DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-20 are pending for examination in the instant application.
Information Disclosure Statement
The information disclosure statements (IDS) submitted on 12/11/2024 and 01/06/2025 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
As to claims 18-20, the claims are drawn to a "computer readable medium". The specification does not give a controlling definition that excludes signals from the claimed term "computer-readable medium". Thus, applying the broadest reasonable interpretation in light of the specification (paragraphs [0272]-[0279]), and taking into account the meaning of the words in their ordinary usage as they would be understood by one of ordinary skill in the art (MPEP 2111), the claim as a whole covers both transitory and non-transitory media. A transitory medium does not fall into any of the four statutory categories of invention (process, machine, manufacture, or composition of matter).
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
Claims 1-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Miriyala et al. (Pat. No.: US 11700236 B2), hereinafter "Miri".
As to claim 1. A method to perform zero trust packet routing in one or more networks, the method comprising:
accessing a policy that specifies how traffic flows through the one or more networks, wherein policy statements of the policy reference tags associated with resources of the one or more networks, wherein the tags include one or more of a first tag that identifies first data, a second tag that identifies an identity of a user, a third tag that identifies an identity of a computing resource, a fourth tag that identifies an identity of a network (Miri, column 2, lines 13-26: "a centralized controller (e.g., Software Defined Networking (SDN) controller) provides network function virtualization for a multi-tenant virtualized data center to steer network traffic of virtualized application workloads to a NGFW, such as a host-based filter (HBF). For example, a user may use the SDN controller to specify a policy to control network traffic of a virtualized application workload. The policy is expressed in terms of one or more tags that categorize one or more objects of a data model for the application workload to control network traffic between the tagged objects. For instance, a user may tag objects as applications (e.g., human resource application, finance application, sales application, etc.), application tiers (e.g., web, application, database), and other categorizations" and column 6, lines 26-33: "As described herein, a "tag" may refer to information used to categorize an object of a data model for an application workload according to a particular value or set of values. Tags may, in some examples, categorize an object based on application type, application tier (e.g., web tier, application tier, database tier), deployment (e.g., development, QA, staging, or production stage), geographic site, user, or compliance. As one example, a user may tag objects of a finance application workload, such as applications (e.g., application=finance), application tiers (e.g., tier=web, tier=application)");
determining, based on the policy, rules to enforce at enforcement points within the one or more networks (Miri, column 8, lines 1-34: "In the example of FIG. 1, the policy framework enables administrator 24 to further define the security policies to redirect network traffic to HBFs 11 to utilize functions of HBFs 11 such as IPS, IDS, AV, malware detection, and other security functions. In other words, policy controller 25 is used to manage virtual network constructs to direct traffic to HBFs 11. As one example, administrator 24 may use policy controller 25 to define a security policy to direct traffic from a web tier to an application tier of the finance application workload, and then to redirect the traffic to HBF 11A. In this example, administrator 24 may use policy controller 25 to define the security policy as: Tier=Web Tier=App all traffic to HBF. Policy controller 25 may push the security policy to distributed policy agents executing on computing devices, e.g., servers 12, that host the finance application workload. The policy agent for server 12A may apply the security policies to tagged objects that are members of categories (e.g., tier=web, tier=application) of the finance application workload to redirect traffic to HBF 11A. The policy agent for server 12A may map the tags to ports ("tags-to-port mappings") of virtual execution elements that implement the HBF. Administrator 24 (or another user) may, in some instances, use different controller that manages HBF 11A, e.g., security controller 27, to specify a function (e.g., firewall policy) of HBF 11A to be applied to network traffic of the finance application workload. Although policy controller 25 and security controller 27 is illustrated in the example of FIG. 1 as separate controllers, policy controller 25 and security controller 27 may in some instances be a single controller that manages virtual network constructs and firewall policies of HBFs 11");
distributing the rules to the enforcement points within the one or more networks (Miri, column 8, lines 15-24: "Policy controller 25 may push the security policy to distributed policy agents executing on computing devices, e.g., servers 12, that host the finance application workload. The policy agent for server 12A may apply the security policies to tagged objects that are members of categories (e.g., tier=web, tier=application) of the finance application workload to redirect traffic to HBF 11A. The policy agent for server 12A may map the tags to ports ("tags-to-port mappings") of virtual execution elements that implement the HBF" and column 11, lines 53-59: "Policy controller 25 further distributes, to respective policy agents 139 of VN agents 35, the one or more security policies. Each security policy includes one or more policy rules for controlling network traffic, such as between virtual networks 34 and to redirect traffic to a host-based filter implemented in one of VMs 36. Each policy rule specifies one or more tags, each tag further specifying one or more dimensions of the categories."); and
enforcing the rules associated with the policy at individual ones of the enforcement points, wherein enforcing the rules includes evaluating one or more layer 4 attributes and one or more layer 7 attributes (Miri, column 7, lines 60-67: "network system 2 provides a policy framework to enable users to define tag-based policies to integrate host-based services, such as HBFs 11 (e.g., L7 firewalls) with L4 firewalls. In the example of FIG. 1, HBF 11A is implemented on a virtual execution element (e.g., VM or container) hosted on server 12A. Similarly, HBF 11N is implemented on a virtual execution element hosted on server 12N" and column 9, lines 27-42: "Administrator 24 may use security controller 27 to specify a function of HBF 11A (e.g., anti-virus) to be applied to traffic of the sales application workload. In some examples, security controller 27 may learn the tenants and tags from policy controller 25 such that administrator 24 may use security controller 27 to configure one or more firewall policies for HBF 11A for the sales application workload. For example, security controller 27 may obtain information from SDN controller 23 the configuration information for an application workload running on servers 12. For example, security controller 27 may communicate with policy controller 25 to learn about tenants, virtual networks, VMs belonging to the virtual networks, and any associated tags for the sales application workload, and uses the information about tenants and tags to configure firewall policies for the HBF").
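As an added illustration (not code from the patent, the applicant, or Miri), the following Python sketch walks through the claim 1 flow the examiner maps onto Miri: a policy written against tags is resolved into concrete rules, the rules are grouped by the enforcement point that will receive them, and a packet is evaluated at that point against identity, layer 4 and layer 7 attributes with a default deny. Workload names, hosts, ports, tag values and the "redirect:hbf" action are constructed assumptions.

```python
# Added illustration (not the patent's or Miri's code): tag policy -> per-point rules -> L4/L7 enforcement.
# Constructed inventory: tagged workloads and the host (enforcement point) each one runs on.
WORKLOADS = {
    "web-1": {"host": "server12A", "tags": {"application": "finance", "tier": "web"}},
    "app-1": {"host": "server12B", "tags": {"application": "finance", "tier": "app"}},
    "db-1":  {"host": "server12B", "tags": {"application": "finance", "tier": "db"}},
}
# Constructed policy statements that reference tags rather than addresses, in the spirit of
# "Tier=Web -> Tier=App service HTTP to malware detection".
POLICY = [
    {"src": {"tier": "web"}, "dst": {"tier": "app"},
     "l4": {"proto": "tcp", "dport": 8080}, "l7": {"service": "HTTP"},
     "action": "redirect:hbf"},
    {"src": {"tier": "app"}, "dst": {"tier": "db"},
     "l4": {"proto": "tcp", "dport": 5432}, "l7": {},
     "action": "allow"},
]
DEFAULT_ACTION = "deny"  # zero trust: traffic that no rule explicitly permits is dropped

def matches(tags, selector):
    """True when every tag named in the selector is present on the object with that value."""
    return all(tags.get(k) == v for k, v in selector.items())

def compile_rules(policy=POLICY, workloads=WORKLOADS):
    """Resolve tag selectors to concrete (src, dst) pairs, grouped by the host that sees the source."""
    rules = {w["host"]: [] for w in workloads.values()}
    for stmt in policy:
        for src, sw in workloads.items():
            if not matches(sw["tags"], stmt["src"]):
                continue
            for dst, dw in workloads.items():
                if matches(dw["tags"], stmt["dst"]):
                    rules[sw["host"]].append({"src": src, "dst": dst, "l4": stmt["l4"],
                                              "l7": stmt["l7"], "action": stmt["action"]})
    return rules

def enforce(rules_at_point, packet):
    """Evaluate one packet at one enforcement point: identity, then L4, then L7 must all match."""
    for r in rules_at_point:
        if (packet["src"], packet["dst"]) != (r["src"], r["dst"]):
            continue
        if any(packet.get(k) != v for k, v in r["l4"].items()):
            continue
        if any(packet.get(k) != v for k, v in r["l7"].items()):
            continue
        return r["action"]
    return DEFAULT_ACTION
```

A packet whose L4 attributes match but whose L7 service differs from the rule falls through to the default deny, which is the property that distinguishes the combined L4/L7 evaluation from a port-only firewall.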
As to claim 2. Miri discloses the invention as in parent claim above including, wherein the enforcement points include network virtualization devices (NVDs) that include smartNICs and virtual interfaces that include gateways (Miri, FIG. 2-3, col. 21, lines 15-20: Virtual router forwarding plane 528 executes the "forwarding plane" or packet forwarding functionality of the virtual router 520 and VN agent 535 executes the "control plane" functionality of the virtual router 520. VN agent 535 may represent an example instance of any of VN agents 35 of FIG. 2-3).
As to claim 3. Miri discloses the invention as in parent claim above including, wherein enforcing the rules comprises enforcing the rules prior to a transmission of the packet to a next hop (Miri, fig.1, col.8, lines 1-5, In the example of FIG. 1, the policy framework enables administrator 24 to further define the security policies to redirect network traffic to HBFs 11 to utilize functions of HBFs 11 such as IPS, IDS, AV, malware detection, and other security functions.).
As to claim 4. Miri discloses the invention as in parent claim above including, receiving a packet at an enforcement point; and wherein enforcing the rules comprises: performing one or more rules at the enforcement point; and preventing the packet from transmission to a next hop based on a failure of at least one of the one or more rules (Miri, col.7, lines 20-50, NFGWs, such as HBFs 11A-11N (collectively, “HBFs 11”), may provide functions, such as Intrusion Prevention Systems (IPS), Intrusion Detection Systems (IDS), anti-virus (AV), malware detection, and other security functions.).
As to claim 5. Miri discloses the invention as in parent claim above including, receiving a packet at an enforcement point; determining a source of the packet; determining a destination of the packet; and wherein enforcing the rules includes preventing the packet from transmission to a next stop based, at least in part, on one or more of the source or the destination (Miri, col.7, lines 20-29, Administrator 24 may use the tags to control traffic of the sales application workload to direct traffic from a web tier to an application tier, which is then directed to a database tier. Tagged objects of the sales application workload may be used to define a security policy for the traffic, such as whether to allow or deny the traffic. SDN controller 23 may send the tag-based security policies and routing instances to servers 12 using, for example, XMPP, which installs a forwarding state into the forwarding plane of virtual routers 13.).
As to claim 6. Miri discloses the invention as in parent claim above including, associating the packet with an origin identifier prior to transmission to a next hop (Miri, col.7, lines 20-25, administrator 24 may use a policy controller 25 of the SDN controller 23 to define tags for objects of a finance application workload. For the finance application workload, administrator 24 may define an application tag (e.g., application=finance) and application tier tags (e.g., tier=web and tier=application). Administrator 24 may use the tags to control traffic of the finance application workload, such as to direct traffic from a web tier to an application tier).
As to claim 7. Miri discloses the invention as in parent claim above including, wherein determining the rules to enforce at enforcement points within the network comprises analyzing the policy and generating the rules for the enforcement points based on the analyzing (Miri, col.11, lines 55-61 and col.9, lines 24-42, security controller 27 may communicate with policy controller 25 to learn about tenants, virtual networks, VMs belonging to the virtual networks, and any associated tags for the sales application workload, and uses the information about tenants and tags to configure firewall policies for the HBF.).
As to claim 8. Miri discloses the invention as in parent claim above including, wherein, at each network hop, an individual one of the enforcement points performs the rules received from a zero trust access services (Miri, col.8, lines 1-34, administrator 24 may use policy controller 25 to define another firewall policy for different traffic of the finance application workload. For example, administrator may define a firewall policy for HBF 11A to provide malware detection for HTTP traffic of the finance application workload, as shown below: Tier=Web.fwdarw.Tier=App service HTTP to malware detection.).
As to claim 9. Miri discloses the invention as in parent claim above including, wherein enforcing the rules associated with the policy comprises generating an alert based on a failure of at least one of the rules (Miri, col.16, lines 30-40. Additionally, it is well known and customary in the art to generate failing function warnings, status, notifications and alerts, as evident by Gupta et al. (Pub. No.: US 2009/0010171 A1, fig. 4, [0022])).
As to claims 10 and 18, these claims are rejected for the same rationale as applied to claim 1 above.
As to claims 11 and 19, these claims are rejected for the same rationale as applied to claim 2 above.
As to claims 12 and 20, these claims are rejected for the same rationale as applied to claim 3 above.
As to claim 13, the claim is rejected for the same rationale as applied to claim 4 above.
As to claim 14, the claim is rejected for the same rationale as applied to claim 5 above.
As to claim 15, the claim is rejected for the same rationale as applied to claim 6 above.
As to claim 16, the claim is rejected for the same rationale as applied to claim 7 above.
As to claim 17, the claim is rejected for the same rationale as applied to claim 8 above.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Please see the attached PTO-892.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TAUQIR HUSSAIN whose telephone number is (571)270-1247. The examiner can normally be reached M-F 7:00 - 8:00 with IFP.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Brian J Gillis, can be reached at (571) 272-7952. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Tauqir Hussain/Primary Examiner, Art Unit 2446