Ex Parte Bitton et al
Patent Trial and Appeal Board, Oct 30, 2017
13953208 (P.T.A.B. Oct. 30, 2017)

UNITED STATES PATENT AND TRADEMARK OFFICE
UNITED STATES DEPARTMENT OF COMMERCE
Address: COMMISSIONER FOR PATENTS, P.O. Box 1450, Alexandria, Virginia 22313-1450, www.uspto.gov

APPLICATION NO.: 13/953,208
FILING DATE: 07/29/2013
FIRST NAMED INVENTOR: Elie Bitton
ATTORNEY DOCKET NO.: FORT-009410
CONFIRMATION NO.: 9599
Correspondence: 64128 7590 MICHAEL A DESANCTIS, HAMILTON DESANCTIS & CHA LLP, 12640 W. Cedar Drive, Suite 1, LAKEWOOD, CO 80228
EXAMINER: SHAIFER HARRIMAN, DANT B
ART UNIT: 2434
NOTIFICATION DATE: 11/01/2017
DELIVERY MODE: ELECTRONIC

Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication. Notice of the Office communication was sent electronically on the above-indicated "Notification Date" to the following e-mail address(es): mdesanctis@hdciplaw.com
PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE
BEFORE THE PATENT TRIAL AND APPEAL BOARD

Ex parte ELIE BITTON and ALEX SAMONTE

Appeal 2017-003179
Application 13/953,208
Technology Center 2400

Before JOHN A. EVANS, MATTHEW J. McNEILL, and ALEX S. YAP, Administrative Patent Judges.

EVANS, Administrative Patent Judge.

DECISION ON APPEAL

Appellants1 seek our review under 35 U.S.C. § 134(a) of the Examiner's Final Rejection of Claims 28-43, all claims pending in the Application. Br. 5. We have jurisdiction under 35 U.S.C. § 6(b).

We REVERSE.2

1 Appellants state the real party in interest is Fortinet, Inc. Br. 3.

2 Rather than reiterate the arguments of Appellants and the Examiner, we refer to the Appeal Brief (filed March 11, 2016, "Br."); the Examiner's Answer (mailed July 25, 2016, "Ans."); the Final Action (mailed September 11, 2015, "Final Act."); and the Specification (filed July 29, 2013, "Spec.") for their respective details.
STATEMENT OF THE CASE

The claims relate to systems and methods for performing intra-zone and inter-zone security management in a network. See Abstract.

INVENTION

Claims 28, 32, 36, and 40 are independent. An understanding of the invention can be derived from a reading of Claim 28, which is reproduced below with some formatting added:

28. A method of performing security scanning within a virtual environment, the method comprising:

    assigning a first security policy to a first plurality of virtual machines (VMs) hosted by a hypervisor of a host machine by creating, within a network security device, a first layer 2 (L2) virtual domain (VDOM) with which the first plurality of VMs are associated, wherein the first L2 VDOM has implemented therein a first L2 scanning module to apply the first security policy to inter-VM traffic exchanged among the first plurality of VMs, wherein the first plurality of VMs are within a first common L2 broadcast domain as a result of being part of a first virtual local area network (VLAN) or as a result of being coupled in communication with the hypervisor through a first common port group of a plurality of port groups of a virtual switch of the host machine;

    assigning a second security policy to a second plurality of VMs hosted by the hypervisor by creating, within the network security device, a second L2 VDOM with which the second plurality of VMs are associated, wherein the second L2 VDOM has implemented therein a second L2 scanning module to apply the second security policy to inter-VM traffic exchanged among the second plurality of VMs, wherein the second plurality of VMs are within a second common L2 broadcast domain as a result of being part of a second VLAN or as a result of being coupled in communication with the hypervisor through a second common port group of the plurality of port groups;

    receiving, by the network security device, a first packet originated by a first VM of the first plurality of VMs and directed to a second VM of the first plurality of VMs;

    responsive to determining both a source and a destination of the first packet are associated with the first L2 VDOM, causing, by the network security device, the first L2 scanning module to apply security scanning to the first packet in accordance with a first set of security rules associated with the first security policy prior to forwarding the first packet to the second VM of the first plurality of VMs;

    receiving, by the network security device, a second packet originated by a first VM of the second plurality of VMs and directed to a second VM of the second plurality of VMs; and

    responsive to determining both a source and a destination of the second packet are associated with the second L2 VDOM, causing, by the network security device, the second L2 scanning module to apply security scanning to the second packet in accordance with a second set of security rules associated with the second security policy prior to forwarding the second packet to the second VM of the second plurality of VMs.

References and Rejections

Husak                                   US 6,157,647          Dec. 5, 2000
Jiang                                   US 2012/0204264 A1    Aug. 9, 2012
Puttaswamy Naga et al. ("Puttaswamy")   US 2013/0305311 A1    Nov. 14, 2013
Lukas et al.                            US 2013/0219500 A1    Aug. 22, 2013

The claims stand rejected as follows:3

1. Claims 28, 29, 32, 33, 36, 37, 40, and 41 stand rejected under 35 U.S.C. § 102(a)(2) as anticipated by Puttaswamy. Final Act. 5-10.

2. Claims 30, 34, 38, and 42 stand rejected under 35 U.S.C. § 103(a) as obvious over Puttaswamy and Jiang. Final Act. 11-12.

3. Claims 31 and 35 stand rejected under 35 U.S.C. § 103(a) as obvious over Puttaswamy and Lukas. Final Act. 12-13.

4. Claims 39 and 43 stand rejected under 35 U.S.C. § 103(a) as obvious over Puttaswamy and Husak. Final Act. 13-15.
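The data path recited in Claim 28, worked through as a small simulation. This is an added example for this page, not code from Fortinet, from the decision, or from any of the cited references. The VM names, MAC addresses, VLAN ID, port-group name, rule syntax, the default-allow behaviour when no rule matches, and the handling of packets whose endpoints belong to different VDOMs (a case Claim 28 does not recite) are all constructed assumptions. The example keeps the distinction the Board's analysis turns on: a VM's membership in an L2 VDOM is derived from its VLAN or its virtual-switch port group, while the scanning rules match on TCP/UDP port numbers, which are a different thing.

```python
"""Simulation of the intra-VDOM L2 scanning method recited in Claim 28.

Added example; not code from Fortinet, the decision, or the cited
references.  Names, addresses, IDs and the rule syntax are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class VM:
    """A guest on the hypervisor.  Its L2 broadcast domain is given either
    by a VLAN or by the vSwitch port group it is attached to."""
    name: str
    mac: str
    vlan: Optional[int] = None
    port_group: Optional[str] = None

    def l2_domain(self) -> tuple[str, object]:
        if self.vlan is not None:
            return ("vlan", self.vlan)
        if self.port_group is not None:
            return ("port_group", self.port_group)
        raise ValueError(f"{self.name}: no VLAN or port group, so no L2 domain")


@dataclass(frozen=True)
class Rule:
    """One security rule.  dst_port is a TCP/UDP port number (e.g. 80),
    a different concept from a vSwitch port group."""
    action: str                      # "allow" or "deny"
    proto: str = "any"
    dst_port: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        if self.proto != "any" and self.proto != pkt.get("proto"):
            return False
        if self.dst_port is not None and self.dst_port != pkt.get("dst_port"):
            return False
        return True


@dataclass
class L2VDOM:
    """A layer-2 virtual domain inside the network security device, with
    its own scanning module (here a first-match rule list)."""
    name: str
    members: frozenset[str]          # MAC addresses of the associated VMs
    rules: tuple[Rule, ...]

    def scan(self, pkt: dict) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "allow"               # assumption: default-allow when nothing matches


class NetworkSecurityDevice:
    def __init__(self) -> None:
        self.vdoms: dict[str, L2VDOM] = {}
        self.mac_to_vdom: dict[str, str] = {}

    def assign_policy(self, vdom_name: str, vms: list[VM], rules: list[Rule]) -> L2VDOM:
        """Assigning a policy = creating an L2 VDOM and associating VMs with
        it.  All VMs in one VDOM must share a single L2 broadcast domain."""
        if len({vm.l2_domain() for vm in vms}) != 1:
            raise ValueError("VMs in one L2 VDOM must share a broadcast domain")
        vdom = L2VDOM(vdom_name, frozenset(vm.mac for vm in vms), tuple(rules))
        self.vdoms[vdom_name] = vdom
        for vm in vms:
            self.mac_to_vdom[vm.mac] = vdom_name
        return vdom

    def receive(self, pkt: dict) -> tuple[str, Optional[str]]:
        """Returns (verdict, vdom_name).  Only the intra-VDOM branch is what
        Claim 28 recites; the other two branches are assumptions."""
        src = self.mac_to_vdom.get(pkt["src_mac"])
        dst = self.mac_to_vdom.get(pkt["dst_mac"])
        if src is None or dst is None:
            return ("drop", None)        # assumption: unknown endpoint
        if src != dst:
            return ("inter-vdom", None)  # not recited in Claim 28
        verdict = self.vdoms[src].scan(pkt)
        return ("forward" if verdict == "allow" else "drop", src)


def demo() -> list[tuple[str, Optional[str]]]:
    """Constructed topology: two web VMs on VLAN 10, two DB VMs on one port group."""
    dev = NetworkSecurityDevice()
    web1 = VM("web1", "02:00:00:00:01:01", vlan=10)
    web2 = VM("web2", "02:00:00:00:01:02", vlan=10)
    db1 = VM("db1", "02:00:00:00:02:01", port_group="pg-db")
    db2 = VM("db2", "02:00:00:00:02:02", port_group="pg-db")
    # First policy: block telnet between the web VMs, allow everything else.
    dev.assign_policy("vdom-web", [web1, web2], [Rule("deny", "tcp", 23), Rule("allow")])
    # Second policy: only MySQL between the database VMs.
    dev.assign_policy("vdom-db", [db1, db2], [Rule("allow", "tcp", 3306), Rule("deny")])
    pkts = [  # constructed sample packets
        {"src_mac": web1.mac, "dst_mac": web2.mac, "proto": "tcp", "dst_port": 80},
        {"src_mac": web1.mac, "dst_mac": web2.mac, "proto": "tcp", "dst_port": 23},
        {"src_mac": db1.mac, "dst_mac": db2.mac, "proto": "tcp", "dst_port": 3306},
        {"src_mac": db1.mac, "dst_mac": db2.mac, "proto": "tcp", "dst_port": 80},
        {"src_mac": web1.mac, "dst_mac": db1.mac, "proto": "tcp", "dst_port": 3306},
    ]
    return [dev.receive(p) for p in pkts]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The two scanning modules never see each other's traffic: the device first resolves source and destination MAC to a VDOM and only then hands the packet to that VDOM's rule list, which is the "responsive to determining both a source and a destination ... are associated with the first L2 VDOM" step of the claim.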
ANALYSIS

We have reviewed the rejections of claims 28-43 in light of Appellants' arguments that the Examiner erred. We consider Appellants' arguments seriatim, as they are presented in the Appeal Brief, pages 20-31.

3 The rejections under 35 U.S.C. §§ 101 and 112 have been withdrawn. Ans. 2.

Claims 28, 29, 32, 33, 36, 37, 40, and 41: Anticipation by Puttaswamy

VMware port groups.

Appellants contend Puttaswamy fails to disclose the use of VDOMs to apply appropriate security rules to inter-VM traffic within the same L2 broadcast domain. Br. 26. Independent claim 28 recites, inter alia, "a plurality of port groups of a virtual switch of the host machine." Appellants argue "port groups" is a VMware-specific term referring to management objects for aggregation of multiple ports on a virtual switch that may be used as endpoints for connecting VMs. Id. Appellants argue the Puttaswamy reference to blocking traffic on certain ports (e.g., port numbers 10, 50, 80 and 120) relates to logical ports (e.g., the well-known ports 0 through 1023 used for TCP/IP connections, for File Transfer Protocol (FTP) data, Remote Mail Checking Protocol (RMCP), Hypertext Transfer Protocol (HTTP), Coherent File Distribution Protocol (CFDP) and the like), but is not a reference to the VMware-specific term "port groups," as claimed. Id.

The Examiner finds Puttaswamy discloses security rules, which may include firewall rules, such that traffic may be blocked to VMs on any port, including enumerated ports 10, 50, 80, and 120. Ans. 14. The Examiner does not specifically respond to Appellants' contention that Puttaswamy fails to disclose VMware-specific "port groups," as recited in independent Claim 28. The Examiner finds Puttaswamy inherently discloses "a virtual switch of a host machine that includes a plurality of port groups." Ans. 15 (citing Puttaswamy ¶ 37, ll. 15-20).

Puttaswamy discloses:

    In this example, assume that a first virtual machine (e.g., one of the virtual machines 114a1 of host 111a1) is sending data to a second virtual machine (e.g., one of the virtual machines 114bn of host 111bn), and a security rule 152 is defined for checking whether the data being sent by the first virtual machine is allowed to enter the second virtual machine.

Puttaswamy ¶ 37. We find no disclosure, in this cited passage, either of VMware-specific port groups, or of port groups. We find no disclosure anywhere within Puttaswamy of a "port group." Independent claim 32 contains commensurate limitations. In view of the foregoing, we decline to sustain the rejection of independent claims 28 and 32 and claims 29-31, 33-35, and 37-39, dependent therefrom.

A first layer 2 virtual domain (VDOM).

Appellants contend Puttaswamy fails to disclose "creating, within a network security device, a first layer 2 (L2) virtual domain (VDOM) with which the first plurality of VMs are associated," as recited in independent claim 28. Br. 26. We find no disclosure in Puttaswamy of a layer 2 virtual domain, nor does the Examiner so direct our attention. Each of independent claims 32, 36, and 40 contains commensurate limitations. In view of the foregoing, we decline to sustain the rejection of the claims as anticipated.

Claims 30, 31, 34, 35, 38, 39, 42, and 43: Obviousness over Puttaswamy and any of Jiang, Lukas, or Husak

The Examiner does not apply any of Jiang, Lukas, or Husak to teach the limitations discussed above. See Final Act. 11-15. In view of the foregoing, we decline to sustain the rejection of the dependent claims.

DECISION

The rejection of Claims 28, 29, 32, 33, 36, 37, 40, and 41 under 35 U.S.C. § 102 is REVERSED.

The rejection of Claims 30, 31, 34, 35, 38, 39, 42, and 43 under 35 U.S.C. § 103 is REVERSED.

REVERSED