DETAILED ACTION

Currently pending claims are 1 – 23.

Claim Objection
Claim 16 is objected to because of the following informalities (and Examiner respectfully requests correction as follows): “at least one processor” should be replaced with “at least one hardware processor (or processor device)”. Examiner notes this is because a “computer processor” could be a software processor (e.g. a word processor such as Microsoft WORD). Appropriate correction(s) is (are) required.
Claim 17 is objected to for the same rationale as that of claim 16.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 16 and 17 are rejected under 35 U.S.C. 112(b) or pre-AIA 35 U.S.C. 112, second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or, for applications subject to pre-AIA 35 U.S.C. 112, the applicant) regards as the invention, because the claims are recited as either a computer program product claim or a non-transitory computer readable medium claim while the base (parent) claim is directed to a method claim. Examiner notes such an inconsistency creates unnecessary ambiguity (i.e. a lack of clarity) within the respective claim scopes, and appropriate corrections are required.

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  


Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


Claims 8 – 15 and 22 – 23 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Toepke et al. (U.S. Patent 2018/0027071). 

As per claim 15 (& claim 8), Toepke teaches an access control device, comprising: 
at least one storage, to store computer readable codes (Toepke: Figure 10 & Figure 1), and 
at least one processor, configured to invoke the computer readable codes to execute (Toepke: Figure 10 & Figure 1): 
determining via the access control device (Toepke: Figure 2 / E-240 & Para [0066] – Para [0074]: a plant DMZ (intermediate) device to bridge different networks constitutes an access control device), connected between a system and a computer to remotely access the system, remotely accessible resources in the system (Toepke: Figure 2 / E-240 & Para [0074] / [0071] / [0072] / [0078]: (a) based on the network port re-direction, facilitated by the plant DMZ (intermediate) device (i.e. the access control device), to retain network isolation (protection) to gain secure access to other (cloud) networks (Para [0074] / [0078]) via a firewall as part of the plant DMZ (intermediate) device (Para [0071] / [0078]));
determining, via the access control device, the resources remotely accessible by the computer, among the remotely accessible resources in the system, according to remote access control policies (Toepke: see above & Para [0120] and Para [0074] / [0071] / [0072] / [0078]: determining whether a user computing device has access to a remote resource w.r.t. the types of the authorized operations); and 
providing for the computer, via the access control device, information about the resources remotely accessible by the computer, to permit the resources to be remotely accessible by the computer (Toepke: see above).  

As per claim 9, Toepke teaches providing, via the access control mechanism, a manager of the system with the information about the remotely accessible resources in the system determined; receiving a configuration command from the manager of the system; configuring the remote access control policies for the remotely accessible resources in the system, the configuring including either configuring remote access control policies for the remotely accessible resources in the system according to the received configuration command, or configuring, via the access control device, remote access control policies for the remotely accessible resources in the system, according to configuration rules (Toepke: see above & Para [0120] and Para [0073] / [0074] / [0014]: (e.g.) an additional I/O port provided with network configuration functions that can receive inputs (commands) from the user (administrator) based on the access control service rules constitutes the third network port).

As per claims 10 – 11 and 22 – 23, Toepke teaches to determine the remotely accessible resources in the system, and the method further comprises: receiving, via the access control device, industrial protocol messages transferred in the system; and obtaining the information about the remotely accessible resources in the system from the industrial protocol messages received according to different industrial protocols (Toepke: see above & Para [0013] / [0014] / [0024]: configured to receive messages associated with various communication protocols w.r.t. a unique (particular) communication link – i.e. with protocol independence).

As per claim 13, Toepke as modified teaches wherein the bastion host is configured to realize at least one of: performing user authentication for the computer, and providing a remote desktop for the remote access from the computer to the system (Toepke: see above, Figure 10 / E-96 & Para [0120]: including an authentication / authorization module to determine whether a user computing device has access to a remote resource w.r.t. the types of the authorized operations). 

As per claim 14, Toepke teaches providing an auditing module, respectively connected with the front-end firewall, the back-end firewall and the bastion host, and configured to audit at least one of a security log of the front-end or back-end firewall or bastion host, at least one of NetFlow and network traffic between the front-end firewall and the bastion host, and at least one of NetFlow and network traffic between the bastion host and the back-end firewall (Toepke: see above, Figure 14A & Para [0050] / [0072]: managing security log data such as monitoring access type permissions (R, R/W, etc.) and/or network incoming and outgoing traffic to implement security features to make communication secured).  

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.



Claims 1 – 7 and 18 – 21 are rejected under 35 U.S.C. 103 as being unpatentable over Toepke et al. (U.S. Patent 2018/0027071), in view of Albrecht et al. (DE 1020-0902-2977).  

As per claim 1, Toepke teaches an access control device, to provide a secure access control mechanism for a system upon the system being remotely accessed, the access control device (Toepke: Figure 2 / E-240 & Para [0066] – Para [0074]: a plant DMZ (intermediate) device to bridge different networks constitutes an access control device) comprising: 
a front-end firewall being configured to provide a first network port, the first network port being configured to connect a computer to remotely access the system (Toepke: Figure 2 / E-240 & Para [0074] / [0071] / [0072] and Para [0078]: (a) the plant DMZ (intermediate) device (i.e. the access control device) utilizes network port re-direction, which retains network isolation (protection) to gain secure access to other (cloud) networks (Para [0074] / [0078]) via a firewall as part of the plant DMZ (intermediate) device (Para [0071] / [0078])); 
a bastion host connected with the front-end firewall (Toepke: see above: the core (control) processing device of the plant DMZ (intermediate) device constitutes a bastion host); and 
a back-end firewall, connected with the bastion host, to provide a second network port, the second network port being configured to connect the system, the back-end firewall being configured to determine, through the second network port, remotely accessible resources in the system (Toepke: Figure 2 / E-240 & Para [0074] / [0071] / [0072] / [0078]: providing secure access to other (cloud) networks (Para [0074] / [0078]) through a port-redirection via a firewall as part of the plant DMZ (intermediate) device to access the remote resource (Para [0071] / [0078])).
However, Toepke does not expressly disclose that the secure firewalls operated in a DMZ network include a back-end firewall and a front-end firewall.
Albrecht (& Toepke) teaches that the secure firewalls operated in a DMZ network include a back-end firewall and a front-end firewall (Albrecht: Figure 1 / E-7 & E-8 and Page 4 / Last Para and Page 9 / 2nd Para & 5th Para: a common bridging network (DMZ) is implemented with a combination of a back-end firewall and a front-end firewall to securely connect different networks).   
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Toepke so that the secure firewalls operated in a DMZ network include a back-end firewall and a front-end firewall, because Albrecht teaches to effectively and securely operate a common bridging network (DMZ) with an implementation of a back-end firewall and a front-end firewall to securely connect different networks (see above), within Toepke’s system of providing secure access to other (cloud) networks through a port-redirection via a firewall as part of the plant DMZ (intermediate) device to access the remote resource (see above). 
and to determine resources remotely accessible by the computer, among the remotely accessible resources in the system, according to remote access control policies (Toepke: see above & Para [0120]: determining whether a user computing device has access to a remote resource w.r.t. the types of the authorized operations) || (Albrecht: see above & Page 10 / 1st Para: the respective firewall(s) recognizes, on the basis of the engaged network address, which type of servers / services (applications) (e.g. E-mail server) can be remotely accessed via the directory service rules), and 
the bastion host being configured to provide the computer with information provided by the back-end firewall about the resources remotely accessible by the computer through the first network port of the front-end firewall, to permit the resources to be remotely accessible by the computer (Toepke: see above) || (Albrecht: see above).  
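The following is an added illustration, not code from the office action or from either cited reference: a toy model of the claimed access control device, in which a front-end firewall admits only a computer with a specific IP address and port, a back-end firewall learns remotely accessible resources from industrial protocol messages of different protocols, remote access control policies filter those resources per computer, the bastion host hands back the resulting information, and an auditing module records each decision. All messages, addresses, policy entries and function names are constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Resource:
    host: str
    protocol: str
    service: str

# Constructed industrial protocol messages seen by the back-end firewall on
# the second network port: (protocol, source host, raw bytes).
SAMPLE_MESSAGES = [
    ("modbus", "10.0.1.10", bytes.fromhex("000100000006010300000002")),  # fc 0x03
    ("modbus", "10.0.1.11", bytes.fromhex("000200000006011000100001")),  # fc 0x10
    ("opcua", "10.0.1.20", b"HELF" + bytes(4)),
    ("proprietary", "10.0.1.30", b"\xff\x00"),
]

def _parse_modbus(msg):
    # Modbus/TCP: 7-byte MBAP header, then the function code byte.
    if len(msg) < 8:
        return None
    return "modbus-read" if msg[7] in (1, 2, 3, 4) else "modbus-write"

def _parse_opcua(msg):
    # OPC UA binary transport opens a connection with a "HEL" message.
    return "opcua-endpoint" if msg[:3] == b"HEL" else None

# One parser per understood industrial protocol (protocol independence).
PARSERS = {"modbus": _parse_modbus, "opcua": _parse_opcua}

def discover_resources(messages):
    """Back-end firewall: derive the remotely accessible resources in the
    system from the industrial protocol messages it observes."""
    found = set()
    for proto, host, raw in messages:
        parser = PARSERS.get(proto)
        if parser is None:
            continue  # unknown protocol: nothing is learned from it
        service = parser(raw)
        if service:
            found.add(Resource(host, proto, service))
    return found

# Constructed policy state: which computer the front-end firewall admits,
# and which services each admitted computer may reach.
ALLOWED_COMPUTERS = {("203.0.113.5", 443)}
POLICIES = {"203.0.113.5": {"modbus-read", "opcua-endpoint"}}
AUDIT_LOG = []  # auditing module: one record per decision

def remote_access_info(computer_ip, computer_port, messages=SAMPLE_MESSAGES):
    """Bastion host view: resources the computer may reach, or an empty set
    when the front-end firewall refuses the computer."""
    if (computer_ip, computer_port) not in ALLOWED_COMPUTERS:
        AUDIT_LOG.append(f"front-end deny {computer_ip}:{computer_port}")
        return set()
    resources = discover_resources(messages)
    allowed = POLICIES.get(computer_ip, set())
    visible = {r for r in resources if r.service in allowed}
    AUDIT_LOG.append(f"bastion {computer_ip} sees {len(visible)}/{len(resources)}")
    return visible
```

Note that the write-capable Modbus endpoint is discovered but never reported to the computer, because the policy for that computer only grants read-type services.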

As per claim 2, Toepke as modified teaches wherein the access control device further comprises a management module connected with the back-end firewall, wherein the management module provides a third network port, the third network port being configured to interact with the manager of the system, the management module being configured to either provide the manager of the system with information about the remotely accessible resources in the system through the third network port, receive a configuration command from the manager of the system through the third network port, the configuration command being usable to configure remote access control policies for the remotely accessible resources in the system, and configure remote access control policies for the remotely accessible resources in the system according to the received configuration command, or the management module being usable to configure remote access control policies for the remotely accessible resources in the system according to preset configuration rules (Albrecht: see above) || (Toepke: see above & Para [0120] and Para [0073] / [0074] / [0014]: (e.g.) an additional I/O port provided with network configuration functions that can receive inputs (commands) from the user (administrator) based on the access control service rules constitutes the third network port).

As per claims 3 – 4 and 18, Toepke as modified teaches wherein the system is an operational technology system and the back-end firewall is configured to receive industrial protocol messages transferred in the system through the second network port and obtain the information about the remotely accessible resources in the system from the received industrial protocol messages according to different industrial protocols (Albrecht: see above) || (Toepke: see above & Para [0013] / [0014] / [0024]: configured to receive messages associated with various communication protocols w.r.t. a unique (particular) communication link – i.e. with protocol independence).

As per claim 5, Toepke as modified teaches wherein the front-end firewall is configured to at least one of: allow only the computer, including at least one of a specific IP address and a specific port, to access the system, and provide a secure connection between the access control device and the computer through the first network port (Toepke: see above & Para [0120]: determining whether a user computing device has access to a remote resource w.r.t. the types of the authorized operations) || (Albrecht: see above & Page 10 / 1st Para: the respective firewall(s) recognizes, on the basis of the engaged network address (e.g. IP address / port), which type of servers / services (applications) (e.g. E-mail server) can be remotely accessed via the directory service rules).

As per claims 6 and 21, Toepke as modified teaches wherein the bastion host is configured to realize at least one of: performing user authentication for the computer, and providing a remote desktop for the remote access from the computer to the system (Toepke: see above, Figure 10 / E-96 & Para [0120]: including an authentication / authorization module to determine whether a user computing device has access to a remote resource w.r.t. the types of the authorized operations) || (Albrecht: see above). 

As per claim 7, Toepke as modified teaches providing an auditing module, respectively connected with the front-end firewall, the back-end firewall and the bastion host, and configured to audit at least one of a security log of the front-end or back-end firewall or bastion host, at least one of NetFlow and network traffic between the front-end firewall and the bastion host, and at least one of NetFlow and network traffic between the bastion host and the back-end firewall (Toepke: see above, Figure 14A & Para [0050] / [0072]: managing security log data such as monitoring access type permissions (R, R/W, etc.) and/or network incoming and outgoing traffic to implement security features to make communication secured).  

As per claim 12, Albrecht (& Toepke) teaches allowing, via the access control mechanism, only the computer including at least one of a specific IP address and a specific port to access the system, and providing, via the access control device, a secure connection between the access control device and the computer (Toepke: see above & Para [0120]: determining whether a user computing device has access to a remote resource w.r.t. the types of the authorized operations) || (Albrecht: see above & Page 10 / 1st Para: the respective firewall(s) recognizes, on the basis of the engaged network address (e.g. IP address / port), which type of servers / services (applications) (e.g. E-mail server) can be remotely accessed via the directory service rules).  See the same rationale of combination applied herein as above in rejecting claim 1.

As per claim 19, Toepke as modified teaches wherein the back-end firewall is further configured to send detection messages of different industrial protocols to the system through the second network port, and upon receiving the industrial protocol messages transferred in the system, the back-end firewall is configured to receive messages sent by the system in response to the detection messages sent by the back-end firewall (Toepke: see above, Figure 2 / E-240 & Para [0013] / [0014] / [0024] and Para [0074] / [0071] / [0072] / [0078]: (a) configured to receive messages associated with various communication protocols w.r.t. a unique (particular) communication link – i.e. with protocol independence, and (b) providing secure access to other (cloud) networks (Para [0074] / [0078]) through a port-redirection via a firewall as part of the plant DMZ (intermediate) device to access the remote resource (Para [0071] / [0078])).

As per claim 20, Toepke as modified teaches wherein the front-end firewall is configured to at least one of: allow only the computer, including at least one of a specific IP address and a specific port, to access the system, and provide a secure connection between the access control device and the computer through the first network port (Toepke: see above, Figure 10 / E-96 & Para [0120]: including an authentication / authorization module to determine whether a user computing device has access to a remote resource w.r.t. the types of the authorized operations) || (Albrecht: see above & Page 10 / 1st Para: the respective firewall(s) recognizes, on the basis of the engaged network address (e.g. IP address / port), which type of servers / services (applications) (e.g. E-mail server) can be remotely accessed via the directory service rules).



Any inquiry concerning this communication or earlier communications from the examiner should be directed to LONGBIT CHAI whose telephone number is (571)272-3788.  The examiner can normally be reached on Monday - Friday 9:00am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D. Feild can be reached on 571-272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.


Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


---------------------------------------------------
                  /Longbit Chai/
           Longbit Chai E.E. Ph.D.
    Primary Examiner, Art Unit 2431
                   No. #2294 – 2021
---------------------------------------------------