UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

SOPHOS LIMITED AND SOPHOS INC., Petitioners

v.

FORTINET, INC., Patent Owner

U.S. Patent No. 7,966,654

Filing Date: November 22, 2005 Issue Date: June 21, 2011

Title: Computerized System and Method for Policy-Based Content Filtering

Inter Partes Review No.: (Unassigned)

PETITION FOR INTER PARTES REVIEW OF U.S. PATENT NO. 7,966,654

UNDER 35 U.S.C. §§ 311-319 AND 37 C.F.R. §§ 42.1-80, 42.100-123


TABLE OF CONTENTS

Page


I. COMPLIANCE WITH FORMAL REQUIREMENTS ................................. 1

A. Mandatory Notices Under 37 C.F.R. §§ 42.8(b)(1)-(4) ....................... 1

1. Real Party-In-Interest ................................................................. 1

2. Related Matters .......................................................................... 1

3. Lead and Backup Counsel ......................................................... 1

4. Service Information.................................................................... 2

B. Proof of Service on the Patent Owner .................................................. 2

C. Power of Attorney ................................................................................ 2

D. Standing ................................................................................................ 2

E. Fees ....................................................................................................... 3

II. STATEMENT OF PRECISE RELIEF REQUESTED .................................. 3

III. FULL STATEMENT OF REASONS FOR REQUESTED RELIEF ............ 4

A. Technology Background ...................................................................... 4

B. Summary of the ’654 Patent ................................................................. 4

C. Person of Ordinary Skill in the Art ...................................................... 5

D. Claim Construction .............................................................................. 5

E. Ground 1: Claims 1, 3, 4, 10, 12, 13, 14, 18 and 22 are Obvious under 35 U.S.C. § 103(a) (pre-AIA) in view of Taylor ....................... 6

F. Ground 2: Claims 1, 3, 10, 12, 13, 14 and 22 are Obvious under 35 U.S.C. § 103(a) (pre-AIA) in light of Sonnenberg ....................... 29

G. Ground 3: Claims 19, 20, and 28 are Obvious under 35 U.S.C. § 103(a) (pre-AIA) in light of Taylor in view of Astaro ....................... 50

H. Ground 4: Claims 4, 18-20, and 28 are Obvious under 35 U.S.C. § 103(a) (pre-AIA) in light of Sonnenberg in view of Astaro ................................................................................................. 55

IV. CONCLUSION ............................................................................................. 60


EXHIBIT LIST

Exhibit No. Description

1001 U.S. Patent No. 7,966,654 B2

1002 File history of U.S. Patent No. 7,966,654 B2

1003 Fortinet, Inc.’s Answer, Affirmative Defenses, and Counterclaims, Sophos Ltd. et al v. Fortinet, Inc., No. 14-cv-00100-GMS (D.Del.)

1004 Certificate of Service, Sophos Ltd. et al v. Fortinet, Inc., No. 14-cv-00100-GMS (D.Del.)

1005 U.S. Patent No. 7,966,654, Infringement Contentions Pursuant to Section 4(C)

1006 U.S. Patent No. 6,728,885 B1

1007 U.S. Patent No. 7,076,650 B1

1008 Astaro Security Linux V5 WebAdmin User Manual

1009 Declaration of Charles P. Pfleeger

1010 U.S. Patent No. 6,167,445

1011 U.S. Patent No. 6,574,661 B1

1012 U.S. Patent No. 6,606,708 B1

1013 U.S. Patent No. 7,284,267 B1

1014 U.S. Patent No. 7,171,440 B2


1015 U.S. Patent No. 5,835,726

1016 Computer Networks 4th edition, Andrew S. Tanenbaum, Prentice Hall, 2003

1017 Security in Computing 3rd edition, Charles P. Pfleeger and Shari Lawrence Pfleeger, Prentice Hall, 2003

1018 Advanced Programming Techniques, Hughes, C., et al, Wiley, 1978

1019 “A Network Firewall,” Ranum, M., Proceedings of the International Conference on Systems and Network Security and Management (SANS-1), November 1992

1020 “A Toolkit and Methods for Internet Firewalls,” Ranum, M. and Avolio, F., Proceedings Usenix Security Symposium, 1994

1021 “Robust TCP Stream Reassembly In the Presence of Adversaries,” Dharmapurikar, S. and Paxson, V., Proceedings Usenix Security Symposium, 2005

1022 “RFC 793 Transmission Control Protocol,” Information Sciences Institute, University of Southern California, September 1981

1023 “Guidelines on Firewalls and Firewall Policy,” NIST [National Institute of Standards and Technology] Special Publication 800-41, Jan 2002

1024 “Six Dumbest Ideas in Computer Security,” Ranum, M., Schneier on Security Blog, 9 September 2005. https://www.schneier.com/blog/archives/2005/09/marcus_ranums_t.html

1025 Cybersecurity Operations Handbook, Rittinghouse, J. and Hancock, W., Elsevier, 2003


Real parties in interest Sophos Ltd. and Sophos Inc. hereby petition for inter partes review of U.S. Patent No. 7,966,654 (the “’654 patent”) (Ex. 1001), under 35 U.S.C. §§ 311-319, 37 C.F.R. §§ 42.1-42.80 and 37 C.F.R. §§ 42.100-42.123.

I. COMPLIANCE WITH FORMAL REQUIREMENTS

A. Mandatory Notices Under 37 C.F.R. §§ 42.8(b)(1)-(4)

1. Real Party-In-Interest

Pursuant to 37 C.F.R. § 42.8(b)(1), Petitioner states that Sophos Ltd. and Sophos Inc. (“Sophos” or “Petitioner”) are the real party-in-interest.

2. Related Matters

Pursuant to 37 C.F.R. § 42.8(b)(2), Petitioner states that the ’654 patent is subject to the following civil action: Sophos Ltd. et al v. Fortinet, Inc., No. 14-cv-00100-GMS (D.Del.). See Exs. 1003-1004.

3. Lead and Backup Counsel

Pursuant to 37 C.F.R. § 42.8(b)(3), Petitioner provides the following designation of counsel:

Lead Counsel: Gianni Minutoli, Reg. No. 41,198, [email protected]. Postal and Hand Delivery Address: DLA Piper LLP (US), One Fountain Square, 11911 Freedom Drive, Suite 300, Reston, VA 20190-5602. Phone: 703-773-4045. Fax: 202-799-5125.

Backup Counsel: Ryan W. Cobb, Reg. No. 64,598, [email protected]. Postal and Hand Delivery Address: DLA Piper LLP (US), 2000 University Ave, East Palo Alto, CA 94303. Phone: 650-833-2235. Fax: 650-833-2001.

Backup Counsel: Harpreet Singh, Reg. No. 71,842, [email protected]. Postal and Hand Delivery Address: DLA Piper LLP (US), 2000 University Ave, East Palo Alto, CA 94303. Phone: 650-833-2191. Fax: 650-687-1191.

4. Service Information

Pursuant to 37 C.F.R. § 42.8(b)(4), Petitioner states that service information for lead and back-up counsel is provided in the designation of lead and back-up counsel above.

B. Proof of Service on the Patent Owner

As identified in the attached Certificate of Service, a copy of this Petition in its entirety is being served to the Patent Owner’s attorney of record at the address listed in the USPTO’s records by overnight courier pursuant to 37 C.F.R. § 42.6.

C. Power of Attorney

Powers of attorney are being filed with designation of counsel in accordance with 37 C.F.R. § 41.10(b).

D. Standing

In accordance with 37 C.F.R. § 42.104(a), Petitioner certifies that the ’654 patent is available for inter partes review and that Petitioner is not barred or estopped from requesting an inter partes review challenging the patent claims on the grounds identified in this Petition. The ’654 patent was asserted against Sophos in Fortinet’s counterclaims in connection with Civil Action No. 14-cv-00100-GMS on March 20, 2014. See Exs. 1003-1004. Under 35 U.S.C. § 315(b), this inter partes review is timely as it is being filed within 1 year of service of the counterclaims.

E. Fees

The undersigned authorizes the Director to charge the fee specified by 37 C.F.R. § 42.15(a) and any additional fees that might be due in connection with this Petition to Deposit Account No. 07-1896.

II. STATEMENT OF PRECISE RELIEF REQUESTED

In accordance with 35 U.S.C. § 311, Petitioner requests cancelation of claims 1, 3, 4, 10, 12-14, 18, 19, 20, 22, and 28 of the ’654 patent in view of the following grounds:

A. Ground 1: Claims 1, 3, 4, 10, 12, 13, 14, 18 and 22 are Obvious under 35 U.S.C. § 103(a) (pre-AIA) in view of Taylor (Ex. 1006).

B. Ground 2: Claims 1, 3, 10, 12, 13, 14 and 22 are Obvious under 35 U.S.C. § 103(a) (pre-AIA) in view of Sonnenberg (Ex. 1007).

C. Ground 3: Claims 19, 20 and 28 are Obvious under 35 U.S.C. § 103(a) (pre-AIA) in light of Taylor in view of Astaro (Ex. 1008).

D. Ground 4: Claims 18-20 and 28 are Obvious under 35 U.S.C. § 103(a) (pre-AIA) in light of Sonnenberg in view of Astaro.

III. FULL STATEMENT OF REASONS FOR REQUESTED RELIEF

A. Technology Background

A firewall is a network security measure that uses an applied rule set, or policy, to control incoming and outgoing network traffic. Ex. 1009 at ¶ 37. Three types of firewalls are packet filters, stateful inspection firewalls, and application gateways. Id. A packet filtering gateway controls access to packets based on either the packet source address, destination address, or the specific transport protocol type. Id. Stateful inspection firewalls maintain state information from one packet to the next in the network stream. Id. The application gateway controls input, output, and/or access to an application or service. Id. Application firewalls monitor the content of various network streams and can restrict or prevent access to the application or service by network traffic that fails to meet the firewall policy. By utilizing a proxy in the middle of the protocol exchange, the gateway can screen content transfer to ensure that only acceptable network streams can access the application or service. Id.

B. Summary of the ’654 Patent

The ’654 patent purports to teach methods and systems for “processing network content.” Ex. 1001 at 2:20-21. When an “incoming network connection” is received, the invention “determines the network service protocol” of the network connection and “identifies a matching policy based on the source network address, the destination network address and the network service protocol.” Id. at 2:24-28. A configuration scheme is chosen based on the matching policy and the incoming network traffic is processed according to the configuration scheme. Id. at 2:28-33.

Other aspects of the invention include a “computerized firewall system to process network traffic associated with an incoming network connection” (Id. at 2:35-36), “a firewall policy for use in connection with a computerized firewall system” (Id. at 2:47-48), “a configuration database for use in connection with a computerized firewall system” (Id. at 2:60-61), and “a firewall system for processing network traffic” (Id. at 3:1-2).

C. Person of Ordinary Skill in the Art

A person of ordinary skill in the art at the time of the alleged invention of the ’654 patent would have had a bachelor’s degree in computer science or electrical engineering, or the equivalent thereof, and four years of industry experience as a network computer system administrator, including working with network firewalls and other hardware and software appliances. Ex. 1009 at ¶ 12.

D. Claim Construction

Pursuant to 37 C.F.R. § 42.100(b) and 42.204(b)(3), this petition presents claim analysis in a manner that is consistent with the broadest reasonable construction in light of the specification. Claim terms are given their ordinary and accustomed meaning as would be understood by one of ordinary skill in the art, unless the inventor, as a lexicographer, has set forth a special meaning for a term. Multiform Desiccants, Inc. v. Medzam, Ltd., 133 F.3d 1473 (Fed. Cir. 1998); York Prods., Inc. v. Central Tractor Farm & Family Ctr., 99 F.3d 1568, 1572 (Fed. Cir. 1996).

In the ’654 patent, the inventor did not act as a lexicographer and did not provide a special meaning for any of the claim terms. Accordingly, using the broadest reasonable interpretation standard, the terms should be given their ordinary and customary meaning as understood by a person of ordinary skill in the art and consistent with the disclosure. Ex. 1009 at ¶ 43.

Petitioner notes that the claims should be construed using the broadest reasonable interpretation standard, which is applied for the purposes of inter partes review. Because the standards of claim interpretation used by the Courts in patent litigation are different from the claim interpretation standards used by the Office in claim examination proceedings (including inter partes review), Petitioner reserves the right to advocate a different claim interpretation in any other forum in accordance with the claim construction standards applied in such forum.

E. Ground 1: Claims 1, 3, 4, 10, 12, 13, 14, 18 and 22 are Obvious under 35 U.S.C. § 103(a) (pre-AIA) in view of Taylor.

U.S. Patent No. 6,728,885 to Taylor (hereinafter “Taylor”) (Ex. 1006) discloses “a firewall includ[ing] a dynamic packet filter which communicates with a proxy. The proxy registers with the dynamic packet filter for notifications of request to establish new data communication connections through physical connections between the internal and outside computer networks.” Ex. 1006 at 3:40-47.

The firewall in Taylor further includes various modules used in filtering incoming packets as depicted in Figure 2 above. The system in Taylor filters application-level content by “applying a proxy filter at the application layer to all packets received on a specific connection” and that “packet is eventually forwarded to proxy 211 to be filtered at the application layer level.” Ex. 1006 at 6:40-44; 11:46-48. The Taylor system also allows users to create “configuration files” which are used to establish specific filtering rules for the firewall. Ex. 1006 at 3:55-66.

Claim Language Exemplary Citations to Disclosure

Claim Language: 1. A computer-implemented method for processing application-level content of network service protocols, the method comprising:

Exemplary Citations to Disclosure: Taylor discloses “a method, system and computer program for providing multilevel security to a computer network” (computer-implemented method). Ex. 1006 at Abstract. Taylor further discloses that “[t]he computer program includes a first module located in an application layer…configured to examine a number of packets received by the computer network from at least one outside network…” (computer-implemented method for processing application level content of network service protocols). Ex. 1006 at Abstract. Taylor further discloses “a typical firewall 101 is placed between a Local Area Network (LAN) 103 and outside networks 111, 115” and “[i]nternal hosts 105, 107, 109 and remote hosts 119, 121 are computers, e.g., personal computers (PC) or computer workstations” (computer-implemented method for processing application level content of network service protocols). Ex. 1006 at 1:17-24. Taylor discloses, “a Transport Control Protocol (TCP) module of a TCP/IP layer in a source computer divides the file into packets of an efficient size for transmitting over the network” (network service protocols). Ex. 1006 at 1:43-46. See also id. at 1:60-63; Ex. 1006 at 8:8-10. Taylor also discloses, “[a]n application proxy does not allow direct contact between a ‘trusted’ and ‘untrusted’ networks. Each of the packets passing through this type of firewall is examined at the application layer…” (processing application level content of network service protocols). Ex. 1006 at 2:60-63. See also id. at 6:40-44; 11:46-48; See also Figs. 1-7; Ex. 1009 at ¶ 82.

Claim Language: 1.(a) receiving an incoming network connection, at a networking subsystem of a firewall device, the incoming connection being characterized by a source network address, a destination network address and a network service protocol;

Exemplary Citations to Disclosure: Taylor discloses that “[t]he method comprises the step of receiving a first communication packet on at least one network interface port from an outside network” (receiving an incoming network connection). Ex. 1006 at Abstract. Taylor discloses that the “NAT 205, DPF 207, UD-SPF, 209, TPF 215, local TCP/IP 213 and OG-DPF 217 are located in the kernel space of firewall 201” (networking subsystem of a firewall device). Ex. 1006 at 4:51-53. Taylor further discloses, “when a packet is received by NIC 203 from any one of outside networks 111, 115, the packet is associated with a corresponding port number. The packet is, then, forwarded to NAT 205 which translates the destination address of the received packet into a corresponding address of internal hosts” (the incoming connection being characterized by a source network address, a destination network address and a network service protocol). Ex. 1006 at 5:33-37. Taylor discloses that a “connection list, as the name implies, includes a list of currently active or soon to be active connections and relevant information thereof such as the source and destination addresses and the port on which the connection is or to be established” (the incoming connection being characterized by a source network address, a destination network address and a network service protocol). Ex. 1006 at 6:66-7:5. Taylor also discloses “[t]he attribute information of the packet includes: Source and destination computer addresses; Source and destination transport layer protocol numbers; Type of protocol (TCP, UDP etc.); and Port numbers of NIC 203 on which the packet was received” (receiving an incoming network connection, at a networking subsystem of a firewall device, the incoming connection being characterized by a source network address, a destination network address and a network service protocol). Ex. 1006 at 10:59-11:3. See also Ex. 1009 at ¶ 83.

Claim Language: 1.(b) determining, by the networking subsystem, the network service protocol of the incoming network connection;

Exemplary Citations to Disclosure: Taylor discloses that “DPF determines whether the received packet is a connection control packet, i.e., a SYN packet” (determining, by the networking subsystem, the network service protocol of the incoming network connection). Ex. 1006 at 5:56-58. SYN packets are a part of the Transport Control protocol as explained by Taylor: “a Transport Control Protocol (TCP) module of a TCP/IP layer in a source computer divides the file into packets” and “connection control packets include at least one connection establishing packet, e.g., a SYN packet…” (network service protocol of the incoming network connection). Ex. 1006 at 1:43-52. See also Ex. 1009 at ¶ 84.

Claim Language: 1.(c) determining, by the networking subsystem, whether to allow or deny the incoming connection by identifying a matching firewall policy based on the source network address, the destination network address and the network service protocol and applying packet-layer firewall rules associated with the matching firewall policy;

Exemplary Citations to Disclosure: Taylor discloses that, “the packet filter…examines the header information of each incoming packet and makes pass/fail decisions based on their source and destination addresses” (determining, by the networking subsystem, whether to allow or deny the incoming connection by identifying a matching firewall policy based on the source network address, the destination network address and the network service protocol). Ex. 1006 at 2:47-53. Taylor discloses, “DPF 207 further determines whether the port, i.e., the port, on which the packet was received is a registered port”, “[t]he system administrator specifies which of the ports are to be registered in a configuration information file” (applying packet-layer firewall rules associated with the matching firewall policy). Ex. 1006 at 5:67-6:6. Taylor further discloses, “[t]he rules in the configuration information file are entered by a user to set forth whether to allow data communication connections for certain physical connections. If the rule is to allow the data communication connection and forward the packets at the packet level, the dynamic packet filter creates a connection rule so as to apply the connection rule to packets having the same attribute information” (emphasis added) (applying packet-layer firewall rules associated with the matching firewall policy). Ex. 1006 at 3:54-63. Taylor also discloses “[w]hether the packet matches a user specified rule is determined by attribute information of the packet. The attribute information of the packet includes: Source and destination computer addresses; Source and destination transport layer protocol numbers; Type of protocol (TCP, UDP etc.); and Port numbers of NIC 203 on which the packet was received” (emphasis added) (determining, by the networking subsystem, whether to allow or deny the incoming connection by identifying a matching firewall policy based on the source network address, the destination network address and the network service protocol). Ex. 1006 at 10:59-11:3. See also Ex. 1009 at ¶ 85.

Claim Language: 1.(d) if the incoming connection is allowed, then:

Exemplary Citations to Disclosure: See limitation 1.(d)(i) below.

Claim Language: 1.(d)(i) redirecting the incoming network connection, by the networking subsystem, to a proxy module of one or more proxy modules within the firewall device that is configured to support the network service protocol;

Exemplary Citations to Disclosure: Taylor discloses, “when the port is registered, DPF 207 transfers attribute information of the packet to proxy” (redirecting the incoming network connection, by the networking subsystem, to a proxy module of one or more proxy modules within the firewall device). Ex. 1006 at 6:12-14. Taylor discloses that, “[p]roxy 211, upon receiving the attribute information from DPF 207, determines whether to allow the connection. If the connection is to be allowed, proxy 211 further determines which filter dynamic filter rule to apply” (redirecting the incoming network connection, by the networking subsystem, to a proxy module of one or more proxy modules within the firewall device that is configured to support the network service protocol). Ex. 1006 at 6:22-25; see also Ex. 1009 at ¶ 86.

Claim Language: 1.(d)(ii) retrieving, by the proxy module, one or more content processing configuration schemes associated with the matching firewall policy, the one or more content processing configuration schemes each including a plurality of content processing configuration settings for each of one or more network service protocols; and

Exemplary Citations to Disclosure: Taylor discloses that a “configuration file…includes various filter rules to be applied for specific connections. For example, packets received from a particular port can be subjected to the filter all rule filter, while packets received from another port can be subjected to the selective filtering rule” (retrieving, by the proxy module, one or more content processing configuration schemes associated with the matching firewall policy, the one or more content processing configuration schemes each including a plurality of content processing configuration settings for each of one or more network service protocols). Ex. 1006 at 6:44-50. Taylor discloses, “filtering rules are also possible such as not applying any filtering or applying a proxy filter at the application layer to all packets received on a specific connection” (one or more content processing configuration schemes associated with the matching firewall policy, the one or more content processing configuration schemes each including a plurality of content processing configuration settings for each of one or more network service protocols). Ex. 1006 at 6:39-43; see also Ex. 1009 at ¶ 87.

Claim Language: 1.(d)(iii) processing, by the proxy module, application-level content of a packet stream associated with the incoming network connection by

Exemplary Citations to Disclosure: Taylor discloses that “[t]he computer program includes a first module located in an application layer…configured to examine a number of packets received by the computer network from at least one outside network…” (processing, by the proxy module, application-level content of a packet stream associated with the incoming network connection). Ex. 1006 at Abstract. Taylor also discloses, “[a]n application proxy does not allow direct contact between a ‘trusted’ and ‘untrusted’ networks. Each of the packets passing through this type of firewall is examined at the application layer…” (processing, by the proxy module, application-level content of a packet stream associated with the incoming network connection). Ex. 1006 at 2:60-63. Taylor discloses, “applying a proxy filter at the application layer to all packets received on a specific connection” (processing application level content of network service protocols). Ex. 1006 at 6:40-44. Taylor also discloses, “the packet is eventually forwarded to proxy 211 to be filtered at the application layer level” (processing, by the proxy module, application-level content of a packet stream associated with the incoming network connection). Ex. 1006 at 11:46-48; see also Ex. 1009 at ¶ 88.

Claim Language: 1.(d)(iii)(A) reconstructing the application level content, including extracting and buffering content from a plurality of packets of the packet stream; and

Exemplary Citations to Disclosure: Taylor discloses, “applying a proxy filter at the application layer to all packets received on a specific connection” (processing application level content of network service protocols). Ex. 1006 at 6:40-44. Taylor also discloses, “the packet is eventually forwarded to proxy 211 to be filtered at the application layer level.” Ex. 1006 at 11:46-48. To be filtered at the application layer level, the proxy must reconstruct the application level content, including extracting and buffering content from a plurality of packets of the packet stream. See Ex. 1009 at ¶ 89.

Regarding limitation 1.(d)(iii)(A), Petitioner believes that it is inherent that in order to process and scan for “application level content”, packets received by the proxy must necessarily be reconstructed. The reconstruction of the application level content would necessarily include extracting and buffering content from a plurality of packets of the packet stream. Ex. 1009 at ¶ 90. Alternatively, one of ordinary skill in the art would understand that to process and scan for “application level content”, packets received by the proxy must necessarily be reconstructed by e.g., extracting and buffering content from a plurality of packets of the packet stream. Ex. 1009 at ¶ 91. Thus, to the extent that the Board does not determine that this limitation is disclosed by Taylor, Petitioner submits that Taylor teaches or suggests it. Id.

Claim Language Exemplary Citations to Disclosure

Claim Language: 1.(d)(iii)(B) scanning the application-level content based on the retrieved one or more content processing configuration schemes.

Exemplary Citations to Disclosure: Taylor discloses that “[t]he computer program includes a first module located in an application layer…configured to examine a number of packets received by the computer network from at least one outside network…” (scanning the application-level content based on the retrieved one or more content processing configuration schemes). Ex. 1006 at Abstract. Taylor also discloses, “[a]n application proxy does not allow direct contact between a ‘trusted’ and ‘untrusted’ networks. Each of the packets passing through this type of firewall is examined at the application layer…” (scanning the application-level content based on the retrieved one or more content processing configuration schemes). Ex. 1006 at 2:60-63. Taylor discloses, “applying a proxy filter at the application layer to all packets received on a specific connection” (processing application level content of network service protocols). Ex. 1006 at 6:40-44. Taylor also discloses, “the packet is eventually forwarded to proxy 211 to be filtered at the application layer level” (processing, by the proxy module, application-level content of a packet stream associated with the incoming network connection). Ex. 1006 at 11:46-48. Taylor discloses that a “configuration file…includes various filter rules to be applied for specific connections. For example, packets received from a particular port can be subjected to the filter all rule filter, while packets received from another port can be subjected to the selective filtering rule” (content processing configuration schemes). Ex. 1006 at 6:44-50. In filtering application level content, the proxy must scan the application level content. Ex. 1009 at ¶ 92.

Regarding limitation 1.(d)(iii)(B), Petitioner believes that it is inherent that in order to process and scan for “application level content,” packets received by the proxy must necessarily be scanned. One cannot filter content without first determining by scanning the content and comparing the scanned content with a reference (i.e., configuration scheme). Ex. 1009 at ¶ 93. Alternatively, one of ordinary skill in the art would understand that to process and scan for “application level content,” the packets must necessarily be scanned. Ex. 1009 at ¶ 94. Thus, to the extent that the Board does not determine that this limitation is disclosed by Taylor, Petitioner submits that Taylor teaches or suggests it. Id.

Claim Language Exemplary Citations to Disclosure

3. The method of claim 1, wherein during the identifying, the matching firewall policy is selected from a plurality of predefined firewall policies.

Taylor further discloses, “[t]he rules in the configuration information file are entered by a user to set forth whether to allow data communication connections for certain physical connections. If the rule is to allow the data communication connection and forward the packets at the packet level, the dynamic packet filter creates a connection rule so as to apply the connection rule to packets having the same attribute information” (the matching firewall policy is selected from a plurality of predefined firewall policies). Ex. 1006 at 3:54-63; see also Ex. 1009 at ¶ 95.

4. The method of claim 3, wherein if the plurality of predefined firewall policies does not contain the matching firewall policy, a default firewall policy is identified as the matching firewall policy.

Taylor discloses, “if a user specified rule matches with the communication establishing packet, the matched rule is applied to the packet (step 323). If no user specified rule matches the packet, a transparency is applied (step 325)” (wherein if the plurality of predefined firewall policies does not contain the matching firewall policy, a default firewall policy is identified as the matching firewall policy). Ex. 1006 at 11:6-9; see also Ex. 1009 at ¶ 96.

10. A firewall system for processing application-level content of network service protocols, the firewall system comprising:

Taylor discloses, “the invention relates to firewall technology in packet switched networks for adaptively providing a plurality of security levels” (firewall system). Ex. 1006 at 1:10-14. Taylor discloses, “[f]irewall 101 includes a combination of computer hardware and software components configured to protect LAN” (firewall system). Ex. 1006 at 1:17-19. Taylor discloses that “[t]he computer program includes a first module located in an application layer…configured to examine a number of packets received by the computer network from at least one outside network…” (processing application-level content). Ex. 1006 at Abstract. Taylor also discloses, “[a]n application proxy does not allow direct contact between a ‘trusted’ and ‘untrusted’ networks. Each of the packets passing through this type of firewall is examined at the application layer…” (processing application-level content). Ex. 1006 at 2:60-63. Taylor discloses, “applying a proxy filter at the application layer to all packets received on a specific connection” (processing application-level content). Ex. 1006 at 6:40-44. See also, Fig. 2; Ex. 1009 at ¶ 97.

10.(a) a non-transitory memory having stored therein a configuration database including a plurality of firewall policies and a plurality of content processing configuration schemes, each content processing configuration scheme of the plurality of content processing configuration schemes including a plurality of content processing configuration settings for each of a plurality of network protocols;

Taylor discloses, “[t]he computer programs are stored in a computer readable storage medium, e.g., hard disks or floppy diskettes. In operation, the computer programs are read to a random access memory to be executed by a processor. The computer readable storage medium, the random access memory and the process are preferably included in the computer of firewall 201. Alternatively, however, the computer readable storage medium can be provided by another computer or floppy diskettes. Hence, the computer programs can be downloaded from a remote computer coupled to firewall 201” (non-transitory memory). Ex. 1006 at 5:10-20. Taylor discloses that a “configuration file…includes various filter rules to be applied for specific connections. For example, packets received from a particular port can be subjected to the filter all rule filter, while packets received from another port can be subjected to the selective filtering rule” (plurality of firewall policies and a plurality of content processing configuration schemes, each content processing configuration scheme of the plurality of content processing configuration schemes including a plurality of content processing configuration settings for each of a plurality of network protocols). Ex. 1006 at 6:44-50. Taylor further discloses, “[t]he rules in the configuration information file are entered by a user to set forth whether to allow data communication connections for certain physical connections. If the rule is to allow the data communication connection and forward the packets at the packet level, the dynamic packet filter creates a connection rule so as to apply the connection rule to packets having the same attribute information” (plurality of firewall policies and a plurality of content processing configuration schemes, each content processing configuration scheme of the plurality of content processing configuration schemes including a plurality of content processing configuration settings for each of a plurality of network protocols). Ex. 1006 at 3:54-63. See Ex. 1009 at ¶ 98.

10.(b) a networking interface operable to receive a network connection;

Taylor discloses “a firewall 201 of the present invention that includes a Network Interface Card (NIC) 203 coupled to at least one outside network” (a networking interface operable to receive a network connection). Ex. 1006 at 4:27-29; see also Ex. 1009 at ¶ 99.

10.(c) one or more proxy modules each operable to support one or more network protocols of the plurality of network protocols; and

Taylor further discloses that “[t]he computer program includes a first module located in an application layer, a second module located in a network layer, and a third module located in a kernel space and configured to examine a number of packets received by the computer network from at least one outside network and to forward the number of packets to one of the first and second modules after examining the number of packets” (one or more proxy modules each operable to support one or more network protocols of the plurality of network protocols). Ex. 1006 at Abstract. Taylor further discloses, “the TCP module is a communication protocol used along with the Internet Protocol (IP) to send data in the form of packets between a source and destination computers. While the IP module performs the actual delivery of the data, the TCP module keeps track of the individual packets that a file is divided into for efficient routing through the Internet” (one or more proxy modules each operable to support one or more network protocols of the plurality of network protocols). Ex. 1006 at 1:60-65. Taylor also discloses, “[t]he term proxy designates either all of the filtering and decision making processes or individual filtering processes occurring at the user space. Proxy 211, therefore, can be referred as a one process or a plurality of processes depending upon the context in which the term appears” (one or more proxy modules each operable to support one or more network protocols of the plurality of network protocols). Ex. 1006 at 4:59-65; see also Ex. 1009 at ¶ 100.

10.(d) a networking subsystem operable to (i) receive the network connection from the networking interface,

Taylor discloses a “NAT 205, DPF 207, UD-SPF, 209, TPF 215, local TCP/IP 213 and OG-DPF 217 are located in the kernel space of firewall 201” (a networking subsystem operable to (i) receive the network connection from the networking interface). Ex. 1006 at 4:51-53. Taylor further discloses, “when a packet is received by NIC 203 from any one of outside networks 111, 115, the packet is associated with a corresponding port number. The packet is, then, forwarded to NAT 205 which translates the destination address of the received packet into a corresponding address of internal hosts” (a networking subsystem operable to (i) receive the network connection from the networking interface). Ex. 1006 at 5:33-37; see also Ex. 1009 at ¶ 101.

10.(d)(ii) apply packet-layer firewall rules associated with a firewall policy of the plurality of firewall policies that is appropriate for the network connection and

Taylor discloses that, “the packet filter…examines the header information of each incoming packet and makes pass/fail decisions based on their source and destination addresses” (apply packet-layer firewall rules associated with a firewall policy of the plurality of firewall policies that is appropriate for the network connection). Ex. 1006 at 2:47-53. Taylor discloses, “DPF 207 further determines whether the port, i.e., the port, on which the packet was received is a registered port”, “[t]he system administrator specifies which of the ports are to be registered in a configuration information file” (apply packet-layer firewall rules associated with a firewall policy of the plurality of firewall policies that is appropriate for the network connection). Ex. 1006 at 5:67-6:6. Taylor further discloses, “[t]he rules in the configuration information file are entered by a user to set forth whether to allow data communication connections for certain physical connections. If the rule is to allow the data communication connection and forward the packets at the packet level, the dynamic packet filter creates a connection rule so as to apply the connection rule to packets having the same attribute information” (emphasis added) (apply packet-layer firewall rules associated with a firewall policy of the plurality of firewall policies that is appropriate for the network connection). Ex. 1006 at 3:54-63; see also Ex. 1009 at ¶ 102.

10.(d)(iii) redirect the network connection to a proxy module of the one or more proxy modules based on a network protocol associated with the network connection if the network connection is allowed by the packet-layer firewall rules; and

Taylor discloses, “when the port is registered, DPF 207 transfers attribute information of the packet to proxy” (redirect the network connection to a proxy module of the one or more proxy modules based on a network protocol associated with the network connection if the network connection is allowed by the packet-layer firewall rules). Ex. 1006 at 6:12-14. Taylor discloses that, “[p]roxy 211, upon receiving the attribute information from DPF 207, determines whether to allow the connection. If the connection is to be allowed, proxy 211 further determines which filter dynamic filter rule to apply” (redirect the network connection to a proxy module of the one or more proxy modules based on a network protocol associated with the network connection if the network connection is allowed by the packet-layer firewall rules). Ex. 1006 at 6:22-25; see also Ex. 1009 at ¶ 103.

10.(e) wherein the proxy module processes application-level content of a packet stream associated with the network connection by

Taylor discloses that “[t]he computer program includes a first module located in an application layer…configured to examine a number of packets received by the computer network from at least one outside network…” (wherein the proxy module processes application-level content of a packet stream associated with the network connection). Ex. 1006 at Abstract. Taylor also discloses, “[a]n application proxy does not allow direct contact between a ‘trusted’ and ‘untrusted’ networks. Each of the packets passing through this type of firewall is examined at the application layer…” (wherein the proxy module processes application-level content of a packet stream associated with the network connection). Ex. 1006 at 2:60-63. Taylor discloses, “applying a proxy filter at the application layer to all packets received on a specific connection” (processing application level content of network service protocols). Ex. 1006 at 6:40-44. Taylor also discloses, “the packet is eventually forwarded to proxy 211 to be filtered at the application layer level” (wherein the proxy module processes application-level content of a packet stream associated with the network connection). Ex. 1006 at 11:46-48; see also Ex. 1009 at ¶ 104.

10.(e)(i) reconstructing the application-level content, including extracting and buffering content from a plurality of packets of the packet stream; and

Taylor discloses, “applying a proxy filter at the application layer to all packets received on a specific connection” (reconstructing the application-level content, including extracting and buffering content from a plurality of packets of the packet stream). Ex. 1006 at 6:40-44. Taylor also discloses, “the packet is eventually forwarded to proxy 211 to be filtered at the application layer level.” Ex. 1006 at 11:46-48. To be filtered at the application layer level, the proxy must reconstruct the application level content, including extracting and buffering content from a plurality of packets of the packet stream. See Ex. 1009 at ¶¶ 89-91. See also, discussion regarding limitation 1.(d)(iii)(A) above; See Ex. 1009 at ¶ 105.

10.(e)(ii) scanning the application-level content based on one or more content processing configuration schemes of the plurality of content processing configuration schemes that have been associated with the firewall policy by an administrator of the firewall system.

Taylor discloses that “[t]he computer program includes a first module located in an application layer…configured to examine a number of packets received by the computer network from at least one outside network…” (scanning the application-level content based on the retrieved one or more content processing configuration schemes). Ex. 1006 at Abstract. Taylor also discloses, “[a]n application proxy does not allow direct contact between a ‘trusted’ and ‘untrusted’ networks. Each of the packets passing through this type of firewall is examined at the application layer…” (scanning the application-level content based on the retrieved one or more content processing configuration schemes). Ex. 1006 at 2:60-63. Taylor discloses, “applying a proxy filter at the application layer to all packets received on a specific connection” (processing application level content of network service protocols). Ex. 1006 at 6:40-44. Taylor also discloses, “the packet is eventually forwarded to proxy 211 to be filtered at the application layer level” (scanning the application-level content based on one or more content processing configuration schemes of the plurality of content processing configuration schemes). Ex. 1006 at 11:46-48. Taylor discloses that a “configuration file…includes various filter rules to be applied for specific connections. For example, packets received from a particular port can be subjected to the filter all rule filter, while packets received from another port can be subjected to the selective filtering rule” (content processing configuration schemes). Ex. 1006 at 6:44-50. Taylor also discloses, “[t]he system administrator specifies which of the ports are to be registered in a configuration information file” (processing configuration schemes that have been associated with the firewall policy by an administrator of the firewall system). Ex. 1006 at 5:67-6:6. In filtering application level content, the proxy must scan the application level content. See Ex. 1009 at ¶¶ 92-94. See also, discussion regarding limitation 1.(d)(iii)(B) above; See Ex. 1009 at ¶ 106.

12. The firewall system of claim 10, wherein the processing of application-level content by the proxy module comprises applying filters to the application-level content.

Taylor discloses that “[t]he computer program includes a first module located in an application layer…configured to examine a number of packets received by the computer network from at least one outside network…” (processing of application-level content by the proxy module comprises applying filters to the application-level content). Ex. 1006 at Abstract. Taylor also discloses, “[a]n application proxy does not allow direct contact between a ‘trusted’ and ‘untrusted’ networks. Each of the packets passing through this type of firewall is examined at the application layer…” (processing of application-level content by the proxy module comprises applying filters to the application-level content). Ex. 1006 at 2:60-63. Taylor discloses, “applying a proxy filter at the application layer to all packets received on a specific connection” (processing of application-level content by the proxy module comprises applying filters to the application-level content). Ex. 1006 at 6:40-44. Taylor also discloses, “the packet is eventually forwarded to proxy 211 to be filtered at the application layer level” (processing, by the proxy module, application-level content). Ex. 1006 at 11:46-48. Taylor discloses that a “configuration file…includes various filter rules to be applied for specific connections. For example, packets received from a particular port can be subjected to the filter all rule filter, while packets received from another port can be subjected to the selective filtering rule” (content processing configuration schemes). Ex. 1006 at 6:44-50; see also Ex. 1009 at ¶ 107.

13. A non-transitory computer-readable storage medium tangibly embodying instructions, which when executed by a firewall system, cause the firewall system to perform a method for processing application-level content, the method comprising:

Taylor discloses, “The computer programs are stored in a computer readable storage medium, e.g., hard disks or floppy diskettes. In operation, the computer programs are read to a random access memory to be executed by a processor. The computer readable storage medium, the random access memory and the process are preferably included in the computer of firewall 201. Alternatively, however, the computer readable storage medium can be provided by another computer or floppy diskettes. Hence, the computer programs can be downloaded from a remote computer coupled to firewall 201” (non-transitory memory). Ex. 1006 at 5:10-20. Taylor discloses, “[t]his invention relates to providing security in communication networks. In particular, the invention relates to firewall technology in packet switched networks for adaptively providing a plurality of security levels” (firewall system). Ex. 1006 at 1:10-14. Taylor discloses that “[t]he computer program includes a first module located in an application layer…configured to examine a number of packets received by the computer network from at least one outside network…” (processing of application-level content by the proxy module comprises applying filters to the application-level content). Ex. 1006 at Abstract. Taylor also discloses, “[a]n application proxy does not allow direct contact between a ‘trusted’ and ‘untrusted’ networks. Each of the packets passing through this type of firewall is examined at the application layer…” (processing of application-level content by the proxy module comprises applying filters to the application-level content). Ex. 1006 at 2:60-63; see also Ex. 1009 at ¶ 108.

Taylor also renders obvious limitations 13.(a) to 13.(c)(iii)(B):

Claim Language Exemplary Citations to Disclosure

13.(a) determining, by a networking subsystem of the firewall system, the network service protocol of the incoming network connection, the incoming connection being characterized by a source network address, a destination network address and a network service protocol;

See claim limitations 1.(a) and 1.(b). See also Ex. 1009 at ¶ 109.

13.(b) determining, by the networking subsystem, whether to allow or deny the incoming connection by identifying a matching firewall policy based on the source network address, the destination network address and the network service protocol and applying packet-layer firewall rules associated with the matching firewall policy;

See claim limitation 1.(c).

13.(c) if the incoming connection is allowed, then:

See claim limitation 1.(d).

13.(c)(i) redirecting the incoming network connection, by the networking subsystem, to a proxy module of one or more proxy modules of the firewall system that is configured to support the network service protocol;

See claim limitation 1.(d)(i).

13.(c)(ii) retrieving, by the proxy module, one or more content processing configuration schemes associated with the matching firewall policy, the one or more content processing configuration schemes each including a plurality of content processing configuration settings for each of one or more network service protocols; and

See claim limitation 1.(d)(ii).

13.(c)(iii) processing, the proxy module, application-level content of a packet stream associated with the incoming network connection by

See claim limitation 1.(d)(iii).

13.(c)(iii)(A) reconstructing the application level content, including extracting and buffering content from a plurality of packets of the packet stream; and

See claim limitation 1.(d)(iii)(A).

13.(c)(iii)(B) scanning the application-level content based on the retrieved one or more content processing configuration schemes.

See claim limitation 1.(d)(iii)(B).

Taylor also renders obvious claims 14 and 18:

Claim Language Exemplary Citations to Disclosure

14. The computer-readable storage medium of claim 13, wherein the network service protocol comprises at least one of a group consisting of HyperText Transfer Protocol (HTTP), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Post Office Protocol 3 (POP3), Internet Message Access Protocol (IMAP) and Server Message Block/Common Internet File System (SMB/CIFS).

Taylor discloses, “[f]or instance, this rule is useful for protocols such as File Transfer Protocol (FTP), which sends data packets on a different connection after establishing the connection. Other filtering rules are also possible such as not applying any filtering or applying a proxy filter at the application layer to all packets received on a specific connection” (wherein the network service protocol comprises File Transfer Protocol (FTP)). Ex. 1006 at 6:37-40. See also Ex. 1009 at ¶ 110.

18. The computer-readable storage medium of claim 13, wherein the method further comprises authenticating a user associated with the incoming connection and rejecting the incoming connection if the authentication is unsuccessful.

Taylor discloses, “[t]he most common firewall features include: securing internal network 103 access with a perimeter defense, controlling all connections into and out of internal network 103, filtering packets according to previously defined rules, “authenticating” or making sure users and applications are permitted to access resources, logging of activities, and actively notifying the appropriate people when suspicious events occur” (authenticating a user associated with the incoming connection and rejecting the incoming connection if the authentication is unsuccessful). Ex. 1006 at 2:35-44; see also Ex. 1009 at ¶ 111.

Taylor also renders obvious limitations 22.(a) to 22.(c)(iv):

Claim Language Exemplary Citations to Disclosure

22. The method of claim 1, further comprising: (a) receiving, by the networking subsystem, a second incoming network connection associated with a second network service protocol that is different from the network service protocol;

See claim limitation 1.(a). See also Ex. 1009 at ¶ 112.

22.(b) determining, by the networking subsystem, whether to allow or deny the second incoming connection based on the matching firewall policy and applying packet-layer firewall rules associated with the matching firewall policy;

See claim limitation 1.(c).

22.(c) if the second incoming connection is allowed, then:

See claim limitation 1.(d).

22.(c)(i) redirecting the second incoming network connection to a second proxy module of one or more proxy modules within the firewall device that is configured to support the second network service protocol;

See claim limitation 1.(d)(i).


22.(c)(ii) retrieving, by the second proxy module, the one or more content processing configuration schemes associated with the matching firewall policy; and

See claim limitation 1.(d)(ii).

22.(c)(iii) processing, by the second proxy module, application-level content of a packet stream associated with the second incoming network connection by

See claim limitation 1.(d)(iii).

22.(c)(iii)(A) reconstructing the application-level content of the packet stream associated with the second incoming network connection, including extracting and buffering content from a plurality of packets of the packet stream; and

See claim limitation 1.(d)(iii)(A).

22.(c)(iii)(B) scanning the application-level content of the packet stream associated with the second incoming network connection based on the retrieved one or more content processing configuration schemes; and

See claim limitation 1.(d)(iii)(B).

22.(c)(iv) wherein the plurality of content processing configuration settings for the network service protocol are different from the plurality of content processing configuration settings for the second network service protocol.

See claim limitations 1.(a) and 1.(d)(iii). Taylor’s proxy rules are different from each other. Ex. 1009 at ¶ 113.
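The claim elements mapped throughout the charts above (policy selection with a default policy, redirection to a per-protocol proxy, retrieval of the content processing configuration scheme tied to that policy, reconstruction of content from several packets, and scanning against per-protocol settings that differ between protocols) can be illustrated as one small program. The following is an added illustration written for this page; it is not code from the ’654 patent, from Taylor, from Sonnenberg or from the petition, and every policy, scheme, address and packet in it is a constructed sample.

```python
"""Added illustration of the claimed policy-based content-filtering flow.
Not code from the '654 patent, Taylor, Sonnenberg or this petition; all
policies, schemes, addresses and packets below are constructed samples."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Connection:
    """Incoming connection as characterized in limitation 1.(a)."""
    src: str
    dst: str
    protocol: str  # network service protocol, e.g. "HTTP" or "SMTP"


@dataclass(frozen=True)
class FirewallPolicy:
    name: str
    src: Optional[str]        # None acts as a wildcard
    dst: Optional[str]
    protocol: Optional[str]
    action: str               # packet-layer rule outcome: "allow" or "deny"
    schemes: Tuple[str, ...]  # schemes associated with the policy by the administrator


# Content processing configuration schemes: one set of settings per protocol
# (10.(a)); the HTTP and SMTP settings deliberately differ (22.(c)(iv)).
SCHEMES: Dict[str, Dict[str, dict]] = {
    "strict": {
        "HTTP": {"block_patterns": [b"<script"], "max_body": 64},
        "SMTP": {"block_patterns": [b"X-Test-Marker"], "max_body": 256},
    },
}

POLICIES = [
    FirewallPolicy("web-in", None, "10.0.0.5", "HTTP", "allow", ("strict",)),
    FirewallPolicy("mail-in", None, "10.0.0.6", "SMTP", "allow", ("strict",)),
]
DEFAULT_POLICY = FirewallPolicy("default-deny", None, None, None, "deny", ())


def identify_policy(conn: Connection) -> FirewallPolicy:
    """Claims 1.(c), 3 and 4: pick the matching predefined policy by source
    address, destination address and protocol; fall back to the default."""
    for pol in POLICIES:
        pairs = ((pol.src, conn.src), (pol.dst, conn.dst), (pol.protocol, conn.protocol))
        if all(want is None or want == have for want, have in pairs):
            return pol
    return DEFAULT_POLICY


def reconstruct(packets: List[Tuple[int, bytes]]) -> bytes:
    """1.(d)(iii)(A): extract payloads from several packets, buffer them by
    sequence number (retransmitted duplicates collapse) and join in order."""
    buffered: Dict[int, bytes] = {}
    for seq, payload in packets:
        buffered[seq] = payload
    return b"".join(buffered[seq] for seq in sorted(buffered))


def scan(content: bytes, settings: dict) -> List[str]:
    """1.(d)(iii)(B): scan the reconstructed content against one scheme's settings."""
    findings: List[str] = []
    if len(content) > settings["max_body"]:
        findings.append("max_body exceeded")
    findings += [f"pattern {pat!r}" for pat in settings["block_patterns"] if pat in content]
    return findings


class Proxy:
    """One proxy module per supported protocol (10.(c))."""

    def __init__(self, protocol: str) -> None:
        self.protocol = protocol

    def process(self, policy: FirewallPolicy, packets: List[Tuple[int, bytes]]) -> List[str]:
        content = reconstruct(packets)
        findings: List[str] = []
        # 1.(d)(ii): retrieve the schemes tied to the matching policy and use
        # this protocol's settings from each of them.
        for scheme in policy.schemes:
            findings += scan(content, SCHEMES[scheme][self.protocol])
        return findings


PROXIES = {"HTTP": Proxy("HTTP"), "SMTP": Proxy("SMTP")}


def handle_connection(conn: Connection, packets: List[Tuple[int, bytes]]) -> dict:
    """Networking subsystem: identify the policy, apply its packet-layer rule,
    then redirect to the protocol's proxy (1.(d)(i)) for content processing."""
    policy = identify_policy(conn)
    proxy = PROXIES.get(conn.protocol)
    if policy.action != "allow" or proxy is None:
        return {"policy": policy.name, "verdict": "deny", "findings": []}
    findings = proxy.process(policy, packets)
    return {"policy": policy.name,
            "verdict": "block" if findings else "pass",
            "findings": findings}


if __name__ == "__main__":
    # Constructed sample: HTTP response arriving out of order with an inline script.
    web = Connection("203.0.113.9", "10.0.0.5", "HTTP")
    print(handle_connection(web, [(2, b"<script>alert(1)</script>"),
                                  (1, b"HTTP/1.1 200 OK\r\n\r\n")]))
```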

F. Ground 2: Claims 1, 3, 10, 12, 13, 14 and 22 are Obvious under 35 U.S.C. § 103(a) (pre-AIA) in light of Sonnenberg.

U.S. Patent No. 7,076,650 to Sonnenberg (hereinafter “Sonnenberg”) (Ex. 1007) discloses a “system and methods … for scanning a communication that is received at a firewall.” Ex. 1007 at 2:9-12.

The Sonnenberg system includes a firewall 102 having “proxies relating to different types of communications (e.g., differentiated by protocol) that the firewall will handle. Thus, in the illustrated embodiment firewall 102 includes FTP (File Transfer Protocol) proxy 150, HTTP (HyperText Transport Protocol) 152 and an additional proxy 154.” Id. at 5:31-36.

According to Sonnenberg, “firewall 102 examines communications (e.g., individual or sequences of packets, frames, etc.) received at the firewall and, based on firewall rules 102a, forwards to each installed and enabled proxy those communications that match its type and that are permitted to transit the firewall.” Ex. 1007 at 5:44-49. “Different proxies may be configured to handle different types of communications (e.g., FTP, HTTP, SMTP).” Id. at 2:25-27. According to Sonnenberg, “a proxy is also configured to scan the communications it handles for target content such as computer viruses, programming objects (e.g., ActiveX controls, Java applets), or general content such as pornography, advertisements, etc.” Id. at 2:27-31 (emphasis added). Each proxy has its own set of rules for processing the target content (i.e., application level content). Id. at 5:58-67; 14:8-30 (“In state 506 the FTP proxy examines its own rules to ensure that the desired FTP connection is permissible. … In state 512 the FTP proxy applies its rules.”); Fig. 5.

Claim Language Exemplary Citations to Disclosure

1. A computer-implemented method for processing application-level content of network service protocols, the method comprising:

Sonnenberg discloses a “method and apparatus are provided for cooperatively and dynamically sharing a proxy's burden of scanning communications for target content. A network of computer nodes is connected to a firewall through which pass communications with entities external to the network. The firewall includes one or more proxies to facilitate network users' connections with the external entities. The firewall and one or more of the nodes include software modules for scanning one or more types (e.g., FTP, HTTP, SMTP) of communications for particular information or types of data (e.g., computer viruses, ActiveX components, pornography, text)” (method for processing application level content of network service protocols). Ex. 1007 at Abstract. Sonnenberg discloses that “[f]or example, the methods described herein may be implemented in software executing on a computer system…” (computer-implemented method). Ex. 1007 at 3:62-64. See also Figs. 1A, 1B and 5; Ex. 1009 at ¶ 114.


1.(a) receiving an incoming network connection, at a networking subsystem of a firewall device, the incoming connection being characterized by a source network address, a destination network address and a network service protocol;

Sonnenberg discloses that “[i]n the illustrated embodiment of the invention firewall 102 examines communications (e.g., individual or sequences of packets, frames, etc.) received at the firewall and, based on firewall rules 102a, forwards to each installed and enabled proxy those communications that match its type and that are permitted to transit the firewall” (receiving an incoming network connection at a networking subsystem of a firewall device). Ex. 1007 at 5:44-49. Sonnenberg discloses that “[w]ithin a particular type of communication, however, attributes and criteria such as the following may be used to decide where a communication is scanned: … the source or destination of the communication (e.g., which node in the network, as determined by an IP address); …etc. One skilled in the art will appreciate that this is merely a listing of sample criteria and communication attributes that may be examined. In alternative embodiments of the invention other criteria and attributes may be used” (the incoming connection being characterized by a source network address, a destination network address and a network service protocol). Ex. 1007 at 7:5-27. See also Figs. 1B and 5; Ex. 1009 at ¶ 115.

1.(b) determining, by the networking subsystem, the network service protocol of the incoming network connection;

Sonnenberg discloses that “[i]n this embodiment firewall 102 includes proxies relating to different types of communications (e.g., differentiated by protocol) that the firewall will handle. Thus, in the illustrated embodiment firewall 102 includes FTP (File Transfer Protocol) proxy 150, HTTP (HyperText Transport Protocol) 152 and an additional proxy 154. Proxy 154 may represent another communication protocol (e.g., SMTP (Simple Mail Transport Protocol)) or may be a "plug" proxy configured to receive and/or establish connections for a particular application or communication service (e.g., AOL) operating on a node within the organization's network” (the network service protocol of the incoming network connection). Ex. 1007 at 5:31-41. Sonnenberg discloses that “[i]n the illustrated embodiment of the invention firewall 102 examines communications (e.g., individual or sequences of packets, frames, etc.) received at the firewall and, based on firewall rules 102a, forwards to each installed and enabled proxy those communications that match its type and that are permitted to transit the firewall. Illustratively, firewall rules 102a comprise a set of guidelines or instructions the firewall applies to determine whether to accept, reject or otherwise manipulate a particular communication. In particular, the firewall rules may specify what to do with each type of communication it receives. Thus, all FTP requests and responses concerning file accesses may be provided to FTP proxy 150 while HTTP proxy 152 receives HTTP communications” (determining, by the networking subsystem, the network service protocol of the incoming network connection). Ex. 1007 at 5:44-57; see also Ex. 1009 at ¶ 116.

1.(c) determining, by the networking subsystem, whether to allow or deny the incoming connection by identifying a matching firewall policy based on the source network address, the destination network address and the network service protocol and applying packet-layer firewall rules associated with the matching firewall policy;

Sonnenberg discloses that “[i]n the illustrated embodiment of the invention firewall 102 examines communications (e.g., individual or sequences of packets, frames, etc.) received at the firewall and, based on firewall rules 102a, forwards to each installed and enabled proxy those communications that match its type and that are permitted to transit the firewall. Illustratively, firewall rules 102a comprise a set of guidelines or instructions the firewall applies to determine whether to accept, reject or otherwise manipulate a particular communication” (determining, by the networking subsystem, whether to allow or deny the incoming connection by identifying a matching firewall policy). Ex. 1007 at 5:44-57. Sonnenberg discloses that “[v]arious criteria, rules and attributes of the communications to be scanned may be used to partition the communication scanning duties between a firewall and a computer node. Illustratively, the criteria, rules and attributes are stored by the proxy (e.g., as rules/criteria 150a for FTP proxy 150 in FIG. 1B) and/or the firewall (e.g., in firewall rules 102a). In one embodiment of the invention, responsibility for different types (e.g., FTP, HTTP, SMTP) of communications is, as described above, divided among different proxies in the firewall. Within a particular type of communication, however, attributes and criteria such as the following may be used to decide where a communication is scanned: … the source or destination of the communication (e.g., which node in the network, as determined by an IP address); …etc.” (determining, by the networking subsystem, whether to allow or deny the incoming connection by identifying a matching firewall policy based on the source network address, the destination network address and the network service protocol and applying packet-layer firewall rules associated with the matching firewall policy). Ex. 1007 at 7:5-24; see also Ex. 1009 at ¶ 117.

1.(d) if the incoming connection is allowed, then:

See limitation 1.(d)(i) below.

1.(d)(i) redirecting the incoming network connection, by the networking subsystem, to a proxy module of one or more proxy modules within the firewall device that is configured to support the network service protocol;

Sonnenberg discloses “In state 504 the firewall receives the connection request. … If the firewall has no rule against allowing the connection to proceed, it forwards the request to the appropriate (i.e., FTP) proxy. … In state 508 a communication containing the requested file is received at the firewall from the external entity. In state 510 the firewall again checks its rules, this time for incoming communications, to determine if the communication is allowable… In state 510 the firewall forwards the communication to the FTP proxy because it is an FTP communication.” Ex. 1007 at 14:8-29. See also id. at 5:31-36; Figs. 1B, 5; Ex. 1009 at ¶ 118.

1.(d)(ii) retrieving, by the proxy module, one or more content processing configuration schemes associated with the matching firewall policy, the one or more content processing configuration schemes each including a plurality of content processing configuration settings for each of one or more network service protocols; and

Sonnenberg discloses retrieving, by the proxy module, one or more content processing configuration schemes associated with the matching firewall policy: “As explained further below, each proxy may include a set of rules or criteria concerning whether and how the proxy should manipulate a communication. A proxy may, for example, be configured to allow or disallow communications through the firewall that relate to certain commands or actions (e.g., downloading a large image file, uploading a file from an internal node to an external entity). A proxy's rules may also specify whether the proxy should scan a communication that matches a specified type or that exhibits a particular attribute”. Ex. 1007 at 5:58-67. “In state 506 the FTP proxy examines its own rules to ensure that the desired FTP connection is permissible. If its rules allow, the proxy establishes a connection to the external entity on behalf of the requesting node, without revealing details of the node to the external entity. … In state 512 the FTP proxy applies its rules” (the one or more content processing configuration schemes each including a plurality of content processing configuration settings for each of one or more network service protocols). Ex. 1007 at 14:8-30. See also Figs. 1B and 5; Ex. 1009 at ¶ 119.

1.(d)(iii) processing, by the proxy module, application-level content of a packet stream associated with the incoming network connection by

Sonnenberg discloses that “[i]n this embodiment a firewall protects a network of user computer nodes and has one or more proxy modules installed. A proxy may be configured to establish connections or handle communications to external entities on behalf of internal network nodes. Different proxies may be configured to handle different types of communications (e.g., FTP, HTTP, SMTP). In this embodiment a proxy is also configured to scan the communications it handles for target content such as computer viruses, programming objects (e.g., ActiveX controls, Java applets), or general content such as pornography, advertisements, etc.” (processing, by the proxy module, application-level content of a packet stream associated with the incoming network connection). Ex. 1007 at 2:21-31. Sonnenberg also discloses that “[e]ach proxy is configured to handle communications of a particular type (e.g., a specific network or communication protocol) and decide whether to allow or disallow a communication based on predetermined criteria. One or more proxies are also configured to scan a communication for viruses, specified programming objects (e.g., ActiveX controls), other content (e.g., pornographic data) that is desirable or undesirable, etc.” (processing, by the proxy module, application-level content of a packet stream associated with the incoming network connection). Ex. 1007 at 4:19-26. See also id. at 14:8-15:7; Figs. 1B and 5; Ex. 1009 at ¶ 120.

1.(d)(iii)(A) reconstructing the application level content, including extracting and buffering content from a plurality of packets of the packet stream; and

Sonnenberg discloses that “[i]n this embodiment a proxy is also configured to scan the communications it handles for target content such as computer viruses, programming objects (e.g., ActiveX controls, Java applets), or general content such as pornography, advertisements, etc.” (application level content). Ex. 1007 at 2:27-31. In order to scan for “target content” (i.e., application level content), the proxy must reconstruct the application level content, including extracting and buffering content from a plurality of packets of the packet stream. Ex. 1009 at ¶ 121. See also Ex. 1007 at 14:30-48; Figs. 1B and 5.

Petitioner believes that it is inherent that in order to process and scan for “application level content,” packets received by the proxy must necessarily be reconstructed. The reconstruction of the application level content (i.e., the “target content” described in Sonnenberg) would necessarily include extracting and buffering content from a plurality of packets of the packet stream. Ex. 1009 at ¶ 122. Alternatively, one of ordinary skill in the art would understand that to process and scan for “application level content”, packets received by the proxy must necessarily be reconstructed by, e.g., extracting and buffering content from a plurality of packets of the packet stream. Ex. 1009 at ¶ 123. Thus, to the extent that the Board does not determine that this limitation is disclosed by Sonnenberg, Petitioner submits that Sonnenberg teaches or suggests it. Id.
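As an added illustration (not code from the petition, from the '654 patent or from Sonnenberg), the following Python model walks the sequence of claim 1 on a constructed connection: packet-layer policy match on source address, destination address and protocol, redirect to the protocol's proxy module, retrieval of the content processing configuration schemes an administrator associated with the matching policy, then reconstruction and scanning. Its last step shows why the inherency argument above holds: a signature split across two packets is invisible to per-packet inspection and is found only after the payloads are buffered and reassembled. All policies, schemes, addresses, protocol names and the signature string are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Settings = Dict[str, List[bytes]]   # one protocol's content processing settings

@dataclass(frozen=True)
class Packet:
    seq: int        # position of this packet in the stream
    payload: bytes

@dataclass(frozen=True)
class Connection:
    """Incoming connection characterized by source, destination and protocol."""
    src: str
    dst: str
    proto: str      # network service protocol: "HTTP", "FTP", "SMTP"
    packets: List[Packet]

@dataclass(frozen=True)
class Scheme:
    """Content processing configuration scheme: settings keyed by protocol."""
    name: str
    settings: Dict[str, Settings]

@dataclass(frozen=True)
class Policy:
    """Firewall policy: packet-layer match plus administrator-chosen schemes."""
    name: str
    src_net: str
    dst_net: str
    proto: str                 # "ANY" matches every protocol
    action: str                # "allow" or "deny"
    schemes: Tuple[str, ...]   # scheme names associated with this policy

# Constructed configuration database (placeholders, not from the patent).
SCHEMES = {
    "av-strict": Scheme("av-strict", {
        "HTTP": {"signatures": [b"CONSTRUCTED-TEST-SIGNATURE"]},
        "FTP": {"signatures": [b"CONSTRUCTED-TEST-SIGNATURE"]},
    }),
}
POLICIES = [  # ordered; first match wins; no match is an implicit deny
    Policy("guest-no-ftp", "10.200.0.0/16", "0.0.0.0/0", "FTP", "deny", ()),
    Policy("lan-to-internet", "10.0.0.0/8", "0.0.0.0/0", "ANY", "allow", ("av-strict",)),
]
PROXY_MODULES = {"HTTP", "FTP", "SMTP"}   # protocols with an installed proxy

def match_policy(src: str, dst: str, proto: str) -> Optional[Policy]:
    """Identify the matching policy from the connection's src, dst and protocol."""
    for pol in POLICIES:
        if (ip_address(src) in ip_network(pol.src_net)
                and ip_address(dst) in ip_network(pol.dst_net)
                and pol.proto in ("ANY", proto)):
            return pol
    return None

def reconstruct(packets: List[Packet]) -> bytes:
    """Rebuild application-level content: order packets by seq (they may arrive
    out of order) and buffer their payloads into one contiguous stream."""
    return b"".join(p.payload for p in sorted(packets, key=lambda p: p.seq))

def scan(content: bytes, settings: Settings) -> List[bytes]:
    """Return every signature from the scheme settings that occurs in content."""
    return [sig for sig in settings["signatures"] if sig in content]

def scan_per_packet(packets: List[Packet], settings: Settings) -> List[bytes]:
    """Naive per-packet scan, for contrast: misses matches that straddle packets."""
    hits: List[bytes] = []
    for p in packets:
        hits.extend(scan(p.payload, settings))
    return hits

def process_connection(conn: Connection) -> Tuple[str, List[bytes]]:
    """Claim 1 sequence: policy match -> packet-layer allow/deny -> redirect to
    the protocol's proxy -> retrieve the policy's schemes -> reconstruct -> scan."""
    policy = match_policy(conn.src, conn.dst, conn.proto)
    if policy is None or policy.action != "allow":
        return "denied", []                       # packet-layer rules reject it
    if conn.proto not in PROXY_MODULES:
        return "denied", []                       # no proxy supports the protocol
    content = reconstruct(conn.packets)           # the proxy rebuilds the stream
    hits: List[bytes] = []
    for name in policy.schemes:                   # schemes tied to this policy
        settings = SCHEMES[name].settings.get(conn.proto)
        if settings:
            hits.extend(scan(content, settings))
    return ("blocked", hits) if hits else ("allowed", [])

# Constructed HTTP response: the signature straddles the packet boundary and the
# packets arrive out of order, so only the reassembled stream reveals it.
SAMPLE_CONN = Connection("10.1.2.3", "203.0.113.10", "HTTP", [
    Packet(2, b"-SIGNATURE\r\n</body>"),
    Packet(1, b"HTTP/1.1 200 OK\r\n\r\n<body>CONSTRUCTED-TEST"),
])
```

Calling scan_per_packet on SAMPLE_CONN.packets returns no hits, while process_connection(SAMPLE_CONN) returns a "blocked" verdict with the reassembled signature.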

Claim Language Exemplary Citations to Disclosure

1.(d)(iii)(B) scanning the application-level content based on the retrieved one or more content processing configuration schemes.

Sonnenberg discloses scanning the application-level content based on the retrieved one or more content processing configuration schemes: “In this embodiment a proxy is also configured to scan the communications it handles for target content such as computer viruses, programming objects (e.g., ActiveX controls, Java applets), or general content such as pornography, advertisements, etc.” Ex. 1007 at 2:27-31. “Each proxy is configured to handle communications of a particular type (e.g., a specific network or communication protocol) and decide whether to allow or disallow a communication based on predetermined criteria. One or more proxies are also configured to scan a communication for viruses, specified programming objects (e.g., ActiveX controls), other content (e.g., pornographic data) that is desirable or undesirable, etc.” Ex. 1007 at 4:19-26. See id. at 14:8-48; Figs. 1B and 5; Ex. 1009 at ¶ 123.

3. The method of claim 1, wherein during the identifying, the matching firewall policy is selected from a plurality of predefined firewall policies.

Sonnenberg discloses that “[i]n the illustrated embodiment of the invention firewall 102 examines communications (e.g., individual or sequences of packets, frames, etc.) received at the firewall and, based on firewall rules 102a, forwards to each installed and enabled proxy those communications that match its type and that are permitted to transit the firewall. Illustratively, firewall rules 102a comprise a set of guidelines or instructions the firewall applies to determine whether to accept, reject or otherwise manipulate a particular communication. In particular, the firewall rules may specify what to do with each type of communication it receives. Thus, all FTP requests and responses concerning file accesses may be provided to FTP proxy 150 while HTTP proxy 152 receives HTTP communications.” Ex. 1007 at 5:44-57; see also Ex. 1009 at ¶ 124.

10. A firewall system for processing application-level content of network service protocols, the firewall system comprising:

Sonnenberg discloses “[a] method and apparatus are provided for cooperatively and dynamically sharing a proxy's burden of scanning communications for target content. A network of computer nodes is connected to a firewall through which pass communications with entities external to the network. The firewall includes one or more proxies to facilitate network users' connections with the external entities. The firewall and one or more of the nodes include software modules for scanning one or more types (e.g., FTP, HTTP, SMTP) of communications for particular information or types of data (e.g., computer viruses, ActiveX components, pornography, text)” (a firewall system for processing application-level content of network service protocols). Ex. 1007 at abstract. “In particular, FIGS. 1A 1B demonstrate one system in which a communication is selectively scanned (e.g., for viruses and/or other desired or undesired content) at either a server (e.g., firewall) or an individual computer node that is the destination of the communication” (a firewall system for processing application-level content of network service protocols). Ex. 1007 at 4:51-55. See also Figs. 1A, 1B and 5; Ex. 1009 at ¶ 125.

10.(a) a non-transitory memory having stored therein a configuration database including a plurality of firewall policies and a plurality of content processing configuration schemes, each content processing configuration scheme of the plurality of content processing configuration schemes including a plurality of content processing configuration settings for each of a plurality of network protocols;

Sonnenberg discloses a configuration database including a plurality of firewall policies and a plurality of content processing configuration schemes. Ex. 1009 at ¶ 126. Sonnenberg discloses that “[t]he program environment in which a present embodiment of the invention is executed illustratively incorporates a general-purpose computer or a special purpose device such as a hand-held computer. Details of such devices (e.g., processor, memory, data storage and display) are well known and are omitted for the sake of clarity” (a non-transitory memory). Ex. 1007 at 3:54-59. Sonnenberg discloses that “[i]n the illustrated embodiment of the invention firewall 102 examines communications (e.g., individual or sequences of packets, frames, etc.) received at the firewall and, based on firewall rules 102a, forwards to each installed and enabled proxy those communications that match its type and that are permitted to transit the firewall. Illustratively, firewall rules 102a comprise a set of guidelines or instructions the firewall applies to determine whether to accept, reject or otherwise manipulate a particular communication. In particular, the firewall rules may specify what to do with each type of communication it receives. Thus, all FTP requests and responses concerning file accesses may be provided to FTP proxy 150 while HTTP proxy 152 receives HTTP communications” (plurality of firewall policies). Ex. 1007 at 5:44-57. Sonnenberg discloses “As explained further below, each proxy may include a set of rules or criteria concerning whether and how the proxy should manipulate a communication. A proxy may, for example, be configured to allow or disallow communications through the firewall that relate to certain commands or actions (e.g., downloading a large image file, uploading a file from an internal node to an external entity). A proxy's rules may also specify whether the proxy should scan a communication that matches a specified type or that exhibits a particular attribute” (each content processing configuration scheme of the plurality of content processing configuration schemes including a plurality of content processing configuration settings for each of a plurality of network protocols). Ex. 1007 at 5:58-67. Sonnenberg discloses that “[v]arious criteria, rules and attributes of the communications to be scanned may be used to partition the communication scanning duties between a firewall and a computer node. Illustratively, the criteria, rules and attributes are stored by the proxy (e.g., as rules/criteria 150a for FTP proxy 150 in FIG. 1B) and/or the firewall (e.g., in firewall rules 102a). In one embodiment of the invention, responsibility for different types (e.g., FTP, HTTP, SMTP) of communications is, as described above, divided among different proxies in the firewall. Within a particular type of communication, however, attributes and criteria such as the following may be used to decide where a communication is scanned: … the source or destination of the communication (e.g., which node in the network, as determined by an IP address); …etc.” (each content processing configuration scheme of the plurality of content processing configuration schemes including a plurality of content processing configuration settings for each of a plurality of network protocols). Ex. 1007 at 7:5-24; see also Ex. 1009 at ¶ 126.

10.(b) a networking interface operable to receive a network connection;

Sonnenberg discloses that “[i]n a system employing one embodiment of the invention a firewall operates astride a communication link between an organization's network (e.g., a LAN) and external networks and computer systems (e.g., the Internet). The firewall includes one or more proxy modules to handle certain types of communications passing through the firewall. Each proxy is configured to handle communications of a particular type (e.g., a specific network or communication protocol) and decide whether to allow or disallow a communication based on predetermined criteria. One or more proxies are also configured to scan a communication for viruses, specified programming objects (e.g., ActiveX controls), other content (e.g., pornographic data) that is desirable or undesirable, etc.” Ex. 1007 at 4:12-26; see also Ex. 1009 at ¶ 127.

10.(c) one or more proxy modules each operable to support one or more network protocols of the plurality of network protocols; and

Sonnenberg discloses that “[i]n this embodiment firewall 102 includes proxies relating to different types of communications (e.g., differentiated by protocol) that the firewall will handle. Thus, in the illustrated embodiment firewall 102 includes FTP (File Transfer Protocol) proxy 150, HTTP (HyperText Transport Protocol) 152 and an additional proxy 154.” Ex. 1007 at 5:31-36. See also Figs. 1B and 5; Ex. 1009 at ¶ 128.

10.(d) a networking subsystem operable to (i) receive the network connection from the networking interface,

Sonnenberg discloses that “[i]n the illustrated embodiment of the invention firewall 102 examines communications (e.g., individual or sequences of packets, frames, etc.) received at the firewall and, based on firewall rules 102a, forwards to each installed and enabled proxy those communications that match its type and that are permitted to transit the firewall.” Ex. 1007 at 5:44-49. See also id. at 7:5-27; Figs. 1B, 5; Ex. 1009 at ¶ 129.

10.(d)(ii) apply packet-layer firewall rules associated with a firewall policy of the plurality of firewall policies that is appropriate for the network connection and

Sonnenberg discloses that “[i]n the illustrated embodiment of the invention firewall 102 examines communications (e.g., individual or sequences of packets, frames, etc.) received at the firewall and, based on firewall rules 102a, forwards to each installed and enabled proxy those communications that match its type and that are permitted to transit the firewall. Illustratively, firewall rules 102a comprise a set of guidelines or instructions the firewall applies to determine whether to accept, reject or otherwise manipulate a particular communication. In particular, the firewall rules may specify what to do with each type of communication it receives. Thus, all FTP requests and responses concerning file accesses may be provided to FTP proxy 150 while HTTP proxy 152 receives HTTP communications” (apply packet-layer firewall rules associated with a firewall policy of the plurality of firewall policies that is appropriate for the network connection). Ex. 1007 at 5:44-57. See also Ex. 1007 at 7:5-24; Ex. 1009 at ¶ 130.

10.(d)(iii) redirect the network connection to a proxy module of the one or more proxy modules based on a network protocol associated with the network connection if the network connection is allowed by the packet-layer firewall rules; and

Sonnenberg discloses redirecting the network connection to a proxy module of the one or more proxy modules based on a network protocol associated with the network connection if the network connection is allowed by the packet-layer firewall rules: “In state 504 the firewall receives the connection request. … If the firewall has no rule against allowing the connection to proceed, it forwards the request to the appropriate (i.e., FTP) proxy. … In state 508 a communication containing the requested file is received at the firewall from the external entity. In state 510 the firewall again checks its rules, this time for incoming communications, to determine if the communication is allowable. … In state 510 the firewall forwards the communication to the FTP proxy because it is an FTP communication.” Ex. 1007 at 14:8-29. “In this embodiment firewall 102 includes proxies relating to different types of communications (e.g., differentiated by protocol) that the firewall will handle. Thus, in the illustrated embodiment firewall 102 includes FTP (File Transfer Protocol) proxy 150, HTTP (HyperText Transport Protocol) 152 and an additional proxy 154.” Ex. 1007 at 5:31-36. See also Figs. 1B and 5; Ex. 1009 at ¶ 131.

10.(e) wherein the proxy module processes application-level content of a packet stream associated with the network connection by

Sonnenberg discloses that “[i]n this embodiment a firewall protects a network of user computer nodes and has one or more proxy modules installed. A proxy may be configured to establish connections or handle communications to external entities on behalf of internal network nodes. Different proxies may be configured to handle different types of communications (e.g., FTP, HTTP, SMTP). In this embodiment a proxy is also configured to scan the communications it handles for target content such as computer viruses, programming objects (e.g., ActiveX controls, Java applets), or general content such as pornography, advertisements, etc.” Ex. 1007 at 2:21-31. See also Ex. 1007 at 4:19-26; 14:8-15:7; Figs. 1B and 5.

10.(e)(i) reconstructing the application-level content, including extracting and buffering content from a plurality of packets of the packet stream; and

Sonnenberg discloses that “[i]n this embodiment a proxy is also configured to scan the communications it handles for target content such as computer viruses, programming objects (e.g., ActiveX controls, Java applets), or general content such as pornography, advertisements, etc.” (application-level content). Ex. 1007 at 2:27-31. In order to scan for “target content” (i.e., application level content), the proxy must reconstruct the application level content, including extracting and buffering content from a plurality of packets of the packet stream. Ex. 1009 at ¶ 133. See also id. at 14:30-48; Figs. 1B, 5; Ex. 1009 at ¶ 133.

Petitioner believes that it is inherent that in order to process and scan for “application level content”, packets received by the proxy must necessarily be reconstructed. The reconstruction of the application level content (i.e., the “target content” described in Sonnenberg), would necessarily include extracting and buffering content from a plurality of packets of the packet stream. Ex. 1009 at ¶ 133. Alternatively, one of ordinary skill in the art would understand that to process and scan for “application level content”, packets received by the proxy must necessarily be reconstructed by, e.g., extracting and buffering content from a plurality of packets of the packet stream. Ex. 1009 at ¶ 133. Thus, to the extent that the Board does not determine that this limitation is disclosed by Sonnenberg, Petitioner submits that Sonnenberg teaches or suggests it. Id.

Claim Language Exemplary Citations to Disclosure

10.(e)(ii) scanning the application-level content based on one or more content processing configuration schemes of the plurality of content processing configuration schemes that have been associated with the firewall policy by an administrator of the firewall system.

Sonnenberg discloses scanning the application-level content based on one or more content processing configuration schemes of the plurality of content processing configuration schemes that have been associated with the firewall policy by an administrator of the firewall system: “In this embodiment a proxy is also configured to scan the communications it handles for target content such as computer viruses, programming objects (e.g., ActiveX controls, Java applets), or general content such as pornography, advertisements, etc.” Ex. 1007 at 2:27-31. “Each proxy is configured to handle communications of a particular type (e.g., a specific network or communication protocol) and decide whether to allow or disallow a communication based on predetermined criteria. One or more proxies are also configured to scan a communication for viruses, specified programming objects (e.g., ActiveX controls), other content (e.g., pornographic data) that is desirable or undesirable, etc.” Ex. 1007 at 4:19-26. See also id. at 14:8-48; Figs. 1B, 5; Ex. 1009 at ¶ 134.

12. The firewall system of claim 10, wherein the processing of application-level content by the proxy module comprises applying filters to the application-level content.

Sonnenberg discloses that “[i]n this embodiment a proxy is also configured to scan the communications it handles for target content such as computer viruses, programming objects (e.g., ActiveX controls, Java applets), or general content such as pornography, advertisements, etc.” (processing of application content). Ex. 1007 at 2:27-31; see also Ex. 1007 at 4:19-26. Sonnenberg discloses that “[v]irtually any type of scanning module may be installed regardless of the type of content they scan for (e.g., digital signatures, watermarks or other hidden characteristics within images, etc.).” Ex. 1007 at 7:56-60. Digital signatures are processed using filters (applying filters to the application-level content). Ex. 1009 at ¶ 135.

13. A non-transitory computer-readable storage medium tangibly embodying instructions, which when executed by a firewall system, cause the firewall system to perform a method for processing application-level content, the method comprising:

Sonnenberg discloses that “[f]or example, the methods described herein may be implemented in software executing on a computer system, or implemented in hardware utilizing either a combination of microprocessors or other specially designed application specific integrated circuits, programmable logic devices, or various combinations thereof. In particular, the methods described herein may be implemented by a series of computer-executable instructions residing on a storage medium such as a carrier wave, disk drive, or computer-readable medium” (non-transitory computer-readable storage medium tangibly embodying instructions, which when executed by a firewall system, cause the firewall system to perform a method for processing application-level content). Ex. 1007 at 3:62-4:4. See also preamble of claim 1; Ex. 1009 at ¶ 136.

Sonnenberg also renders obvious limitations 13.(a) to 13.(c)(iii)(B):

Claim Language Exemplary Citations to Disclosure

13.(a) determining, by a networking subsystem of the firewall system, the network service protocol of the incoming network connection, the incoming connection being characterized by a source network address, a destination network address and a network service protocol;

See claim limitations 1.(a) and 1.(b). See also Ex. 1009 at ¶ 137.

13.(b) determining, by the networking subsystem, whether to allow or deny the incoming connection by identifying a matching firewall policy based on the source network address, the destination network address and the network service protocol and applying packet-layer firewall rules associated with the matching firewall policy;

See claim limitation 1.(c).

13.(c) if the incoming connection is allowed, then:

See claim limitation 1.(d).

13.(c)(i) redirecting the incoming network connection, by the networking subsystem, to a proxy module of one or more proxy modules of the firewall system that is configured to support the network service protocol;

See claim limitation 1.(d)(i).

13.(c)(ii) retrieving, by the proxy module, one or more content processing configuration schemes associated with the matching firewall policy, the one or more content processing configuration schemes each including a plurality of content processing configuration settings for each of one or more network service protocols; and

See claim limitation 1.(d)(ii).

13.(c)(iii) processing, the proxy module, application-level content of a packet stream associated with the incoming network connection by

See claim limitation 1.(d)(iii).

13.(c)(iii)(A) reconstructing the application level content, including extracting and buffering content from a plurality of packets of the packet stream; and

See claim limitation 1.(d)(iii)(A).

13.(c)(iii)(B) scanning the application-level content based on the retrieved one or more content processing configuration schemes.

See claim limitation 1.(d)(iii)(B).

Sonnenberg also renders obvious claims 14 and 22(a):

Claim Language Exemplary Citations to Disclosure

14. The computer-readable storage medium of claim 13, wherein the network service protocol comprises at least one of a group consisting of HyperText Transfer Protocol (HTTP), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Post Office Protocol 3 (POP3), Internet Message Access Protocol (IMAP) and Server Message Block/Common Internet File System (SMB/CIFS).

Sonnenberg discloses that “[d]ifferent proxies may be configured to handle different types of communications (e.g., FTP, HTTP, SMTP).” Ex. 1007 at 2:25-27; see also Ex. 1007 at 7:11-14. See also Ex. 1009 at ¶ 138.

22. The method of claim 1, further comprising: (a) receiving, by the networking subsystem, a second incoming network connection associated with a second network service protocol that is different from the network service protocol;

Sonnenberg discloses that “[i]n the illustrated embodiment of the invention firewall 102 examines communications (e.g., individual or sequences of packets, frames, etc.) received at the firewall and, based on firewall rules 102a, forwards to each installed and enabled proxy those communications that match its type and that are permitted to transit the firewall. Illustratively, firewall rules 102a comprise a set of guidelines or instructions the firewall applies to determine whether to accept, reject or otherwise manipulate a particular communication. In particular, the firewall rules may specify what to do with each type of communication it receives. Thus, all FTP requests and responses concerning file accesses may be provided to FTP proxy 150 while HTTP proxy 152 receives HTTP communications.” Ex. 1007 at 5:44-57. See claim limitation 1.(a); Ex. 1009 at ¶ 139.

Sonnenberg also renders obvious limitations 22(b) to 22.(c)(iv):

Claim Language Exemplary Citations to Disclosure

22.(b) determining, by the networking subsystem, whether to allow or deny the second incoming connection based on the matching firewall policy and applying packet-layer firewall rules associated with the matching firewall policy;

See claim limitation 1.(c).

22.(c) if the second incoming connection is allowed, then:

See claim limitation 1.(d).

22.(c)(i) redirecting the second incoming network connection to a second proxy module of one or more proxy modules within the firewall device that is configured to support the second network service protocol;

See claim limitation 1.(d)(i).

22.(c)(ii) retrieving, by the second proxy module, the one or more content processing configuration schemes associated with the matching firewall policy; and

See claim limitation 1.(d)(ii).

22.(c)(iii) processing, by the second proxy module, application-level content of a packet stream associated with the second incoming network connection by

See claim limitation 1.(d)(iii).

22.(c)(iii)(A) reconstructing the application-level content of the packet stream associated with the second incoming network connection, including extracting and buffering content from a plurality of packets of the packet stream; and

See claim limitation 1.(d)(iii)(A).

22.(c)(iii)(B) scanning the application-level content of the packet stream associated with the second incoming network connection based on the retrieved one or more content processing configuration schemes; and

See claim limitation 1.(d)(iii)(B).

22.(c)(iv) wherein the plurality of content processing configuration settings for the network service protocol are different from the plurality of content processing configuration settings for the second network service protocol.

See claim limitations 1.(a) and 1.(d)(iii). Sonnenberg’s proxy rules are different from each other. Ex. 1009 at ¶ 140.

G. Ground 3: Claims 19, 20, and 28 are Obvious under 35 U.S.C. § 103(a) (pre-AIA) in light of Taylor in view of Astaro.

Astaro Security Linux V5 User Manual (“Astaro”) accompanied the Astaro Security Linux V5 Internet security system. Astaro is prior art to the ’654 patent at least under 35 U.S.C. § 102(b) (pre-AIA) because it was published and publicly available in the United States on October 24, 2004 and therefore pre-dates by more than one year the earliest possible priority date on the face of the ’654 patent (Nov. 22, 2005). Ex. 1008 at labeled page 2 (all other cites to Astaro’s page numbers).

Astaro discloses a computer-implemented security system including a firewall system. Ex. 1008 at 11. The firewall system combined several network components to provide “protection against unauthorized access”, “access control”, “protocol analysis”, “concealing internal network structure”, and “separation of servers and clients using proxies” among other features. Ex. 1008 at 11. The Astaro firewall system includes network layer firewalls and application layer gateways. Id. at 12-13. The application layer gateways “act as a middleman in connections between external systems and protected ones” by translating data packets. Id. at 13. The translation process is called a proxy and each proxy “is able to analyze and log protocol usage at a fine-grained level, and thereby offer a wide range of monitoring and security options.” Id. Included in these options is the ability to authenticate and filter users as well as create user groups. Ex. 1008 at 123 and 227. See also id. at 37, 75-77, 83, and 85. Furthermore, Astaro allows the system administrator to employ a content filter in the proxy which “scans e-mails and attachments passing through the proxy for dangerous contents such as viruses or Trojan horses.” Id. at 250. Flagged messages can then be quarantined based on set thresholds. Id. at 251. The Astaro firewall also features a “File Extension Filter” to filter files. Id. at 262.

It would have been obvious to one of skill in the art to combine the disclosures of Taylor and Astaro, and there would have been motivation to combine them, at least because both involve improving computer implemented network security systems using firewall systems having both network and application layer filtering. Ex. 1009 at ¶ 141. Additionally, both Taylor and Astaro seek to provide greater flexibility and control over network security. Ex. 1006 at 4:8-13; Ex. 1008 at 35. Both references provide network and application level firewall protections. Ex. 1006 at 3:33-39; Ex. 1008 at 12-13. Finally, the firewall systems of both Taylor and Astaro allow the administrator to dictate how data flows in the network based on user defined rules and policies. Ex. 1006 at 3:54-65, Ex. 1008 at 196-199. For at least these reasons, the combination of these disclosures would not go beyond combining known elements to yield predictable results. Ex. 1009 at ¶ 141.

Claim Language Exemplary Citations to Disclosure

19. The computer-readable storage medium of claim 18, wherein the authenticated user is associated with one or more user groups.

Astaro discloses, “The SOCKSv5, SMTP, and HTTP services can be configured to allow or disallow clients based on IP address or on username and password combinations. In order to use User Authentication, you must select at least one database against which the security system should authenticate users” (user authentication). Ex. 1008 at 73. Astaro also discloses “RADIUS stands for Remote Authentication Dial In User Service and is a protocol for allowing network devices (e.g., routers) to authenticate users against a central database” (user authentication). Ex. 1008 at 74. Astaro further discloses “[t]he Filters function allows you to filter Users with specific attributes from the table. This function considerably enhances the management of huge network configurations, as users of a certain type can be presented in a concise way” (user is associated with one or more user groups). Ex. 1008 at 123. Astaro also discloses “[t]o give Internet access to a user, he must be assigned to a specific profile in the Profiles-table. If you have already defined the group in your Active Directory (AD) you must give the same name to the profile (e. g. http_access) as to the group in the tab service. Like that, you only need to define those profiles for the user group, for which the access to specific websites shall be prevented” (user is associated with one or more user groups). Ex. 1008 at 227. See also id. at 37 (“Allowed Users”), 83 (“group membership”), and 85 (“grant privileges on the basis of group memberships…”); Ex. 1009 at ¶ 142.

20. The computer-readable storage medium of claim 19, wherein the retrieved one or more content processing configuration schemes are assigned to the one or more user groups.

Astaro also discloses “[t]o give Internet access to a user, he must be assigned to a specific profile in the Profiles-table. If you have already defined the group in your Active Directory (AD) you must give the same name to the profile (e. g. http_access) as to the group in the tab service. Like that, you only need to define those profiles for the user group, for which the access to specific websites shall be prevented” (user is associated with one or more user groups). Ex. 1008 at 227. See also id. at 37 (“Allowed Users”), 83 (“group membership”), and 85 (“grant privileges on the basis of group memberships…”); Ex. 1009 at ¶ 143.

28. The firewall system of claim 10, wherein the network service protocol comprises File Transfer Protocol (FTP) and wherein the plurality of content processing configuration settings include content processing configuration settings for each of antivirus scanning, filename blocking and quarantining.

Taylor discloses, “[f]or instance, this rule is useful for protocols such as File Transfer Protocol (FTP), which sends data packets on a different connection after establishing the connection. Other filtering rules are also possible such as not applying any filtering or applying a proxy filter at the application layer to all packets received on a specific connection” (wherein the network service protocol comprises File Transfer Protocol (FTP)). Ex. 1006 at 6:37-40. Astaro discloses, “The Surf Protection Profiles function allows you to produce profiles, which prevent access to certain websites… Each Surf Protection Profile additionally contains a Content Filter with protection mechanisms. Those protection mechanisms are: • Virus Protection (VP) • Embedded Object Filter • Script Content Filter” (plurality of content processing configuration settings include content processing configuration settings for each of antivirus scanning). Ex. 1008 at 233. Astaro also discloses, “Virus Protection: This option scans e-mails and attachments passing through the proxy for dangerous contents such as viruses or Trojan horses” (antivirus scanning). Ex. 1008 at 250. Astaro discloses the ability to set quarantines: “Quarantine: The e-mail will be accepted, but kept in quarantine. The Proxy Content Manager menu will list this e-mail with status Quarantine. This menu presents further options, including options to read or to send the message” (quarantining). Ex. 1008 at 251. Astaro also discloses, “File Extension Filter This function allows the firewall to selectively filter attachments based on their file extensions. The extensions to filter can be selected in the Extensions list tool” (filename blocking). Ex. 1008 at 262; see also Ex. 1009 at ¶ 144.

H. Ground 4: Claims 4, 18-20, and 28 are Obvious under 35 U.S.C. § 103(a) (pre-AIA) in light of Sonnenberg in view of Astaro.

It would have been obvious to one of skill in the art to combine the disclosures of Sonnenberg and Astaro, and there would have been motivation to combine them, at least because both involve improving computer implemented network security systems using firewall systems having both network and application layer filtering. Ex. 1009 at ¶ 145. Additionally, both Sonnenberg and Astaro seek to provide greater flexibility and control over network security. Ex. 1007 at 2:38-45; Ex. 1008 at 35. Both references provide network and application level firewall protections. Ex. 1007 at 2:21-31; Ex. 1008 at 12-13. Finally, the firewall systems of both Sonnenberg and Astaro allow the administrator to dictate how data flows in the network based on user defined rules and policies. Ex. 1007 at 2:33-37, Ex. 1008 at 196-199. For at least these reasons, the combination of these disclosures would not go beyond combining known elements to yield predictable results. Ex. 1009 at ¶ 145.

Claim Language Exemplary Citations to Disclosure

4. The method of claim 3, wherein if the plurality of predefined firewall policies does not contain the matching firewall policy, a default firewall policy is identified as the matching firewall policy.

Sonnenberg discloses, “[i]n one embodiment of the invention a base or default set of rules and criteria may be specified by a system or network administrator. These rules may determine which network nodes may scan some or all of their communications, when (e.g., time of day, level of firewall or proxy activity) the proxy may leave a communication to be scanned by its destination node, a minimum security configuration a node may have to in order to be able to scan communications, etc.” Ex. 1007 at 2:38-45. Astaro discloses, “The Rules menu allows you to define packet filter sets of rules. These rules are defined with the help of the network and service definitions. In general, there are two basic kinds of packet filtering policy: • Default allow – the rules explicitly define which packets are blocked; all others are allowed. • Default deny– the rules explicitly define which packets are allowed; all others are dropped” (if the plurality of predefined firewall policies does not contain the matching firewall policy, a default firewall policy is identified as the matching firewall policy). Ex. 1008 at 202. See also id. at 237; Ex. 1009 at ¶ 146.

18. The computer-readable storage medium of claim 13, wherein the method further comprises authenticating a user associated with the incoming connection and rejecting the incoming connection if the authentication is unsuccessful.

Astaro discloses, “The SOCKSv5, SMTP, and HTTP services can be configured to allow or disallow clients based on IP address or on username and password combinations. In order to use User Authentication, you must select at least one database against which the security system should authenticate users” (authenticating a user associated with the incoming connection and rejecting the incoming connection if the authentication is unsuccessful). Ex. 1008 at 73. See also Ex. 1009 at ¶ 147.

19. The computer-readable storage medium of claim 18, wherein the authenticated user is associated with one or more user groups.

Astaro discloses, “The SOCKSv5, SMTP, and HTTP services can be configured to allow or disallow clients based on IP address or on username and password combinations. In order to use User Authentication, you must select at least one database against which the security system should authenticate users” (user authentication). Ex. 1008 at 73. Astaro also discloses “RADIUS stands for Remote Authentication Dial In User Service and is a protocol for allowing network devices (e.g., routers) to authenticate users against a central database” (user authentication). Ex. 1008 at 74. Astaro further discloses “[t]he Filters function allows you to filter Users with specific attributes from the table. This function considerably enhances the management of huge network configurations, as users of a certain type can be presented in a concise way” (user is associated with one or more user groups). Ex. 1008 at 123. Astaro also discloses “[t]o give Internet access to a user, he must be assigned to a specific profile in the Profiles-table. If you have already defined the group in your Active Directory (AD) you must give the same name to the profile (e. g. http_access) as to the group in the tab service. Like that, you only need to define those profiles for the user group, for which the access to specific websites shall be prevented” (user is associated with one or more user groups). Ex. 1008 at 227. See also id. at 37 (“Allowed Users”); 83 (“group membership”); 85 (“grant privileges on the basis of group memberships…”); 75 (“Create a user group for every proxy to be used.”); 76 (“Windows group of user…”); Ex. 1009 at ¶ 148.


20. The computer-readable storage medium of claim 19, wherein the retrieved one or more content processing configuration schemes are assigned to the one or more user groups.

Astaro also discloses “[t]o give Internet access to a user, he must be assigned to a specific profile in the Profiles-table. If you have already defined the group in your Active Directory (AD) you must give the same name to the profile (e. g. http_access) as to the group in the tab service. Like that, you only need to define those profiles for the user group, for which the access to specific websites shall be prevented” (user is associated with one or more user groups). Ex. 1008 at 227. See also id. at 37 (“Allowed Users”); 83 (“group membership”); 85 (“grant privileges on the basis of group memberships…”); 75 (“Create a user group for every proxy to be used.”); 76 (“Windows group of user…”); Ex. 1009 at ¶ 149.

28. The firewall system of claim 10, wherein the network service protocol comprises File Transfer Protocol (FTP) and wherein the plurality of content processing configuration settings include content processing configuration settings for each of antivirus scanning, filename blocking and quarantining.

Sonnenberg discloses, “[i]n state 510 the firewall forwards the communication to the FTP proxy because it is an FTP communication.” Ex. 1007 at 14:8-48. Sonnenberg discloses, “[i]n state 512 the FTP proxy applies its rules. Illustratively, the proxy first determines whether it or the firewall can scan the communication. In this embodiment a scanning module (e.g., a virus scanner) has already been installed and configured on the firewall, so this determination is settled affirmatively. … Otherwise, if the proxy has not off-loaded its responsibility for scanning this communication to the node, in state 514 it scans the file with a scanning module and, if the communication (e.g., the requested file) passes the scan (e.g., contains no detectable computer viruses) it is forwarded to the node, after which the procedure ends at state 520.” Ex. 1007 at 14:30-41. Sonnenberg discloses, “[o]ne of ordinary skill in the art will appreciate the large number of configurable parameters that may be part of various scanning modules (e.g., file type, file size, time, type of content to scan for, identity of a node or user, level of trust).” Ex. 1007 at 8:29-33. Astaro discloses, “[e]ach Surf Protection Profile additionally contains a Content Filter with protection mechanisms. Those protection mechanisms are: • Virus Protection (VP) • Embedded Object Filter • Script Content Filter” (plurality of content processing configuration settings include content processing configuration settings for each of antivirus scanning). Ex. 1008 at 233. Astaro also discloses, “Virus Protection: This option scans e-mails and attachments passing through the proxy for dangerous contents such as viruses or Trojan horses” (antivirus scanning). Ex. 1008 at 250. Astaro discloses the ability to set quarantines: “Quarantine: The e-mail will be accepted, but kept in quarantine. The Proxy Content Manager menu will list this e-mail with status Quarantine. This menu presents further options, including options to read or to send the message” (quarantining). Ex. 1008 at 251. Astaro also discloses, “File Extension Filter This function allows the firewall to selectively filter attachments based on their file extensions. The extensions to filter can be selected in the Extensions list tool” (filename blocking). Ex. 1008 at 262; see also Ex. 1009 at ¶ 150.
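The following is an added illustration, not part of the petition or of any exhibit, of the pipeline the charted claims recite: a networking subsystem that matches an incoming connection against predefined policies keyed on source address, destination address and network service protocol and falls back to a default policy (claims 1 and 4); redirection to a protocol-specific proxy that retrieves the policy's content processing configuration scheme, with different settings per protocol (claim 22); reconstruction of application-level content from several packets; and scanning under the scheme's antivirus, filename-blocking and quarantine settings (claim 28). The policy names, address ranges, settings, packet format and the toy signature scanner are assumptions made for this example and are not drawn from the '654 patent, Sonnenberg, Taylor or Astaro.

```python
"""Policy-based content filtering pipeline (illustrative example only;
not code from the '654 patent or from any cited reference)."""
from dataclasses import dataclass
import ipaddress

# Constructed malware marker for the toy antivirus scanner (assumption; a real
# scanner would consult a signature database, not a fixed byte string).
TOY_SIGNATURE = b"X5O!TOY-MALWARE-SIGNATURE"


@dataclass(frozen=True)
class Policy:
    """A firewall policy keyed on (source, destination, protocol), carrying one
    content processing configuration scheme per network service protocol."""
    name: str
    src: str      # CIDR the source address must fall in
    dst: str      # CIDR the destination address must fall in
    proto: str    # network service protocol, or "*" for any
    allow: bool   # packet-layer verdict for matching connections
    schemes: dict # proto -> {"antivirus", "blocked_ext", "quarantine"}


# Default policy used when no predefined policy matches (default deny).
DEFAULT_POLICY = Policy("default-deny", "0.0.0.0/0", "0.0.0.0/0", "*", False, {})

# Assumed policy table: FTP and HTTP get different settings for the same source.
POLICIES = [
    Policy("dmz-ftp", "10.0.0.0/8", "192.168.1.10/32", "FTP", True,
           {"FTP": {"antivirus": True, "blocked_ext": {".exe", ".scr"},
                    "quarantine": True}}),
    Policy("dmz-http", "10.0.0.0/8", "192.168.1.20/32", "HTTP", True,
           {"HTTP": {"antivirus": True, "blocked_ext": {".exe", ".js"},
                     "quarantine": False}}),
]


def match_policy(policies, src, dst, proto):
    """Networking subsystem: first policy whose src/dst/proto all match, else default."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if (s in ipaddress.ip_network(p.src) and d in ipaddress.ip_network(p.dst)
                and p.proto in ("*", proto)):
            return p
    return DEFAULT_POLICY


def reconstruct(packets):
    """Proxy step: buffer the payloads of several (seq, payload) packets, order
    them by sequence number and join them into the application-level content.
    Refuses to scan a stream with missing or duplicate segments."""
    buffered = sorted(packets, key=lambda pkt: pkt[0])
    seqs = [seq for seq, _ in buffered]
    if seqs != list(range(len(seqs))):
        raise ValueError(f"missing or duplicate segments: {seqs}")
    return b"".join(payload for _, payload in buffered)


def scan(content, filename, settings):
    """Proxy step: apply the scheme's settings; returns 'pass', 'block' or 'quarantine'."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    if ext in settings.get("blocked_ext", set()):
        return "block"                                   # filename blocking
    if settings.get("antivirus") and TOY_SIGNATURE in content:
        return "quarantine" if settings.get("quarantine") else "block"
    return "pass"


def process_connection(policies, src, dst, proto, filename, packets):
    """Whole pipeline: packet-layer policy match, then hand-off to the proxy for
    the connection's protocol, which retrieves the policy's scheme and scans."""
    policy = match_policy(policies, src, dst, proto)
    if not policy.allow:
        return {"policy": policy.name, "allowed": False, "verdict": "denied"}
    settings = policy.schemes.get(proto)
    if settings is None:
        # Allowed at the packet layer but no scheme for this protocol: fail
        # closed instead of forwarding unscanned content.
        return {"policy": policy.name, "allowed": True, "verdict": "no-proxy"}
    content = reconstruct(packets)
    return {"policy": policy.name, "allowed": True,
            "verdict": scan(content, filename, settings), "size": len(content)}


if __name__ == "__main__":
    # Constructed sample streams: an out-of-order clean file and an infected one.
    clean = [(1, b"world"), (0, b"hello ")]
    infected = [(0, b"PK"), (1, TOY_SIGNATURE), (2, b"tail")]
    print(process_connection(POLICIES, "10.1.2.3", "192.168.1.10", "FTP", "report.pdf", clean))
    print(process_connection(POLICIES, "10.1.2.3", "192.168.1.10", "FTP", "tool.zip", infected))
    print(process_connection(POLICIES, "10.1.2.3", "192.168.1.20", "HTTP", "tool.zip", infected))
    print(process_connection(POLICIES, "172.16.0.5", "192.168.1.10", "FTP", "x", clean))
```

The same infected stream is quarantined on the FTP policy and blocked outright on the HTTP policy, because the two protocols carry different content processing settings under their respective policies; a source outside the configured ranges never reaches a proxy because the default policy denies it at the packet layer.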


IV. CONCLUSION

For the foregoing reasons, Petitioner requests that the Board institute trial and cancel claims 1, 3, 4, 10, 12-14, 18, 19, 20, 22, and 28 of the ’654 patent.

Dated: March 20, 2015

Respectfully Submitted,

/Gianni Minutoli/

Gianni Minutoli
Reg. No. 41,198
[email protected]
Postal and Hand Delivery Address:
DLA Piper LLP (US)
One Fountain Square
11911 Freedom Drive, Suite 300
Reston, VA 20190-5602
Phone: 703-773-4045
Fax: 202-799-5125

Ryan W. Cobb
Reg. No. 64,598
[email protected]
Phone: 650-833-2235
Fax: 650-833-2001

Harpreet Singh
Reg. No. 71,842
[email protected]
Phone: 650-833-2191
Fax: 650-687-1191
Postal and Hand Delivery Address:
DLA Piper LLP (US)
2000 University Ave
East Palo Alto, CA 94303

Attorneys for Petitioner Sophos Ltd. and Sophos Inc.


CERTIFICATE OF SERVICE

The undersigned certifies service pursuant to 37 C.F.R. §§ 42.6(e) and 42.105(b) on the Patent Owner by UPS Overnight Delivery of a copy of this Petition for Inter Partes Review and supporting materials at the following correspondence address of record for the ’654 Patent:

Michael DeSanctis
Hamilton DeSanctis & Cha LLP
Financial Plaza At Union Square
225 Union Boulevard, Suite 150
Lakewood, CO 80228

Dated: March 20, 2015

/Gianni Minutoli/
Gianni Minutoli
Registration No. 41,198
DLA PIPER LLP (US)
11911 Freedom Drive, Suite 300
Reston, Virginia 20190-5602
Phone: (703) 773-4045
Fax: (703) 773-5019