Ex Parte Kleinsteiber et al, 11198834 (P.T.A.B. Jul. 30, 2013)

UNITED STATES PATENT AND TRADEMARK OFFICE
________________

BEFORE THE PATENT TRIAL AND APPEAL BOARD
________________

Ex parte JAMES KLEINSTEIBER, RICHARD L. HAMMONS, HUNG NGUYEN, SHANKAR BALASUBRAMANIAN, and VIDYA RENGANARARAYANAN[1]
________________

Appeal 2011-002844
Application 11/198,834
Technology Center 2400
________________

Before JOSEPH L. DIXON, KRISTEN L. DROESCH, and JASON V. MORGAN, Administrative Patent Judges.

MORGAN, Administrative Patent Judge.

DECISION ON APPEAL

[1] Brocade Communications Systems, Inc., is the real party in interest. App. Br. 3.

STATEMENT OF THE CASE

Introduction

This is an appeal under 35 U.S.C. § 134(a) from the Examiner’s Final Rejection of claims 62 – 66, 69, 91 – 94, and 97. Claims 1 – 61, 67, 68, 70 – 90, 95, 96, and 98 – 102 are canceled. App. Br. 3. We have jurisdiction under 35 U.S.C. § 6(b). We reverse.

Invention

Appellants’ invention relates to the use of security techniques that are combined to provide overall network security. For example, network control may limit logical management access or physical I/O (input/output) access on a per-device or per-I/O basis, so that all devices and ports in the network operate only with other approved devices and ports. See Spec., Abstract. One technique disclosed is the use of management access controls. Specifically, policy sets are used to give network operators the ability to specifically designate the logical channels from which security and management instructions may originate. For example, an operator may disable serial port access, front panel access, or HTTP (hypertext transfer protocol) access for the purposes of management or security changes.

Another disclosed technique for limiting management access and enhancing security is to specifically designate which devices can send or receive information to which other devices. See Spec., ¶ [0012].

Exemplary Claim (Emphases Added)

62. A method of securing a network comprising the steps of:

limiting access to a first set of one or more network management functions relating to the capabilities and operational permissions of devices in the network by allowing control of said first set of network management functions only through one or more pre-selected devices; and

limiting access to a second set of network management functions relating to the capabilities and operational permissions of devices in the network to access only through one or more pre-determined logical channels of said one or more preselected devices as specified by a network operator;

wherein the first set of network management functions is mutually exclusive from the second set of network management functions.

Rejections

The Examiner rejects claims 62 – 65 and 91 – 93 under 35 U.S.C. § 103(a) as being unpatentable over Sudama (US 5,619,657; Apr. 8, 1997; filed Jun. 6, 1994) and Firewall Q&A, Vicomsoft KnowledgeShare (archived Feb. 29, 2000), available at http://web.archive.org/web/20000229202157/http://www.vicomsoft.com/knowledge/reference/firewalls1.html (“Firewall Q&A”). Ans. 4 – 7.

The Examiner rejects claims 66 and 94 under 35 U.S.C. § 103(a) as being unpatentable over Sudama, Firewall Q&A, and James H. Yu and Tom K. Le, Internet and Network Security, J. of Indust. Tech., Vol. 17, No. 1 (2000) (“Yu”). Ans. 7 – 8.

The Examiner rejects claims 69 and 97 under 35 U.S.C. § 103(a) as being unpatentable over Sudama, Firewall Q&A, and Ozcetin (US 2003/0014678 A1; Jan. 16, 2003). Ans. 8 – 9.
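The two-tier control recited in claim 62 (a first set of management functions gated only by pre-selected device, a second set gated additionally by the logical channel the request arrives on, the two sets disjoint) can be modelled as a small policy engine. The code below is an added illustration, not code from the application or from Brocade; the device names, function names, and the "ssh" channel are constructed assumptions, while serial, front panel, and HTTP are the channels the specification names.

```python
"""Toy policy engine modelling the management-access control of claim 62.

First set: functions reachable from any pre-selected device, over any channel.
Second set: functions reachable only over operator-selected logical channels
of a pre-selected device.  The two sets must be mutually exclusive.
All identifiers below are constructed for illustration."""
from dataclasses import dataclass

# Logical channels: serial, front panel and HTTP come from the specification's
# example; "ssh" is an added assumption.
CHANNELS = frozenset({"serial", "front_panel", "http", "ssh"})


@dataclass(frozen=True)
class ManagementPolicy:
    preselected_devices: frozenset   # devices allowed to issue management commands
    device_gated: frozenset          # first set of functions (device check only)
    channel_gated: dict              # second set: function -> frozenset of channels

    def __post_init__(self):
        # Enforce the "mutually exclusive" limitation at configuration time.
        overlap = self.device_gated & frozenset(self.channel_gated)
        if overlap:
            raise ValueError(f"function sets overlap: {sorted(overlap)}")
        for fn, chans in self.channel_gated.items():
            if not chans <= CHANNELS:
                raise ValueError(f"{fn}: unknown channels {sorted(chans - CHANNELS)}")


def authorize(policy, device, channel, function):
    """Return (allowed, reason).  Deny by default for unknown functions/devices."""
    if device not in policy.preselected_devices:
        return False, "device not pre-selected"
    if function in policy.device_gated:
        return True, "first set: pre-selected device"
    allowed = policy.channel_gated.get(function)
    if allowed is None:
        return False, "unknown management function"
    if channel in allowed:
        return True, "second set: permitted logical channel"
    return False, f"second set: channel {channel} disabled for {function}"


# Constructed sample: zoning changes from any pre-selected device; security-policy
# edits only over serial console or SSH (HTTP and front panel disabled by operator).
SAMPLE_POLICY = ManagementPolicy(
    preselected_devices=frozenset({"mgmt-station-1", "switch-a"}),
    device_gated=frozenset({"set_zoning", "show_fabric"}),
    channel_gated={"edit_security_policy": frozenset({"serial", "ssh"}),
                   "change_admin_password": frozenset({"serial"})},
)


def run_samples():
    """Evaluate constructed requests (device, channel, function) against SAMPLE_POLICY."""
    requests = [("mgmt-station-1", "http", "set_zoning"),
                ("mgmt-station-1", "http", "edit_security_policy"),
                ("mgmt-station-1", "ssh", "edit_security_policy"),
                ("rogue-host", "serial", "set_zoning")]
    return [authorize(SAMPLE_POLICY, *r)[0] for r in requests]
```

The second request is the case the Board's analysis turns on: it is denied because of the function being invoked and the channel it arrives on, not because of the packet's source or destination as a protocol-filtering firewall would decide.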
ISSUE

Did the Examiner err in finding that the combination of Sudama and Firewall Q&A teaches or suggests: (1) “limiting access to a first set of one or more network management functions . . . by allowing control of said first set of network management functions only through one or more pre-selected devices”; (2) “limiting access to a second set of network management functions . . . only through one or more pre-determined logical channels of said one or more preselected devices”; and (3) “wherein the first set of network management functions is mutually exclusive from the second set of network management functions,” as recited in claim 62?

ANALYSIS

The Examiner finds that Sudama, which is directed to a method for providing security for distributing management operations among components of a computer network, teaches or suggests “limiting access to a first set of one or more network management functions . . . by allowing control of said first set of network management functions only through one or more pre-selected devices,” as recited in claim 62. See Ans. 4 (citing Sudama, col. 8, ll. 1 – 5 and 21 – 45). The Examiner finds that Sudama does not teach “limiting access to a second set of one or more network management functions . . . only through one of more predetermined logical channels of the pre-selected devices as specified by a network operator wherein the first set and second set of management functions are mutually exclusive.” See Ans. 4. Instead, the Examiner relies on Firewall Q&A, which describes how firewalls can protect individual computers and corporate networks from hostile intrusion from the Internet, to teach or suggest limiting access to resources by traffic through a firewall, with one type of filtering being protocol filtering (i.e., limiting access through pre-determined logical channels). See Ans. 5 (citing Firewall Q&A, 2, 4, 5, Figs. 2 and 3).

The Examiner finds that it would have been obvious to an artisan of ordinary skill to modify the teachings of Sudama “by allowing the management functions to be limited through a firewall and further limited through . . . a logical channel.” Ans. 5.

Appellants contend the Examiner erred because “Sudama teaches only a single set of management functions that must be received by a device over a single, authenticated link” and Firewall Q&A’s teachings merely relate to “a conventional, protocol-based, packet-filtering firewall” in which “packets are allowed to pass or not based on the protocol contained within the packet.” App. Br. 9. Appellants argue that “[t]his has nothing to do with restricting access to certain management functions by requiring they be accessed through a particular logical channel.” Id.; see also Reply Br. 5.

We find Appellants’ arguments persuasive. The Examiner finds that Firewall Q&A teaches or suggests filtering traffic in two ways: either by allowing traffic through the firewall to specified resources that “could be one set of management functions,” Ans. 12 (emphasis added), or by requiring traffic from unknown sources to meet additional criteria such as through a logical channel of the device, id. at 13. The Examiner further finds that “[t]he packets are mutually exclusive since one set is allowed and one set requires additional criteria to be met.” Id. at 5. However, we agree with Appellants that the Examiner’s findings do not show that Firewall Q&A, even in combination with Sudama, teaches or suggests the claimed first and second, mutually exclusive sets of network management functions. See, e.g., App. Br. 9 – 11; Reply Br. 5 – 6.

Importantly, the Examiner’s findings merely show that traffic may be further restricted through one or more pre-determined logical channels based on the source of the traffic or based on the resource the traffic is directed to (i.e., based on the destination of the traffic), as opposed to based on whether the traffic relates to accessing a first set of network management functions or to accessing a second set of network management functions. See Ans. 12 – 13. The Examiner’s finding that the “specified resources could be one set of management functions,” see id. at 12 (emphasis added), is speculative and not supported by the evidence before us.

Therefore, we agree with Appellants, App. Br. 9, that the Examiner erred in finding that the combination of Sudama and Firewall Q&A teaches or suggests: (1) “limiting access to a first set of one or more network management functions . . . by allowing control of said first set of network management functions only through one or more pre-selected devices”; (2) “limiting access to a second set of network management functions . . . only through one or more pre-determined logical channels of said one or more preselected devices”; and (3) “wherein the first set of network management functions is mutually exclusive from the second set of network management functions,” as recited in claim 62. The Examiner does not show that Yu or Ozcetin cures the noted deficiencies. Accordingly, we do not sustain the Examiner’s 35 U.S.C. § 103(a) rejection of claim 62, and claims 63 – 66, 69, 91 – 94, and 97, which contain similar recitations.

DECISION

We reverse the Examiner’s decision to reject claims 62 – 66, 69, 91 – 94, and 97.

REVERSED