Application/Control Number: 95/002,035 and 90/012,342
Art Unit: 3992

Page 53

al. also disclose that after a user of the newly connected client logs in, the filter sequence
associated with the client device is changed to another sequence. For example:

"The SMS maintains a series of filtering profiles, each of which includes one or more of filtering
rules. The SMS sets a default filter sequence for the newly connected client system by
downloading the sequence by the SMS to the ANCS .... Subsequently, the packet filter uses the
rules of the login filtering profile sequence to selectively forward or discard IP packets
originating from the client system. This filtering sequence will allow newly connected client
systems to perform login but nothing else." [3:5-22, emphasis added]

"A preferred embodiment of the present invention also generates or selects filtering profiles for
users. With the login filtering profile sequence in place, a user can use the newly connected
client system to login to the network. The user login is monitored by the SMS. If the user login
is successful, the SMS selects or generates a user filtering profile sequence. The user filtering
profile sequence is then downloaded by the SMS to the ANCS .... Subsequently, the new packet
filter uses the rules of the user filtering profile sequence to selectively forward or discard IP
packets originating from the client system." [3:34-50, emphasis added]

However, Radia et al. do not explicitly disclose utilizing the login filtering sequence for an
initial period of time. (Instead Radia et al. only disclose utilizing the login filtering sequence
until the user logs in.)

Coss et al. disclose that the individualized rule set includes an initial temporary rule set and a
standard rule set, and wherein the firewall 211 is configured to utilize the temporary rule set for
an initial period of time and to thereafter utilize the standard rule set.

For instance, Coss et al. disclose:

"Exemplary dynamic rules include a 'one-time' rule which is only used for a single session; a
time-limited rule which is used only for a specified time period, and a threshold rule which is
used only when certain conditions are satisfied." [8:37-40, emphasis added]

Accordingly, Coss et al. disclose utilizing an initial rule set being a set of rules including the
time-limited rule before the specified time period has expired, and utilizing a standard rule set
being the set of rules not including the time-limited rule after the specified time period has
expired.

Since each individual element and its function are shown in the prior art, albeit shown in separate
references, the difference between the claimed subject matter and the prior art rests not on any
individual element or function but in the very combination itself-that is in the substitution of the
firewall 211 of Coss for the router 106 in Fig. 1 of Radia. Thus, the simple substitution of one
known element (i.e. firewall 211 for the router 106) for another producing a predictable result
renders the claim obvious.

Panasonic-1014
Page 451 of 1980

53. The system of claim 1, wherein the individualized rule set includes at least one rule
allowing access based on a request type and a destination address.

Radia et al. disclose that the individualized rule set includes at least one rule allowing access
based on a type of IP (Internet Protocol) packet and destination address.

For instance, Radia et al. disclose:

"In FIG. 5, it may be seen that each filtering rule 404 includes an action 500. Action 500
specifies the disposition of IP packets that match by a particular filtering rule 404. In particular,
action 500 may indicate that a matched IP packet will be forwarded, or that a matched IP
packet will be discarded." [6:14-18]

"Filtering rule 404 also includes a protocol type 506. Protocol type 506 corresponds to the
protocol type of an IP packet. Thus, the protocol type 506 of each filtering rule 404 has a value
that corresponds to an IP packet type, such as TCP, UDP, ICMP, etc. To match a particular
filtering rule 404, an IP packet must have a protocol type that matches the protocol type 506
included in the filtering rule 404" [6:30-36, emphasis added]

"Filtering rule 404 also includes a destination IP address 502 and a destination IP mask 504.
Destination IP address 502 corresponds to the destination address included in the header of an IP
packet. Destination IP mask 504 is similar to destination IP address 502 but corresponds to a
range of destination addresses. To match a particular filtering rule 404, an IP packet must
either have a destination address that matches the destination address 502 included in the
filtering rule 404 or have a destination address that is covered by the destination address mask
504 of the filtering rule 404." [6:18-29, emphasis added]

However, Radia et al. do not explicitly disclose the individualized rule set includes at least one
rule allowing access based on a request type and a destination address.

Coss et al. disclose that the individualized rule set includes at least one rule allowing access
based on a request type and a destination address.

For instance, Coss et al. disclose:

Rule No. 40 in Figure 3 allowing access (i.e., action = "PASS") based on a request type of
"MAIL" and a destination host of "D".

"In FIG. 3, the categories "Source Host," "Destination Host" and "Service" impose conditions
which must be satisfied by data included in a packet for the specified action to be taken on that
packet." [4:2-11, emphasis added]

Since each individual element and its function are shown in the prior art, albeit shown in separate
references, the difference between the claimed subject matter and the prior art rests not on any
individual element or function but in the very combination itself-that is in the substitution of the
firewall 211 of Coss for the router 106 in Fig. 1 of Radia. Thus, the simple substitution of one
known element (i.e. firewall 211 for the router 106) for another producing a predictable result
renders the claim obvious.

54. The system of claim 44, wherein the individualized rule set includes at least one rule
redirecting the data to a new destination address based on a request type and an attempted
destination address.

Radia et al. do not explicitly disclose that the individualized rule set includes at least one rule
redirecting the data to a new destination address based on a request type and an attempted
destination address.

However, Coss et al. disclose that the individualized rule set includes at least one rule
redirecting the data to a new destination address based on a request type and an attempted
destination address.

For instance, Coss et al. disclose:

Rule No. 30 in Figure 3 redirecting data (i.e., action = "PROXY") based on a request type of
"TELNET" and attempted destination host of "C".

"In FIG. 3, the categories "Source Host," "Destination Host" and "Service" impose conditions
which must be satisfied by data included in a packet for the specified action to be taken on that
packet." [4:2-11, emphasis added]

Since each individual element and its function are shown in the prior art, albeit shown in separate
references, the difference between the claimed subject matter and the prior art rests not on any
individual element or function but in the very combination itself-that is in the substitution of the
firewall 211 of Coss for the router 106 in Fig. 1 of Radia. Thus, the simple substitution of one
known element (i.e. firewall 211 for the router 106) for another producing a predictable result
renders the claim obvious.

55. The system of claim 44, wherein the redirection server is configured to redirect data from
the users' computers by replacing a first destination address in an IP (Internet protocol)
packet header by a second destination address as a function of the individualized rule set.

Radia et al. do not disclose that the redirection server is configured to redirect data from the users'
computers by replacing a first destination address in an IP (Internet protocol) packet header by a
second destination address as a function of the individualized rule set.

However, Coss et al. disclose that firewall 211 is configured to redirect data from the users'
computers by replacing a first destination address in an IP (Internet protocol) packet header by a
second destination address as a function of the individualized rule set.

For instance, Coss et al. disclose:

"As illustrated in FIG. 3, such a table can provide for categories including rule number,
designations of source and destination hosts, a designation of a special service which can be
called for in a packet, and a specification of an action to be taken on a packet." [4:1-6,
emphasis added]

"1004: if the action indicates a remote proxy, the packet's destination address is replaced with the
address of the remote proxy; if configured, the destination port can be changed as well; the
original packet header data is recorded in the session cache along with any changed values;"
[9:39-44, emphasis added]

Since each individual element and its function are shown in the prior art, albeit shown in separate
references, the difference between the claimed subject matter and the prior art rests not on any
individual element or function but in the very combination itself-that is in the substitution of the
firewall 211 of Coss for the router 106 in Fig. 1 of Radia. Thus, the simple substitution of one
known element (i.e. firewall 211 for the router 106) for another producing a predictable result
renders the claim obvious.

56. In a system comprising

Radia et al. Figure 1: computer network 100 is a system

a database with entries correlating each of a plurality of user IDs with an individualized
rule set;

Radia et al. Figure 3: filtering profiles 316 are a database with entries correlating each of a
plurality of user IDs with an individualized rule set.

For instance, Radia et al. disclose:

"In step 908, which follows, a sequence of filtering profiles 400 associated with the user are
retrieved, by SMS 114, from filtering profile database 316. In general, it may be appreciated
that various users of network 100 will have varying types of allowed access. As a result, different
network users will require different filtering profiles 400. Generally, these filtering profiles 400
are defined separately for each user using either automatic or manual generation techniques. For
the present invention, these filtering profiles 400 are preferably maintained in filtering profile
database 316 and retrieved using the identity of the particular user." [9:46-56, emphasis
added]

a dial-up network server that receives user IDs from users' computers;

Radia et al. disclose in Figure 1 that modems 104 (which may be telephone - i.e., dial-up) and
DHCP server 110 establish a communications link with the user's PC. A login applet on the
user's computer (one of PCs 102) allows users to login to the network 100.

For instance, Radia et al. disclose:

"A cable modem 104 is connected to each client system 102." [1:11-12, emphasis added]

"For example, an internet service provider (ISP) may have users who connect, login, logoff and
disconnect to its network over time telephone or cable modems." [2:45-48, emphasis
added]

"The client systems, which are typically personal computers using cable modems, connect to the
router. As part of the connection process, each client system receives a dynamically
allocated IP address from the DHCP server." [2:67-3:4, emphasis added]

"For a preferred embodiment of network 100, user logins are handled by downloading small,
specifically tailored applications, known as "login applets," to client systems 102. The login
applets are downloaded from a server system, such as server system 108, or in some cases, from
SMS 114." [8:30-34, emphasis added]

"More specifically, as discussed with regard to method 700, for a preferred embodiment of
network 100, users login to network 100 using a login applet that communicates with a login
server, such as SMS 114." [9:39-42, emphasis added]

However, Radia et al. do not explicitly disclose a dial-up network server that receives user IDs
from users' computers.

Admitted prior art (APA) systems in Figure 1 of the '118 patent include a dial-up networking
server 102 that receives user IDs from users' computers 100.

The APA systems are described as follows:

"In prior art systems as shown in FIG. 1 when an Internet user establishes a connection with an
Internet Service Provider (ISP), the user first makes a physical connection between their
computer 100 and a dial-up networking server 102, the user provides to the dial-up
networking server their user ID and password. The dial-up networking server then passes the
user ID and password, along with a temporary Internet Protocol (IP) address for use by the user
to the ISP's authentication and accounting server 104. A detailed description of the IP
communications protocol is discussed in Internetworking with TCP/IP, 3rd ed., Douglas Comer,
Prentice Hall, 1995, which is fully incorporated herein by reference. The authentication and
accounting server, upon verification of the user ID and password using a database 106 would
send an authorization message to the dial-up networking server 102 to allow the user to use the
temporary IP address assigned to that user by the dial-up networking server and then logs
the connection and assigned IP address." ['118 patent, 1st paragraph of Background of the
Invention section, emphasis added]

It would have been obvious to substitute the DHCP server 110 and login applet disclosed by
Radia et al. with the dial-up networking server 102 included in the APA systems to thereby obtain
the predictable results of: 1) allowing dial-up users to login through the dial-up networking
server rather than through an applet running on the user's computer, and 2)
assigning a temporary IP address to the user's computer by the dial-up networking server 102
rather than by the DHCP server 110.

a redirection server connected between the dial-up network server and a public network,
and

Radia et al. Figure 1: router 106 is connected to the dial-up network server (substituted for
DHCP server 110 and login applet) and server systems 108 of the network 100. Router 106 is
similar to a redirection server because router 106 is connected between the user's computer (PC
102) and the network's server systems 108, and controls the user's access to the network's server
systems 108.

Radia et al. further disclose that the network is a public network such as the Internet:

"For example, assume that a company uses a router to link its internal intranet with an external
network, such as the Internet." [2:5-7, emphasis added]

However, Radia et al. do not explicitly disclose that the router 106 controls the user's access to
the public network by utilizing redirection functionality.

Coss et al. disclose a firewall that is connected between a user's computer and a public network
that controls the user's access to the network by utilizing redirection functionality.

For instance, Coss et al. disclose:

"FIG. 2 shows a user site 201 connected to the Internet 105 via a firewall processor 211." [3:53-54]

"This invention relates to the prevention of unauthorized access in computer networks and,
more particularly, to firewall protection within computer networks." [1:6-8, emphasis]

"Dynamic rules are rules which are included with the access rules as a need arises, for processing
along with the access rules, e.g., by a rule processing engine. Dynamic rules can include unique,
current information such as, for example, specific source and destination port numbers. They can
be loaded at any time by trusted parties, e.g., a trusted application, remote proxy or
firewall administrator, to authorize specific network sessions." [8:24-31, emphasis added]

"To unburden the firewall of application proxies, the firewall can be enabled to redirect a
network session to a separate server for processing." [Abstract, emphasis added]

"Proxy reflection in accordance with the present invention involves redirecting a network session
to another, "remote" proxy server for processing, and then later passing it back via the firewall to
the intended destination. When a new session enters the firewall, a decision is made to determine
whether service by a proxy server is required. If so, the firewall replaces the destination
address in the packet with the host address of the proxy application and, if necessary, it can
also change the service port." [Coss et al., col. 8, lines 56-65,
emphasis added]

It would be obvious to replace the router 106 of Radia et al. with the firewall 211 of Coss et al. to
not only allow discarding and forwarding traffic as taught by Radia et al., but to also allow
controlling the user's access to the network by redirecting traffic at the firewall 211 to thereby
prevent the router 106 from having to utilize application proxies, as suggested by Coss et al.

Radia et al. further disclose that other networking technologies may be used instead of router
106, stating:

"The use of cable router 106 and cable modems 104 is also intended to be exemplary and it
should be appreciated that other networking technologies and topologies are equally
practical." [1:13-16, emphasis added]

Therefore, it would have been further obvious to a person of ordinary skill in the art that the
firewall 211 of Coss et al. could substitute the router 106 because the firewall 211 disclosed by
Coss et al. is another type of networking technology and Radia et al. suggest other types of
network technology is equally practical.

It would have been further obvious that simple substitution of the known firewall 211 for the
router 106 obtains predictable results that the network 100 of Radia et al. may now benefit from
the redirection functionality included in firewall 211.

an authentication accounting server connected to the database, the dial-up network
server and the redirection server,

Radia et al. Figure 1 disclose access network control server ANCS 112 and services management
system SMS 114 together are an authentication accounting server because ANCS 112 and SMS
114 are connected to the database (filtering profiles 316 within SMS 114 - see Figure 3), the
dial-up network server (substituted for DHCP server 110 and login applet), and the redirection server
(Coss' firewall 211 in the position of router 106 in Radia's
FIG. 1).

Radia et al. further disclose that the ANCS 112 and SMS 114 determine whether a user ID is
authorized to access the network.

For instance, Radia et al. disclose:

"FIG. 9 is a flowchart showing the steps associated with a preferred embodiment of a method for
allocation of privileges to a user in a computer network." [4:59-61, emphasis added]

"Method 900 includes step performed by SMS 114 and ANCS 112." [9:35-36, emphasis
added]

"In step 908, which follows, a sequence of filtering profiles 400 associated with the user are
retrieved, by SMS 114, from filtering profile database 316. In general, it may be appreciated that
various users of network 100 will have varying types of allowed access." [9:46-50, emphasis
added]

"In FIG. 1, ANCS 112 and SMS 114 are shown as separate entities. It should be appreciated,
however, that the present invention specifically anticipates that ANCS 112 and SMS 114 may be
implemented using a single computer system that includes ANCS process 214, SMS process
314 and filtering profile database 316." [5:65-6:4, emphasis added]

a method comprising the steps of:

Method disclosed by Radia et al. in Figure 9

communicating a first user ID for one of the users' computers and a temporarily assigned
network address for the first user ID from the dial-up network server to the authentication
accounting server;

Radia et al. disclose a login applet on a PC 102 and the DHCP server 110 respectively
communicate a first user ID (entered using the login applet) for one of the users' computers (one
of PCs 102) and a temporarily assigned network address (dynamically assigned IP address) for
the first user ID to the authentication accounting server (SMS 114).

For instance, Radia et al. disclose the login applet communicates from PC 102 to SMS 114:

"Method 900 begins with step 906 where SMS 114 waits for a user login. More specifically, as
discussed with regard to method 700, for a preferred embodiment of network 100, users login to
network 100 using a login applet that communicates with a login server, such as SMS 114."
[9:37-42, emphasis added]

Radia et al. also disclose the DHCP server 110 passes the temporarily assigned network address
for the first user ID to the SMS 114:

"Method 700 begins with step 706 where SMS 114 waits for the allocation of an IP address to
a client system 102. More specifically, for a preferred embodiment of network 100, power-on or
reset of a client system 102 is followed by connection of the client system 102 to router 106. As
part of this connection, the connecting client system 102 requests and receives a dynamically
allocated IP address from DHCP server 110. This allocation requires that a number of messages
pass between DHCP server 110 and the client system 102 requesting a new IP address. The last
of these messages is a DHCPACK message sent by the DHCP server 110 to the client system
102. To monitor the allocation of IP addresses, SMS 114 monitors DHCP messages within
network 100. Step 706 corresponds, in a general sense, to the
methods and procedures that are executed by SMS 114 to wait for and detect DHCPACK
messages within network 100." [7:21-34, emphasis added]

With reference to FIG. 9, it is inherent that the SMS 114 also receives the IP address of the client
system 102 from the dial-up network server because Radia et al. disclose "At the same time,
the IP address of the client system 102 acting as a host for the user is passed by the SMS
114 to the ANCS 112." [9:62-64, emphasis added]

Radia et al. further disclose that the IP address of the client system (one of PCs 102) is
temporarily assigned:

"More specifically, in systems that use the DHCP protocol for allocation of IP addresses, each IP
address is allocated for a finite period of time. Systems that do not renew their IP address leases
may lose their allocated IP addresses." [7:51-55, emphasis added]

However, Radia et al. do not explicitly disclose communicating a first user ID for one of the
users' computers and a temporarily assigned network address for the first user ID from the
dial-up network server to the authentication accounting server.

In the admitted prior art (APA) system of FIG. 1, the dial-up network server 102 communicates a
first user ID for one of the users' computers 100 and a temporarily assigned network address for
the first user ID to the authentication accounting server 104.

For instance, the APA systems are described as follows:

"The dial-up networking server then passes the user ID and password, along with a temporary
Internet Protocol (IP) address for use by the user to the ISP's authentication and accounting
server 104." ['118 patent, 1st paragraph of Background of the Invention section, emphasis added]

It would have been obvious to not remove these useful features of the APA systems when
substituting the APA dial-up networking server 102 for the DHCP server 110 and login applet in
FIG. 1 of Radia et al. This would have been obvious because simple substitution of the known
dial-up networking server 102 for the DHCP server 110 and login applet obtains predictable
results that the dial-up networking server 102 continues to include the above disclosed features.

It would further have been obvious that the dial-up network server should continue to behave in
this way because, rather than the SMS 114 receiving the user ID and IP address respectively
from the login applet and DHCP server 110, the SMS 114 would receive this information from
the dial-up networking server, as suggested by the APA.

communicating the individualized rule set that correlates with the first user ID
and the temporarily assigned network address to the redirection server from the
authentication accounting server;

Radia et al. disclose the ANCS 112 and SMS 114 access the database 316 and communicate the
(identity of the user) and the temporarily assigned network address (dynamic IP address) to the
router 106.

For instance, Radia et al. disclose:

FIG. 9: step 906 "wait for user login", step 908 "retrieve user filter profile from database", step
919 "download user profile to ancs", and step 920 "reconfigure network components"

"In step 908, which follows, a sequence of filtering profiles 400 associated with the user are
retrieved, by SMS 114, from filtering profile database 316". [9:46-48, emphasis added]

"For the present invention, these filtering profiles 400 are preferably maintained in filtering
profile database 316 and retrieved using the identity of the particular user." [9:53-56,
emphasis added]

"Step 908 is followed by step 910 where the sequence of user filtering profiles 400 is
downloaded by SMS 114 to ANCS 112. At the same time, the IP address of the client system
102 acting as a host for the user is passed by the SMS 114 to the ANCS 112." [9:60-64, emphasis
added]

"In the following step, the ANCS 112 uses each of the filtering rules 404 included in the
sequence of user filtering profiles 400 to establish a packet filter for IP packets originating
from the client system 102 acting as a host for the user." [9:64-10:1, emphasis added]

"The packet filter is established by reconfiguring one or more of the components of the network
100 that forward packets originating at the client system 102 acting as a host for the user. For
example, in some cases, the packet filter may be established by reconfiguring the modem 104
connected to the client system 102. Alternatively, the packet filter may be established by
reconfiguring router 106." [10:1-7, emphasis added]

It is inherent that the "packet filter for IP packets originating from the client system 102"
communicated to the router 106 includes the temporarily assigned (i.e., dynamic) IP address of
the client system 102 in order to identify the IP packets originating from the client system 102.

However, Radia et al. do not explicitly disclose communicating the individualized rule set that
correlates with the first user ID and the temporarily assigned network address to the redirection
server from the ANCS 112 and SMS 114.

It would have been obvious to have the ANCS 112 and SMS 114 access the database 316 and
communicate the individualized rule set that correlates with the first user ID and the temporarily
assigned network address to the firewall 211 of Coss et al. A first reason is Radia et al. teach
reconfiguring one or more network components that forward packets originating at the client
system 102, and the firewall 211 of Coss et al. is a network component that forwards packets
originating at a client system. As such, Radia et al. suggest reconfiguring the firewall 211.

It would have further been obvious to use a known technique (i.e., communicating an
individualized rule set to thereby reconfiguring a router 106) to improve a similar device
(firewall 211) in the same way.

Additionally, Coss et al. disclose dynamic rules can be loaded into the firewall 211 at any time
by trusted applications to thereby authorize specific network sessions. For instance, Coss et al.
teach:

"Dynamic rules can include unique, current information such as, for example, specific source
and destination port numbers. They can be loaded at any time by trusted parties, e.g., a trusted
application, remote proxy or firewall administrator, to authorize specific network sessions."
[8:26-31, emphasis added]

It therefore would have further been obvious to have the ANCS 112 communicate the
individualized rule set to the firewall 211 of Coss et al. because the ANCS 112 is a trusted
application that authorizes specific network sessions, as suggested by Coss et al.

and processing data directed toward the public network from the one of the users'
computers according to the individualized rule set.

Radia et al. disclose processing data directed
toward the public network from the one of the user
computers (one of PCs 102) according to the
individualized rule set.

For instance, Radia et al. disclose:

"Subsequently, the packet filter established by the ANCS 112 is used to filter IP packets that
originating from the client system 102 acting as a host for the user, allowing the packets that are
associated with the network privileges of the user." [10:11-14, emphasis added]

57. The method of claim 56, further including the step of controlling a plurality of data to
and from the users' computers as a function of the individualized rule set.

Radia et al. disclose that router 106 in FIG. 1 further provides control over a plurality of data
from the users' computers as a function of the individualized rule set (FIG. 6, step 606, "filter IP
packets in accordance with filtering profile" and col. 10, lines 6-14).

Radia et al. do not explicitly disclose the step of computers as a function of the individualized
rule set.

However, Coss et al. disclose firewall 211 further provides control over a plurality of data to and
from the users' computers as a function of the individualized rule set.

For instance, Coss et al. disclose:

"The latter embodiment can allow the firewall techniques of the invention to provide, for
example, parental control of Internet and video access in the home." [2:57-60]

See FIG. 3, rule No. 10 controlling FTP data to host B, and rule No. 30 controlling Telnet data
from host B.

Coss et al. also disclose rule set categories such as "Source host group identifier or IP address",
"Destination host group identifier or IP address", and "Rule action, e.g., 'pass', 'drop', or 'proxy'"
[4:39-43] allowing the firewall 211 to control data to and from the users' computers as a function
of the individualized rule set.

Since each individual element and its function are shown in the prior art, albeit shown in separate
references, the difference between the claimed subject matter and the prior art rests not on any
individual element or function but in the very combination itself-that is in the substitution of the
firewall 211 of Coss for the router 106 in Fig. 1 of Radia. Thus, the simple substitution of one
known element (i.e. firewall 211 for the router 106) for another producing a predictable result
renders the claim obvious.

58. The method of claim 56, further including the step of blocking the data to and from the
users' computers as a function of the individualized rule set.

Radia et al. disclose that router 106 in FIG. 1 further blocks data from the users' computers as a
function of the individualized rule set (FIG. 6, step 606, "filter IP packets in accordance with
filtering profile" and co
