), hereinafter “Shulman”.

Regarding Claim 5, Das discloses the method of claim 1 above, further comprising: receiving a data packet from an access tier at the firewall connector, wherein the access tier receives the data packet from the second end-user device for the private network (Das, Paragraphs 0033, 0040, runtime monitoring is provided in a security agent (access tier) of an endpoint in the firewall for Internet communications).

However, Das fails to explicitly disclose assigning, by the centralized management platform, a unique source IP address to the second end-user device.

Shulman, from the same or similar field of endeavor, discloses assigning, by the centralized management platform, a unique source IP address to the second end-user device (Shulman, Paragraph 0080, the management server assigning IP addresses the electronic device).

Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Das in view of Shulman in order to further modify the method of network access using hardware-based security from the teachings of Das with the method of securely detecting compromises of enterprise end stations from the teachings of Shulman. One of ordinary skill in the art would have been motivated for the purpose of monitoring computer resource usage (Shulman – Paragraphs 0025, 0030).
Regarding Claim 16, Das discloses a system for securely routing and controlling access of various types of traffic for one or more end-user devices (Das, Paragraphs 0004-0005, 0009, 0038, operating a computing platform to authenticate endpoint devices to an enterprise network (i.e., private network) including an authenticator for managing access for the endpoint devices and monitoring network traffic), the system comprising: and a firewall connector coupled with a network firewall, the firewall connector configured to: securely routing private application traffic from a first end-user device to a private network (Das, Paragraph 0039, a security management facility provides network access control for an endpoint device to access and use network connections including a VPN to transmit data), comprising: receiving a request by the first end-user device for verification by a Zero Trust Network Access (ZTNA) proxy (Das, Paragraph 0087, network device includes a zero trust network access gateway that provides secure connectivity for client devices, such as the endpoint 502, to a protected resource such as the enterprise resource. Paragraphs 0114-0116, endpoint device sends a request for authentication to the authenticator of the computing platform including a ZTNA gateway (proxy)); authenticating the first end-user device by the ZTNA proxy (Das, Fig 6, Paragraphs 0087, 0109, authenticating the endpoint device at step 632 by the ZTNA gateway); and establishing, with the centralized management platform, a first connector tunnel for the private application traffic (Das, Paragraph 0039, providing access control to virtual private networks (VPN) (i.e., first connector tunnel), where VPNs may, for example, include communications networks tunneled through other networks and establishing logical connections acting as virtual networks. 
Paragraphs 0107-0108, access is provided based on validation of the challenge response being successful); securely routing private network traffic from a second end-user device to the private network (Das, Paragraphs 0036, 0039, 0097, the security management facility provides network access control for users of devices (second) to access and use network connections including a VPN to transmit data (network traffic)), comprising: receiving the private network traffic at the firewall connector (Das, Fig 2, Paragraph 0058, streaming data through a firewall 10 of an enterprise facility); inspecting the private network traffic based on rules related to network traffic at a transport level (Das, Paragraphs 0034-0038, 0044, scanning (inspecting) data transmitted to and from (transport level) the endpoint device with the enterprise (private network traffic) according to rules); and upon successful inspection, establishing a second connector tunnel for the private network traffic (Das, Paragraph 0039, establishing a VPN (second connector tunnel) for the network traffic); and filtering and monitoring Internet traffic for a third end-user device from the Internet or a Software-as-a-Service (SaaS) application (Das, Paragraphs 0033, 0058, 0075, filtering and monitoring Internet data from users of devices (third) by a SaaS application), comprising receiving a request for the Internet traffic from the third end-user device (Das, Fig 7, Paragraphs 0033, 0087, 0114-0116, receiving an authorization request 720 (second) from the endpoint device 702 of users of devices (third) for Internet data); and after the Internet traffic is filtered using one or more security policies, establishing a secure connection for the Internet traffic (Das, Paragraphs 0033, 0045, 0058, 0075, 0087, filtering Internet data from users of devices (third) using access rules and policies. Establishing a connection for operation in the ZTNA environment (secure) for the Internet data). 
However, Das fails to explicitly disclose a centralized management platform configured to assign a unique source IP address to a respective end-user device; based on a successful authentication, providing a unique session token to the firewall connector coupled with a network firewall;

Shulman, from the same or similar field of endeavor, discloses a centralized management platform configured to assign a unique source IP address to a respective end-user device (Shulman, Paragraph 0080, the management server assigning IP addresses the electronic device); based on a successful authentication, providing a unique session token to the firewall connector coupled with a network firewall (Shulman, Paragraphs 0029-0030, 0070, sending a token used by an authorized user for traffic (session) to an appropriate server, e.g. web application firewall, via a network connection);

Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Das in view of Shulman in order to further modify the method of network access using hardware-based security from the teachings of Das with the method of securely detecting compromises of enterprise end stations from the teachings of Shulman. One of ordinary skill in the art would have been motivated for the purpose of monitoring computer resource usage (Shulman – Paragraphs 0025, 0030).

Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Das in view of Shulman and in further view of Lawrence Edwin Menten (US 20070156911 A1), hereinafter “Menten”.

Regarding Claim 6, the combination of Das and Shulman disclose the method of claim 5 above, where Shulman discloses and forwarding, by the firewall connector, the data packet to a correct location on the private network (Shulman, Fig 2, Paragraph 0032, packets are directed to a destination address by a token tunnel server (firewall connector)).
However, the combination of Das and Shulman fail to explicitly disclose further comprising: changing, by the firewall connector, the unique source IP address or a destination IP address of the data packet.

Menten, from the same or similar field of endeavor, discloses further comprising: changing, by the firewall connector, the unique source IP address or a destination IP address of the data packet (Menten, Paragraphs 0022, 0044, 0047, 0053, destination IP addresses and dynamically assigned (changing) and translated by the firewall; internet traffic (data packet) flows through the firewall).

Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Das in view of Shulman and further in view of Menten in order to further modify the method of network access using hardware-based security from the teachings of Das and the method of securely detecting compromises of enterprise end stations from the teachings of Shulman with the method of control of communication session attributes in network employing firewall protection. One of ordinary skill in the art would have been motivated for the purpose of changing the destination IP address in order to control attributes/events associated with a communications session (Menten – Paragraphs 0001, 0008).

Claims 8 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Das in view of Sean McCord et al (US 20230254284 A1), hereinafter “McCord”.

Regarding Claim 8, Das discloses the method of claim 1 above.

However, Das fails to explicitly disclose wherein the second connector tunnel uses WireGuard peering.

McCord, from the same or similar field of endeavor, discloses wherein the second connector tunnel uses WireGuard peering (McCord, Paragraph 0056, the VPN network interface (connector tunnel) is a WireGuard secure transport connected to an ethernet network adapter).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Das in view of McCord in order to further modify the method of network access using hardware-based security from the teachings of Das with the method of building a mesh VPN in a hybrid of multi-cloud cluster from the teachings of McCord. One of ordinary skill in the art would have been motivated for the purpose of implementing encrypted VPNs with high speed performance and low attack surface (McCord – Paragraph 0013).

Regarding Claim 19, this claimed limitation is the same as the limitation addressed to Claim 8 above. Therefore, it is rejected under the same rationale.

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Das in view of Ariel Gordon et al (CN 114616798), hereinafter “Gordon”.

Regarding Claim 9, Das discloses the method of claim 2 above. However, Das fails to explicitly disclose further comprising: provisioning a child tenant associated with the first end-user device for a managed service provider; assigning customer access rights to the child tenant; and managing product licenses for the child tenant.

Gordon, from the same or similar field of endeavor, discloses further comprising: provisioning a child tenant associated with the first end-user device for a managed service provider (Gordon, Paragraphs 0041-0047, provision user accounts with appropriate access for users across multiple tenants for a SaaS provider; the user account having a first tenant and a second tenant with nested access rights (child)); assigning customer access rights to the child tenant (Gordon, Paragraph 0046, providing access rights to resources in the second tenant (child)); and managing product licenses for the child tenant (Gordon, Paragraph 0051, performing a nested access rights check to determine whether the user has a valid license).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Das in view of McCord in order to further modify the method of network access using hardware-based security from the teachings of Das with the method of building a mesh VPN in a hybrid of multi-cloud cluster from the teachings of McCord. One of ordinary skill in the art would have been motivated for the purpose of implementing encrypted VPNs with high speed performance and low attack surface (McCord – Paragraph 0013).

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. All the references listed on 892 are related to the subject matter of establishing secure connections between firewalls and cloud. Some of the prior art include: US 20230388275 A1, US 20200336484 A1, and US 11943195 B1.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAVIER O GUZMAN whose telephone number is (571)270-0588. The examiner can normally be reached Monday - Friday 8 am to 4 pm EST.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Brian J Gillis can be reached at 571-272-7952. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov.
Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/JAVIER O GUZMAN/
Primary Examiner, Art Unit 2446

Prosecution Timeline

Jul 16, 2024
Application Filed
Sep 12, 2024
Response after Non-Final Action
Feb 06, 2026
Non-Final Rejection — §101, §102, §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12596971
PRIVILEGE MANAGEMENT FOR ELECTRONIC WORKSPACES
2y 5m to grant Granted Apr 07, 2026
Patent 12591677
SYSTEM AND METHOD FOR DETECTION AND ON-DEMAND DISINFECTION OF REMOTE DEVICES
2y 5m to grant Granted Mar 31, 2026
Patent 12572689
AVATAR MANAGEMENT SYSTEM, AVATAR MANAGEMENT METHOD, AND STORAGE MEDIUM
2y 5m to grant Granted Mar 10, 2026
Patent 12568083
DEVICE SOCIAL MEDIA INTEGRATION WITH CLOUD SOLUTIONS FOR ISSUE RESOLUTIONS
2y 5m to grant Granted Mar 03, 2026
Patent 12561377
SELECTIVELY DISTRIBUTING VISUALIZATIONS USING THIN CLIENTS
2y 5m to grant Granted Feb 24, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.


Prosecution Projections

1-2
Expected OA Rounds
82%
Grant Probability
99%
With Interview (+20.0%)
2y 4m
Median Time to Grant
Low
PTA Risk
Based on 351 resolved cases by this examiner. Grant probability derived from career allow rate.
