Claim No.

Claim language

Corresponding features disclosed by Coss et al. in view of admitted prior art (APA)

added]
`
However, Coss et al. do not explicitly disclose that the modified rule set includes at least one rule as a function of a type of IP service.

It would have been obvious that the modified rule set includes at least one rule as a function of a type of IP service. For example, applying a known technique (dynamic rule modification) to a known device (firewall 211 programmed with at least one rule as a function of a type of IP service) yields predictable results that the modified rule set may also include at least one rule as a function of a type of IP service.
`
`37.
`
`A system comprising:
`
`Coss et al. illustrate a system in Figure 2
`
`a redirection server
`
`Coss et al. disclose firewall 211 is programmed
`
`programmed with a user's rule
`
`with a user's rule set correlated to an assigned
`
`set correlated to a temporarily
`
`network address. Firewall 211 is also connected
`
`assigned network address;
`
`between the user's computer (at user site 201) and
`
`the Internet 105, and controls the user's access to
`
`the Internet 105 by utilizing redirection
`
`functionality.
`
`For instance, Coss et al. disclose:
`
`"FIG. 2 shows a user site 201 connected to the
`
`Internet 105 via a firewall processor 211." [3:53-
`
`54]
`
`Request for ex parte reexamination of U.S. Patent No. 6,779,118
`Page 418 of 484
`
`Panasonic-1012
`Page 1335 of 1408
`
`
`
"With a capability for supporting multiple security domains, a single firewall can support multiple users, each with a separate security policy." [3:31-33, emphasis added]

The security policies can be represented by sets of access rules which are represented in tabular form and which are loaded into the firewall by a firewall administrator. As illustrated in FIG. 3, such a table can provide for categories including rule number, designations of source and destination hosts, a designation of a special service which can be called for in a packet, and a specification of an action to be taken on a packet.

"Source host group identifier or IP address" [4:39, emphasis added]

"Destination host group identifier or IP address" [4:40, emphasis added]

"This invention relates to the prevention of unauthorized access in computer networks and, more particularly, to firewall protection within computer networks." [1:6-8, emphasis added]

"Dynamic rules are rules which are included with the access rules as a need arises, for processing along with the access rules, e.g., by a rule processing engine. Dynamic rules can include unique, current information such as, for example, specific source and destination port numbers. They can be loaded at any time by trusted parties, e.g., a trusted application, remote proxy or firewall administrator, to authorize specific network sessions." [8:24-31, emphasis added]

"To unburden the firewall of application proxies, the firewall can be enabled to redirect a network session to a separate server for processing." [Abstract, emphasis added]

"Proxy reflection in accordance with the present invention involves redirecting a network session to another, "remote" proxy server for processing, and then later passing it back via the firewall to the intended destination. When a new session enters the firewall, a decision is made to determine whether service by a proxy server is required. If so, the firewall replaces the destination address in the packet with the host address of the proxy application and, if necessary, it can also change the service port." [Coss et al., col. 8, lines 56-65, emphasis added]

However, Coss et al. do not explicitly disclose the firewall 211 is programmed with a user's rule set correlated to a temporarily assigned network address.

It is well known that dial-up users are often provided with a temporarily assigned IP address. For example, admitted prior art (APA) systems are described in the '118 patent as follows:

"In prior art systems as shown in FIG. 1 when an Internet user establishes a connection with an Internet Service Provider (ISP), the user first makes a physical connection between their computer 100 and a dial-up networking server 102, the user provides to the dial-up networking server their user ID and password. The dial-up networking server then passes the user ID and password, along with a temporary Internet Protocol (IP) address for use by the user to the ISP's authentication and accounting server 104. A detailed description of the IP communications protocol is discussed in Internetworking with TCP/IP, 3rd ed., Douglas Comer, Prentice Hall, 1995, which is fully incorporated herein by reference. The authentication and accounting server, upon verification of the user ID and password using a database 106 would send an authorization message to the dial-up networking server 102 to allow the user to use the temporary IP address assigned to that user by the dial-up networking server and then logs the connection and assigned IP address. For the duration of that session, whenever the user would make a request to the Internet 110 via a gateway 108, the end user would be identified by the temporarily assigned IP address." ['118 patent, 1st paragraph of Background of the Invention section, emphasis added]
`
Firewall 211 is programmed with a user's rule set correlated to an IP address. It would have been obvious that this IP address may be temporarily assigned. A first reason is this is simply combining prior art elements (temporary IP addresses) to known methods (assigning a user with an IP address) to yield predictable results. A second reason is this would allow dial-up users to temporarily connect their computers to the user site 201, as suggested by the APA systems.

Claim language: wherein the rule set contains at least one of a plurality of functions used to control data passing between the user and a public network;

Corresponding features: Coss et al. disclose the rule set contains at least one of a plurality of functions used to control data passing between the user and a public network.

For instance, the rule set (rule table of Figure 3) contains at least one (Rule No. 20) of a plurality of functions (categories listed in column 4, line 35 to column 5, line 35) used to control (action=DROP in this example) data passing between the user (Source host="A") and a public network (destination host="*" which includes all hosts on the Internet 105).
`
Claim language: wherein the redirection server is configured to allow automated modification of at least a portion of the rule set correlated to the temporarily assigned network address;

Corresponding features: Coss et al. disclose the firewall 211 is configured to allow automated modification of at least a portion of the rule set correlated to the assigned network address:

"Dynamic rules can include unique, current information such as, for example, specific source and destination port numbers. They can be loaded at any time by trusted parties, e.g., a trusted application, remote proxy or firewall administrator, to authorize specific network sessions." [8:26-31]

"The dynamic rules allow a given rule set to be modified based on events happening in the network without requiring that the entire rule set be reloaded." [8:34-36, emphasis added]

"Source host group identifier or IP address" [4:39, emphasis added]

"Destination host group identifier or IP address" [4:40, emphasis added]

However, Coss et al. do not explicitly disclose the firewall 211 is configured to allow automated modification of at least a portion of the rule set correlated to the temporarily assigned network address.

Firewall 211 is programmed with a user's rule set correlated to an IP address. As explained above, it would have been obvious that this IP address may be temporarily assigned. A first reason is this is simply combining prior art elements (temporary IP addresses) to known methods (assigning a user with an IP address) to yield predictable results. A second reason is this would allow dial-up users to temporarily connect their computers to the user site 201, as suggested by the APA systems.
`
Claim language: wherein the redirection server is configured to allow automated modification of at least a portion of the rule set as a function of some combination of time, data transmitted to or from the user, or location the user accesses; and

Corresponding features: Coss et al. disclose the firewall 211 is configured to allow automated modification of at least a portion of the rule set as a function of some combination of time, data transmitted to or from the user, or location the user accesses:

"In accordance with a fourth aspect of the invention, a computer network firewall may make use of dynamic rules which are added to a set of access rules for processing packets. The dynamic rules allow a given rule set to be modified based on events happening in the network without requiring that the entire rule set be reloaded. Exemplary dynamic rules include a "one-time" rule which is only used for a single session, a time-limited rule which is used only for a specified time period, and a threshold rule which is used only when certain conditions are satisfied. Other types of dynamic rules include rules which define a host group, such that the host group can be modified to add or drop different hosts without altering other aspects of the access rule set." [2:29-41, emphasis added]

"Dynamic rules can include unique, current information such as, for example, specific source and destination port numbers. They can be loaded at any time by trusted parties, e.g., a trusted application, remote proxy or firewall administrator, to authorize specific network sessions." [8:26-31]

"For example, an FTP proxy application could use a dynamic rule to authorize establishment of an FTP data channel in response to a data request. The dynamic rule in this example would typically not be loaded until a data request is made over the FTP control session, and could be limited to one use and made active for only a limited time period." [8:48-52, emphasis added]
`
Claim language: wherein the modified rule set includes an initial temporary rule set and a standard rule set, and wherein the redirection server is configured to utilize the temporary rule set for an initial period of time and to thereafter utilize the standard rule set.

Corresponding features: Coss et al. disclose that the rule set includes an initial temporary rule set and a standard rule set, and wherein the redirection server is configured to utilize the temporary rule set for an initial period of time and to thereafter utilize the standard rule set.

For instance, Coss et al. disclose:

"Exemplary dynamic rules include a 'one-time' rule which is only used for a single session, a time-limited rule which is used only for a specified time period, and a threshold rule which is used only when certain conditions are satisfied." [8:37-40, emphasis added]

Accordingly, Coss et al. disclose utilizing an initial rule set being a set of rules including the time-limited rule before the specified time period has expired, and utilizing a standard rule set being the set of rules not including the time-limited rule after the specified time period has expired.

However, Coss et al. do not explicitly disclose that the modified rule set includes an initial temporary rule set and a standard rule set, and wherein the redirection server is configured to utilize the temporary rule set for an initial period of time and to thereafter utilize the standard rule set.

It would have been obvious that the modified rule set includes an initial temporary rule set and a standard rule set, and wherein the redirection server is configured to utilize the temporary rule set for an initial period of time and to thereafter utilize the standard rule set. For example, applying a known technique (dynamic rule modification) to a known device (firewall 211 programmed to utilize the temporary rule set for an initial period of time and to thereafter utilize the standard rule set) yields predictable results that the modified rule set may also cause the firewall 211 to utilize the temporary rule set for an initial period of time and to thereafter utilize the standard rule set.
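To make the mechanism in the quoted passages concrete, the following is an added illustrative rule engine, not code from Coss et al. or from the '118 patent: a standard rule table in the style of Rule No. 20 and Rule No. 40, one-time and time-limited dynamic rules loaded without reloading the table, and one rule set per assigned address, so that an initial temporary rule is in force for a period and only the standard rules apply thereafter. The host names "A", "B" and "D", the services, the rule numbers 10 and 30 and all times are constructed for the walkthrough.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DROP, PASS = "DROP", "PASS"
ANY = "*"  # wildcard host or service, like the "*" destination host of Rule No. 20


@dataclass
class Packet:
    src: str      # source host identifier or IP address
    dst: str      # destination host identifier or IP address
    service: str  # special service called for in the packet, e.g. "MAIL"


@dataclass
class Rule:
    number: int
    src: str
    dst: str
    service: str
    action: str
    # Dynamic-rule attributes; both unset for a standard rule from the loaded table.
    expires_at: Optional[float] = None  # time-limited rule: gone after this instant
    one_time: bool = False              # one-time rule: used for a single session only
    used: bool = False

    def active(self, now: float) -> bool:
        """A dynamic rule drops out of the set once it has expired or been consumed."""
        if self.one_time and self.used:
            return False
        return self.expires_at is None or now < self.expires_at

    def matches(self, pkt: Packet) -> bool:
        pairs = ((self.src, pkt.src), (self.dst, pkt.dst), (self.service, pkt.service))
        return all(want in (ANY, have) for want, have in pairs)


class RuleSet:
    """Standard access rules plus dynamic rules loaded later without a full reload."""

    def __init__(self, standard: List[Rule]) -> None:
        self.standard = sorted(standard, key=lambda r: r.number)
        self.dynamic: List[Rule] = []

    def load_dynamic(self, rule: Rule) -> None:
        self.dynamic.append(rule)  # e.g. loaded by a trusted proxy application

    def effective(self, now: float) -> List[Rule]:
        """Rules in force at `now`, in rule-number order; inactive dynamic rules are purged."""
        self.dynamic = [r for r in self.dynamic if r.active(now)]
        return sorted(self.standard + self.dynamic, key=lambda r: r.number)

    def decide(self, pkt: Packet, now: float) -> Tuple[str, Optional[int]]:
        """First matching rule wins; default deny when nothing matches."""
        for rule in self.effective(now):
            if rule.matches(pkt):
                if rule.one_time:
                    rule.used = True
                return rule.action, rule.number
        return DROP, None


class Firewall:
    """One rule set per user, correlated to the user's (temporarily) assigned address."""

    def __init__(self) -> None:
        self.by_address: Dict[str, RuleSet] = {}

    def assign(self, address: str, rules: RuleSet) -> None:
        self.by_address[address] = rules    # session start: address handed to the user

    def release(self, address: str) -> None:
        self.by_address.pop(address, None)  # session end: address returns to the pool

    def decide(self, address: str, pkt: Packet, now: float) -> Tuple[str, Optional[int]]:
        rules = self.by_address.get(address)
        return rules.decide(pkt, now) if rules else (DROP, None)


def scenario() -> dict:
    """Constructed walkthrough: "A", "B", "D" are host names, times are seconds."""
    fw = Firewall()
    # User assigned address "A": standard rule in the style of Rule No. 20 (A -> * DROP)
    # plus an initial temporary rule admitting MAIL to D for the first 60 s only.
    rs_a = RuleSet([Rule(20, "A", ANY, ANY, DROP)])
    rs_a.load_dynamic(Rule(10, "A", "D", "MAIL", PASS, expires_at=60.0))
    # User assigned address "B": standard rule in the style of Rule No. 40 (MAIL to D PASS)
    # plus a one-time, time-limited rule opening an FTP data channel after a data request.
    rs_b = RuleSet([Rule(40, ANY, "D", "MAIL", PASS)])
    rs_b.load_dynamic(Rule(30, "B", "D", "FTP-DATA", PASS, expires_at=30.0, one_time=True))
    fw.assign("A", rs_a)
    fw.assign("B", rs_b)
    out = {}
    out["a_mail_initial"] = fw.decide("A", Packet("A", "D", "MAIL"), 5.0)       # temporary rule 10
    out["b_mail"] = fw.decide("B", Packet("B", "D", "MAIL"), 5.0)               # standard rule 40
    out["b_ftpdata_first"] = fw.decide("B", Packet("B", "D", "FTP-DATA"), 6.0)  # single use allowed
    out["b_ftpdata_second"] = fw.decide("B", Packet("B", "D", "FTP-DATA"), 7.0) # rule consumed
    out["a_mail_after"] = fw.decide("A", Packet("A", "D", "MAIL"), 70.0)        # period expired
    out["a_rules_after"] = tuple(r.number for r in rs_a.effective(70.0))        # standard set only
    fw.release("A")
    out["a_after_release"] = fw.decide("A", Packet("A", "D", "MAIL"), 71.0)
    return out
```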
`
`38.
`
`A system comprising:
`
`Coss et al. illustrate a system in Figure 2
`
`a redirection server
`
`Coss et al. disclose firewall 211 is programmed
`
`programmed with a user's rule
`
`with a user's rule set correlated to an assigned
`
`set correlated to a temporarily
`
`network address. Firewall 211 is also connected
`
`between the user's computer (at user site 201) and
`
`Request for ex parte reexamination of U.S. Patent No. 6,779,118
`Page 426 of 484
`
`Panasonic-1012
`Page 1343 of 1408
`
`
`
`Claim
`No.
`
`Claim language
`
`assigned network address;
`
`Corresponding features disclosed by Coss et al.
`in view of admitted prior art (APA)
`the Internet 105, and controls the user's access to
`
`the Internet 105 by utilizing redirection
`
`functionality.
`
`For instance, Coss et al. disclose:
`
`"FIG. 2 shows a user site 201 connected to the
`
`Internet 105 via a firewall processor 211." [3:53-
`
`54]
`
`"With a capability for supporting multiple security
`
`domains, a single firewall can su1mort multi_ule
`
`users~ each with a se_uarate securitv _uolic:y."
`
`[3:31-33, emphasis added]
`
`The security policies can be represented by sets of
`
`access rules which are re_uresented in tabular
`
`form and which are loaded into the firewall by a
`
`firewall administrator. As illustrated in FIG. 3, such
`
`a table can provide for categories including rule
`
`number, designations of source and destination
`
`hosts, a designation of a special service which can
`
`be called for in a packet, and a specification of an
`
`action to be taken on a packet.
`
`"Source host group identifier or IP address" [ 4:39,
`
`emphasis added]
`
`"Destination host group identifier or IP address"
`
`[4:40, emphasis added]
`
`"This invention relates to the _urevention of
`
`Request for ex parte reexamination of U.S. Patent No. 6,779,118
`Page 427 of 484
`
`Panasonic-1012
`Page 1344 of 1408
`
`
`
`Claim
`No.
`
`Claim language
`
`Corresponding features disclosed by Coss et al.
`in view of admitted prior art (APA)
`unauthorized access in com_uuter networks and,
`
`more particularly, to firewall protection within
`
`computer networks." [1 :6-8, emphasis added]
`
`"Dynamic rules are rules which are included with
`
`the access rules as a need arises, for processing
`
`along with the access rules, e.g., by a rule
`
`processing engine. Dynamic rules can include
`
`unique, current information such as, for example,
`
`specific source and destination port numbers. They
`
`can be loaded at any time by trusted _uarties~ e.g.~
`
`a trusted a_u_ulication~ remote _uroxy or firewall
`
`administrator~ to authorize s_uecific network
`
`sessions." [8 :24-31, emphasis added]
`
`"To unburden the firewall of application proxies,
`
`the firewall can be enabled to redirect a network
`
`session to a separate server for processing."
`
`[Abstract, emphasis added]
`
`"Proxy reflection in accordance with the present
`
`invention involves redirecting a network session to
`
`another, "remote" proxy server for processing, and
`
`then later passing it back via the firewall to the
`
`intended destination. When a new session enters the
`
`firewall, a decision is made to determine whether
`
`service by a proxy server is required. If so, the
`
`firewall re_ulaces the destination address in the
`
`_uacket with the host address of the _uroxy
`
`a_u_ulication and~ if necessary~ it can also change
`
`the service _uort." [Coss et al., col. 8, lines 56-65,
`
`Request for ex parte reexamination of U.S. Patent No. 6,779,118
`Page 428 of 484
`
`Panasonic-1012
`Page 1345 of 1408
`
`
`
`Claim
`No.
`
`Claim language
`
`Corresponding features disclosed by Coss et al.
`in view of admitted prior art (APA)
`emphasis added]
`
`However, Coss et al. do not explicitly disclose the
`
`firewall 211 is programmed with a user's rule set
`
`correlated to a temporarily assigned network
`
`address.
`
It is well known that dial-up users are often provided with a temporarily assigned IP address. For example, admitted prior art (APA) systems are described in the '118 patent as follows:

"In prior art systems as shown in FIG. 1 when an Internet user establishes a connection with an Internet Service Provider (ISP), the user first makes a physical connection between their computer 100 and a dial-up networking server 102, the user provides to the dial-up networking server their user ID and password. The dial-up networking server then passes the user ID and password, along with a temporary Internet Protocol (IP) address for use by the user to the ISP's authentication and accounting server 104. A detailed description of the IP communications protocol is discussed in Internetworking with TCP/IP, 3rd ed., Douglas Comer, Prentice Hall, 1995, which is fully incorporated herein by reference. The authentication and accounting server, upon verification of the user ID and password using a database 106 would send an authorization message to the dial-up networking server 102 to allow the user to use the temporary IP address assigned to that user by the dial-up networking server and then logs the connection and assigned IP address. For the duration of that session, whenever the user would make a request to the Internet 110 via a gateway 108, the end user would be identified by the temporarily assigned IP address." ['118 patent, 1st paragraph of Background of the Invention section, emphasis added]

Firewall 211 is programmed with a user's rule set correlated to an IP address. It would have been obvious that this IP address may be temporarily assigned. A first reason is this is simply combining prior art elements (temporary IP addresses) to known methods (assigning a user with an IP address) to yield predictable results. A second reason is this would allow dial-up users to temporarily connect their computers to the user site 201, as suggested by the APA systems.
`
Claim language: wherein the rule set contains at least one of a plurality of functions used to control data passing between the user and a public network;

Corresponding features: Coss et al. disclose the rule set contains at least one of a plurality of functions used to control data passing between the user and a public network.

For instance, the rule set (rule table of Figure 3) contains at least one (Rule No. 20) of a plurality of functions (categories listed in column 4, line 35 to column 5, line 35) used to control (action=DROP in this example) data passing between the user (Source host="A") and a public network (destination host="*" which includes all hosts on the Internet 105).
`
Claim language: wherein the redirection server is configured to allow automated modification of at least a portion of the rule set correlated to the temporarily assigned network address;

Corresponding features: Coss et al. disclose the firewall 211 is configured to allow automated modification of at least a portion of the rule set correlated to the assigned network address:

"Dynamic rules can include unique, current information such as, for example, specific source and destination port numbers. They can be loaded at any time by trusted parties, e.g., a trusted application, remote proxy or firewall administrator, to authorize specific network sessions." [8:26-31]

"The dynamic rules allow a given rule set to be modified based on events happening in the network without requiring that the entire rule set be reloaded." [8:34-36, emphasis added]

"Source host group identifier or IP address" [4:39, emphasis added]

"Destination host group identifier or IP address" [4:40, emphasis added]

However, Coss et al. do not explicitly disclose the firewall 211 is configured to allow automated modification of at least a portion of the rule set correlated to the temporarily assigned network address.

Firewall 211 is programmed with a user's rule set correlated to an IP address. As explained above, it would have been obvious that this IP address may be temporarily assigned. A first reason is this is simply combining prior art elements (temporary IP addresses) to known methods (assigning a user with an IP address) to yield predictable results. A second reason is this would allow dial-up users to temporarily connect their computers to the user site 201, as suggested by the APA systems.
`
Claim language: wherein the redirection server is configured to allow automated modification of at least a portion of the rule set as a function of some combination of time, data transmitted to or from the user, or location the user accesses; and

Corresponding features: Coss et al. disclose the firewall 211 is configured to allow automated modification of at least a portion of the rule set as a function of some combination of time, data transmitted to or from the user, or location the user accesses:

"In accordance with a fourth aspect of the invention, a computer network firewall may make use of dynamic rules which are added to a set of access rules for processing packets. The dynamic rules allow a given rule set to be modified based on events happening in the network without requiring that the entire rule set be reloaded. Exemplary dynamic rules include a "one-time" rule which is only used for a single session, a time-limited rule which is used only for a specified time period, and a threshold rule which is used only when certain conditions are satisfied. Other types of dynamic rules include rules which define a host group, such that the host group can be modified to add or drop different hosts without altering other aspects of the access rule set." [2:29-41, emphasis added]

"Dynamic rules can include unique, current information such as, for example, specific source and destination port numbers. They can be loaded at any time by trusted parties, e.g., a trusted application, remote proxy or firewall administrator, to authorize specific network sessions." [8:26-31]

"For example, an FTP proxy application could use a dynamic rule to authorize establishment of an FTP data channel in response to a data request. The dynamic rule in this example would typically not be loaded until a data request is made over the FTP control session, and could be limited to one use and made active for only a limited time period." [8:48-52, emphasis added]
`
Claim language: wherein the modified rule set includes at least one rule allowing access based on a request type and a destination address.

Corresponding features: Coss et al. disclose that the rule set includes at least one rule allowing access based on a request type and a destination address.

For instance, Coss et al. disclose:

Rule No. 40 in Figure 3 allowing access (i.e., action = "PASS") based on a request type of "MAIL" and a destination host of "D".

"In FIG. 3, the categories "Source Host," "Destination Host" and "Service" impose conditions which must be satisfied by data included in a packet for the specified action to be taken on that packet." [4:2-11, emphasis added]

However, Coss et al. do not explicitly disclose that the modified rule set includes at least one rule allowing access based on a request type and a destination address.

It would have been obvious that the modified rule set includes at least one rule allowing access based on a request type and a destination address. For example, applying a known technique (dynamic rule modification) to a known device (firewall 211 programmed with rule set including at least one rule allowing access based on a request type and a destination address) yields predictable results that the firewall is programmed with a modified rule set including at least one rule allowing access based on a request type and a destination address.
`
`39.
`
`A system comprising:
`
`Coss et al. illustrate a system in Figure 2
`
`a redirection server
`
`Coss et al. disclose firewall 211 is programmed
`
`programmed with a user's rule
`
`with a user's rule set correlated to an assigned
`
`set correlated to a temporarily
`
`network address. Firewall 211 is also connected
`
`assigned network address;
`
`between the user's computer (at user site 201) and
`
`the Internet 105, and controls the user's access to
`
`the Internet 105 by utilizing redirection
`
`Request for ex parte reexamination of U.S. Patent No. 6,779,118
`Page 434 of 484
`
`Panasonic-1012
`Page 1351 of 1408
`
`
`
`Claim
`No.
`
`Claim language
`
`Corresponding features disclosed by Coss et al.
`in view of admitted prior art (APA)
`functionality.
`
`For instance, Coss et al. disclose:
`
`"FIG. 2 shows a user site 201 connected to the
`
`Internet 105 via a firewall processor 211." [3:53-
`
`54]
`
`"With a capability for supporting multiple security
`
`domains, a single firewall can su1mort multiple
`
`users~ each with a separate securitv policy."
`
`[3:31-33, emphasis added]
`
`The security policies can be represented by sets of
`
`access rules which are represented in tabular
`
`form and which are loaded into the firewall by a
`
`firewall administrator. As illustrated in FIG. 3, such
`
`a table can provide for categories including rule
`
`number, designations of source and destination
`
`hosts, a designation of a special service which can
`
`be called for in a packet, and a specification of an
`
`action to be taken on a packet.
`
`"Source host group identifier or IP address" [ 4:39,
`
`emphasis added]
`
`"Destination host group identifier or IP address"
`
`[4:40, emphasis added]
`
`"This invention relates to the prevention of
`
`unauthorized access in computer networks and,
`
`more particularly, to firewall protection within
`
`Request for ex parte reexamination of U.S. Patent No. 6,779,118
`Page 435 of 484
`
`Panasonic-1012
`Page 1352 of 1408
`
`
`
`Claim
`No.
`
`Claim language
`
`Corresponding features disclosed by Coss et al.
`in view of admitted prior art (APA)
`computer networks." [1 :6-8, emphasis added]
`
`"Dynamic rules are rules which are included with
`
`the access rules as a need arises, for processing
`
`along with the access rules, e.g., by a rule
`
`processing engine. Dynamic rules can include
`
`unique, current information such as, for example,
`
`specific source and destination port numbers. They
`
`can be loaded at any time by trusted _uarties~ e.g.~
`
`a trusted a_u_ulication~ remote _uroxy or firewall
`
`administrator~ to authorize s_uecific network
`
`sessions." [8 :24-31, emphasis added]
`
`"To unburden the firewall of application proxies,
`
`the firewall can be enabled to redirect a network
`
`session to a separate server for processing."
`
`[Abstract, emphasis added]
`
`"Proxy reflection in accordance with the present
`
`invention involves redirecting a network session to
`
`another, "remote" proxy server for processing, and
`
`then later passing it back via the firewall to the
`
`intended destination. When a new session enters the
`
`firewall, a decision is made to determine whether
`
`service by a proxy server is required. If so, the
`
`firewall re_ulaces the destination address in the
`
`_uacket with the host address of the _uroxy
`
`a_u_ulication and~ if necessary~ it can also change
`
`the service _uort." [Coss et al., col. 8, lines 56-65,
`
`emphasis added]
`
However, Coss et al. do not explicitly disclose the firewall 211 is programmed with a user's rule set correlated to a temporarily assigned network address.

It is well known that dial-up users are often provided with a temporarily assigned IP address. For example, admitted prior art (APA) systems are described in the '118 patent as follows:

"In prior art systems as shown in FIG. 1 when an Internet user establishes a connection with an Internet Service Provider (ISP), the user first makes a physical connection between their computer 100 and a dial-up networking server 102, the user provides to the dial-up networking server their user ID and password. The dial-up networking server then passes the user ID and password, along with a temporary Internet Protocol (IP) address for use by the user to the ISP's authentication and accounting server 104. A detailed description of the IP communications protocol is discussed in Internetworking with TCP/IP, 3rd ed., Douglas Comer, Prentice Hall, 1995, which is fully incorporated herein by reference. The authentication and accounting server, upon verification of the user ID and password using a database 106 would send an authorization message to the dial-up networking server 102 to allow the user to use the temporary IP address assigned to that user by the dial-up networking server and then logs the connection and assigned IP address. For the duration of that session, whenever the user would make a request to the Internet 110 via a gateway 108, the end user would be identified by the temporar