Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Interview Summary
The examiner proposed incorporating claim 4 into all of the independent claims and filing an e-TD (electronic terminal disclaimer) to overcome the double patenting rejection, but the attorney informed the examiner that the client declined to do so, for compact prosecution, and agreed to receive this non-final rejection (NFR).

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1 – 20 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over the claims of Patent No. 10699005 in view of Fainkichen et al. (US 8893261), hereafter Fai.
This is a provisional nonstatutory double patenting rejection.
Instant App. 16879401 (claims 1 – 20, reproduced first) and Patent No. 10699005 (claims 1 – 18, following):
1. A method for controlling access to external networks by an air-gapped endpoint, comprising: providing, on the air-gapped endpoint, a plurality of isolated security zones by instantiating a plurality of corresponding virtual machines using a hypervisor; selecting one security zone of the plurality of isolated security zones; and tunneling a traffic from the selected security zone to a designated network location, wherein the tunneling is through a virtual private network (VPN).
2. The method of claim 1, wherein the selected security zone is a corporate zone, and the designated network location is a cloud VPN server.
3. The method of claim 1, further comprising: allowing the selected one security zone to connect to an external network based on at least one access rule.
4. The method of claim 3, wherein allowing the connection between the security zone and the external network further comprises: exposing a virtual network interface card (NIC) corresponding to a physical NIC, wherein the connection to the external network is through the physical NIC, wherein a MAC address of the virtual NIC is the same as the MAC address of the physical NIC.
5. The method of claim 4, further comprising: monitoring all traffic between the selected security zone and the external network to at least maintain compliance with a security policy set for the respective security zone.
6. The method of claim 3, wherein the at least one access rule determines when the access to the external network is allowed.
7. The method of claim 6, wherein the external network is the Internet.
8. The method of claim 1, further comprising: bridging the selected security zone directly into a network adapter, when the network adapter was verified to be connected to a public network.
9. The method of claim 8, wherein verifying if the network adapter is connected to a public network, further comprises: establishing a connection to an internet web server that is not accessible within the selected security zone; cryptographically verifying an identity of the internet web server.
10. The method of claim 1, wherein the method is performed by a networking virtual machine (VM).
11. A non-transitory computer readable medium having stored thereon instructions for causing a processing circuitry to execute a process for controlling access to external networks by an air-gapped endpoint, the process comprising: providing, on the air-gapped endpoint, a plurality of isolated security zones by instantiating a plurality of corresponding virtual machines using a hypervisor; selecting one security zone of the plurality of isolated security zones; and tunneling a traffic from the selected security zone to a designated network location, wherein the tunneling is through a virtual private network (VPN).
12. An air-gapped computing system, comprising: a network card interface; a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to: provide, on the air-gapped endpoint, a plurality of isolated security zones by instantiating a plurality of corresponding virtual machines using a hypervisor; select one security zone of the plurality of isolated security zones; and tunnel a traffic from the selected security zone to a designated network location, wherein the tunneling is through a virtual private network (VPN).
13. The air-gapped computing system of claim 12, wherein the selected security zone is a corporate zone, and the designated network location is a cloud VPN server.
14. The air-gapped computing system of claim 12, wherein the system is further configured: allow the selected one security zone to connect to an external network based on at least one access rule.
15. The air-gapped computing system of claim 14, wherein the system is further configured: exposing a virtual network interface card (NIC) corresponding to a physical NIC, wherein the connection to the external network is through the physical NIC, wherein a MAC address of the virtual NIC is the same as the MAC address of the physical NIC.
16. The air-gapped computing system of claim 14, wherein the system is further configured: monitor all traffic between the selected security zone and the external network to at least maintain compliance with a security policy set for the respective security zone.
17. The air-gapped computing system of claim 14, wherein the at least one access rule determines when the access to the external network is allowed.
18. The air-gapped computing system of claim 17, wherein the external network is the Internet.
19. The air-gapped computing system of claim 12, wherein the system is further configured to: bridge the selected security zone directly into a network adapter, when the network adapter was verified to be connected to a public network.
20. The air-gapped computing system of claim 12, wherein the system is further configured to: establish a connection to an internet web server that is not accessible within the selected security zone; and cryptographically verify an identity of the internet web server.
Patent No. 10699005 (claims 1 – 18):
1. A method for controlling access to networks by an air-gapped endpoint, comprising: identifying, by a hypervisor, a type of a network being connected, upon detection of a new network connection to the air-gapped endpoint; determining for each security zone of a plurality of isolated security zones at least one access rule to access the network, wherein the plurality of isolated security zones is operable in a virtual environment instantiated on the air-gapped endpoint, wherein the hypervisor prevents any interfacing of a user device with the primitive OS; initializing, on the air-gapped endpoint, the hypervisor for execution over a primitive operating system (OS) of the air-gapped endpoint in the virtual environment, wherein the primitive OS is configured to execute only device drivers and is restricted from executing any application received over the network; allowing a connection between a security zone and the network based on the at least one access rule; and exposing a virtual network interface card (NIC) corresponding to a physical NIC, wherein the connection to the network is through the physical NIC; managing the connection to the network by a networking virtual machine, wherein the networking virtual machine operates in a non-persistent mode, wherein the networking virtual machine returns to its initial clean state after each boot; and monitoring all traffic between the security zone and the network to at least maintain compliance with a security policy set for the respective security zone.
2. The method of claim 1, wherein identifying the type of the network further comprises: querying a dynamic host configuration protocol (DHCP) server to receive network parameters of the network; determining based on the network parameters if the network is classified as a known network; and in response to determining that the network is classified as the known network, verifying if the network is a legitimate known network.
3. The method of claim 2, wherein verifying if the external network is a known network further comprises: performing a secure socket layer (SSL) verification by verifying an SSL certificate of a known entity in the network.
4. The method of claim 2, wherein the known network is preconfigured in a list of known networks.
5. The method of claim 1, wherein the at least one access rule includes at least one firewall rule.
6. The method of claim 1, wherein a MAC address of the virtual NIC is the same as a MAC address of the physical NIC.
7. The method of claim 1, wherein maintaining compliance with the security policy, further comprises performing any one of: tunneling traffic from the security zone through a virtual private network (VPN); and blocking traffic from the security zone.
8. The method of claim 1, wherein maintaining compliance with the security policy, further comprises: forcing the security zone to communicate with a specific entity in the network by modifying dynamic DHCP requests and replies.
9. The method of claim 1, wherein maintaining compliance with the security policy, further comprises: detecting suspicious activity related to an upload and download of files; and alerting on suspicious activity by rendering a dialog box requesting to approve or deny activity related to the upload and download of files.
10. The method of claim 1, wherein maintaining compliance with the security policy, further comprises: detecting malicious activity executed by the security zone; and quarantining the security zone when malicious activity is detected.
11. The method of claim 10, wherein detecting malicious activity further comprises: detecting malicious activity by setting at least one internal fake network entity; simulating user activity to direct an access to the at least one internal fake network entity; and tracking any access to at least one internal fake network entity that mimics the simulated user activity.
12. The method of claim 1, further comprising: creating the plurality of isolated security zones by instantiating a plurality of corresponding virtual machines using the hypervisor, wherein each of the plurality of security zones includes a plurality of applications executed over a guest OS; and instantiating a networking virtual machine (VM) using the hypervisor.
13. The method of claim 12, wherein the method is performed by the networking virtual machine (VM).
14. The method of claim 12, further comprising: resetting a state of the networking VM upon detection of a new network connection.
15. The method of claim 12, wherein the primitive OS is executed by a hardware layer of the air-gapped endpoint.
16. The method of claim 12, wherein the hypervisor includes an abstraction layer, at least one native hypervisor, an optimization module, and a security module.
17. A non-transitory computer readable medium having stored thereon instructions for causing a processing circuitry to execute a process for controlling access to networks by an air-gapped endpoint, the process comprising: identifying, by a hypervisor, a type of a network being connected, upon detection of a new network connection to the air-gapped endpoint; determining for each security zone of a plurality of isolated security zones at least one access rule to access the network, wherein the plurality of isolated security zones is operable in a virtual environment instantiated on the air-gapped endpoint, wherein the hypervisor prevents any interfacing of a user device with the primitive OS; initializing, on the air-gapped endpoint, the hypervisor for execution over a primitive operating system (OS) of the air-gapped endpoint in the virtual environment, wherein the primitive OS is configured to execute only device drivers and is restricted from executing any application received over the network; allowing a connection between a security zone and the network based on the at least one access rule; exposing a virtual network interface card (NIC) corresponding to a physical NIC, wherein the connection to the network is through the physical NIC; managing the connection to the network by a networking virtual machine, wherein the networking virtual machine operates in a non-persistent mode, wherein the networking virtual machine returns to its initial clean state after each boot; and monitoring all traffic between the security zone and the network to at least maintain compliance with a security policy set for the respective security zone.
18. An air-gapped computing system, comprising: a network card interface; a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to: identify, by a hypervisor, a type of a network being connected, upon detection of a new network connection to the air-gapped endpoint; determine for each security zone of a plurality of isolated security zones at least one access rule to access the network, wherein the plurality of isolated security zones is operable in a virtual environment instantiated on the air-gapped endpoint, wherein the hypervisor prevents any interfacing of a user device with the primitive OS; initialize, on the air-gapped endpoint, the hypervisor for execution over a primitive operating system (OS) of the air-gapped endpoint in the virtual environment, wherein the primitive OS is configured to execute only device drivers and is restricted from executing any application received over the network; allow a connection between a security zone and the network based on the at least one access rule; expose a virtual network interface card (NIC) corresponding to a physical NIC, wherein the connection to the network is through the physical NIC; manage the connection to the network by a networking virtual machine, wherein the networking virtual machine operates in a non-persistent mode, wherein the networking virtual machine returns to its initial clean state after each boot; and monitor all traffic between the security zone and the external network to at least maintain compliance with a security policy set for the respective security zone.
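
To make the claim language above concrete, the following Python is an added example written for this page; it is not code from application 16879401, Patent No. 10699005, or the Ban, Fai or Thom references. It models patent claims 2 – 4 (DHCP parameters classify the network as a known network; the certificate of a known entity verifies it is the legitimate known network) together with the per-zone rules of instant claims 1 – 3 and 8 (tunnel the corporate zone to the cloud VPN server, bridge a zone directly only onto a verified public network, otherwise block). The host names, VPN server, NIC name, known-network list and certificate bytes are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class DhcpLease:
    """Parameters handed out by the DHCP server on the newly connected link.
    (Constructed sample data below; a real implementation reads the lease.)"""
    server_id: str
    gateway: str
    domain: str


@dataclass(frozen=True)
class KnownNetwork:
    """One entry of the preconfigured list of known networks (patent claim 4).
    The DHCP fields are only a hint: a rogue access point can replay them.
    The certificate pin of the known entity is what an attacker cannot satisfy."""
    name: str
    kind: str            # "corporate" or "public"
    dhcp_server_id: str
    domain: str
    verify_host: str     # known entity whose TLS certificate is checked
    cert_sha256: str     # pinned SHA-256 over that entity's DER certificate


def sha256_hex(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def classify_by_dhcp(lease: DhcpLease, known: list) -> Optional[KnownNetwork]:
    """Step 1 (patent claim 2): is the network *classified* as a known network?"""
    for net in known:
        if net.dhcp_server_id == lease.server_id and net.domain == lease.domain:
            return net
    return None


def verify_known_network(candidate: KnownNetwork,
                         fetch_cert: Callable[[str], bytes]) -> bool:
    """Step 2 (patent claim 3): is it the *legitimate* known network?
    fetch_cert must return the DER certificate obtained from a completed TLS
    handshake with verify_host (e.g. ssl.get_server_certificate followed by
    ssl.PEM_cert_to_DER_cert): the handshake proves possession of the private
    key, the pin only says which certificate is expected. The networking VM
    performs this check; the zone itself has no route to verify_host."""
    observed = fetch_cert(candidate.verify_host)
    return hmac.compare_digest(sha256_hex(observed), candidate.cert_sha256)


def identify_network(lease: DhcpLease, known: list,
                     fetch_cert: Callable[[str], bytes]) -> str:
    """Network kind the access rules are keyed on: 'corporate', 'public', or
    'unknown' (not in the list, or listed but failing verification)."""
    candidate = classify_by_dhcp(lease, known)
    if candidate is None or not verify_known_network(candidate, fetch_cert):
        return "unknown"
    return candidate.kind


# Per-zone access rules (instant claims 1-3 and 8; patent claim 7).
# VPN server and NIC names are assumptions made for this example.
VPN_SERVER = "vpn.example.net"
PHYSICAL_NIC = "eth0"
ZONE_RULES = {
    "corporate": {"corporate": "tunnel", "public": "tunnel", "unknown": "block"},
    "personal":  {"corporate": "block",  "public": "bridge", "unknown": "block"},
}


def access_decision(zone: str, network_kind: str) -> str:
    """Fail closed: any zone/network pair without an explicit rule is blocked."""
    action = ZONE_RULES.get(zone, {}).get(network_kind, "block")
    if action == "tunnel":
        return f"tunnel:{VPN_SERVER}"
    if action == "bridge":
        return f"bridge:{PHYSICAL_NIC}"
    return "block"


# --- constructed sample data (not real certificates or leases) --------------
CORP_GATEWAY_DER = b"\x30\x82\x01\x00 constructed DER for gw.corp.example"
GUEST_PORTAL_DER = b"\x30\x82\x01\x00 constructed DER for portal.guest.example"
KNOWN_NETWORKS = [
    KnownNetwork("hq-lan", "corporate", "10.0.0.1", "corp.example",
                 "gw.corp.example", sha256_hex(CORP_GATEWAY_DER)),
    KnownNetwork("hq-guest-wifi", "public", "10.10.0.1", "guest.example",
                 "portal.guest.example", sha256_hex(GUEST_PORTAL_DER)),
]
HQ_LEASE = DhcpLease("10.0.0.1", "10.0.0.1", "corp.example")
GUEST_LEASE = DhcpLease("10.10.0.1", "10.10.0.1", "guest.example")
CAFE_LEASE = DhcpLease("192.168.1.1", "192.168.1.1", "lan")


def legit_fetch(host: str) -> bytes:
    """What the networking VM sees on the real HQ networks."""
    return {"gw.corp.example": CORP_GATEWAY_DER,
            "portal.guest.example": GUEST_PORTAL_DER}[host]


def spoof_fetch(host: str) -> bytes:
    """Hostile AP replaying HQ's DHCP parameters; without the gateway's private
    key its TLS endpoint can only complete a handshake with its own certificate."""
    return b"\x30\x82\x01\x00 attacker self-signed cert for " + host.encode()


def run_scenarios() -> dict:
    return {
        "hq_corporate_zone": access_decision(
            "corporate", identify_network(HQ_LEASE, KNOWN_NETWORKS, legit_fetch)),
        "spoofed_hq_corporate_zone": access_decision(
            "corporate", identify_network(HQ_LEASE, KNOWN_NETWORKS, spoof_fetch)),
        "hq_guest_personal_zone": access_decision(
            "personal", identify_network(GUEST_LEASE, KNOWN_NETWORKS, legit_fetch)),
        "cafe_personal_zone": access_decision(
            "personal", identify_network(CAFE_LEASE, KNOWN_NETWORKS, legit_fetch)),
    }


if __name__ == "__main__":
    for scenario, decision in run_scenarios().items():
        print(f"{scenario:28s} -> {decision}")
```

The point the split into classify_by_dhcp and verify_known_network makes is the one the claims turn on: DHCP server identifier, gateway and domain are all under the control of whoever runs the access point, so a lease that looks like the corporate LAN only selects which pin to check. Only a TLS handshake that the networking VM itself completes with the known entity, compared against the pinned certificate, upgrades "classified as known" to "verified legitimate", and a zone that never gets a route to that entity cannot forge the result from inside. An unrecognised network such as the café lease is not bridged anywhere; it is blocked until a rule says otherwise.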

Patent No. 10699005 is silent on tunneling a traffic from the selected security zone to a designated network location, wherein the tunneling is through a virtual private network (VPN).
But analogous art Fai teaches tunneling a traffic from the selected security zone to a designated network location, wherein the tunneling is through a virtual private network (VPN) (C4L10-18: (1) establishing a VPN tunnel using a "VPN client" running as an application on the mobile device's "host" operating system, and (2) associating the VPN tunnel with a host operating system kernel provided network "namespace" that is exclusive to a VM running on the mobile device (C3L62-65) allow a VM running on a host system to connect and receive traffic from/to an enterprise network over a VPN).
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the claims of Patent No. 10699005 to include the VPN tunneling taught by Fai, so that a separate namespace allows the guest to enjoy exclusive and secure connectivity to the enterprise network through the VPN tunnel (C5L41-44).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1 – 3, 6 – 14 and 16 – 20 are rejected under 35 U.S.C. 103 as being unpatentable over Banga et al. (US 9116733), hereafter Ban, in view of Fainkichen et al. (US 8893261), hereafter Fai.
Claim 1: Ban teaches a method for controlling access to external networks by an air-gapped endpoint, comprising: providing, on the air-gapped endpoint, a plurality of isolated security zones by instantiating a plurality of corresponding virtual machines using a hypervisor; (C7L6-23: a special virtual machine VM0 is created to be a trusted and secure portion of a computer system… VM0 does not contain any type of networking stack and does not have access to any networking hardware that could allow for communication between VM0 or any applications executed thereby and the internet... a client contains any number of VM0 virtual machines);
selecting one security zone of the plurality of isolated security zones; (C10L1-2: the template used to clone a UCVM selected from templates stored in VM0);
Ban is silent on tunneling a traffic from the selected security zone to a designated network location, wherein the tunneling is through a virtual private network (VPN).
But analogous art Fai teaches tunneling a traffic from the selected security zone to a designated network location, wherein the tunneling is through a virtual private network (VPN) (C4L10-18: (1) establishing a VPN tunnel using a "VPN client" running as an application on the mobile device's "host" operating system, and (2) associating the VPN tunnel with a host operating system kernel provided network "namespace" that is exclusive to a VM running on the mobile device (C3L62-65) allow a VM running on a host system to connect and receive traffic from/to an enterprise network over a VPN).
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Ban to include the VPN tunneling taught by Fai, so that a separate namespace allows the guest to enjoy exclusive and secure connectivity to the enterprise network through the VPN tunnel (C5L41-44).
Claim 11: Ban teaches a non-transitory computer readable medium having stored thereon instructions for causing a processing circuitry to execute a process for controlling access to external networks by an air-gapped endpoint, the process comprising (Fig. 2): providing, on the air-gapped endpoint, a plurality of isolated security zones by instantiating a plurality of corresponding virtual machines using a hypervisor; selecting one security zone of the plurality of isolated security zones; (C7L6-23: a special virtual machine VM0 is created to be a trusted and secure portion of a computer system… VM0 does not contain any type of networking stack and does not have access to any networking hardware that could allow for communication between VM0 or any applications executed thereby and the internet... a client contains any number of VM0 virtual machines; C10L1-2: the template used to clone a UCVM selected from templates stored in VM0);
Ban is silent on tunneling a traffic from the selected security zone to a designated network location, wherein the tunneling is through a virtual private network (VPN).
But analogous art Fai teaches tunneling a traffic from the selected security zone to a designated network location, wherein the tunneling is through a virtual private network (VPN) (C4L10-18: (1) establishing a VPN tunnel using a "VPN client" running as an application on the mobile device's "host" operating system, and (2) associating the VPN tunnel with a host operating system kernel provided network "namespace" that is exclusive to a VM running on the mobile device (C3L62-65) allow a VM running on a host system to connect and receive traffic from/to an enterprise network over a VPN).
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Ban to include the VPN tunneling taught by Fai, so that a separate namespace allows the guest to enjoy exclusive and secure connectivity to the enterprise network through the VPN tunnel (C5L41-44).
Claim 12: Ban teaches an air-gapped computing system, comprising: a network card interface; a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to (Fig. 9): provide, on the air-gapped endpoint, a plurality of isolated security zones by instantiating a plurality of corresponding virtual machines using a hypervisor; select one security zone of the plurality of isolated security zones; (C7L6-23: a special virtual machine VM0 is created to be a trusted and secure portion of a computer system… VM0 does not contain any type of networking stack and does not have access to any networking hardware that could allow for communication between VM0 or any applications executed thereby and the internet... a client contains any number of VM0 virtual machines; C10L1-2: the template used to clone a UCVM selected from templates stored in VM0);
Ban is silent on tunneling a traffic from the selected security zone to a designated network location, wherein the tunneling is through a virtual private network (VPN).
But analogous art Fai teaches tunneling a traffic from the selected security zone to a designated network location, wherein the tunneling is through a virtual private network (VPN) (C4L10-18: (1) establishing a VPN tunnel using a "VPN client" running as an application on the mobile device's "host" operating system, and (2) associating the VPN tunnel with a host operating system kernel provided network "namespace" that is exclusive to a VM running on the mobile device (C3L62-65) allow a VM running on a host system to connect and receive traffic from/to an enterprise network over a VPN).
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Ban to include the VPN tunneling taught by Fai, so that a separate namespace allows the guest to enjoy exclusive and secure connectivity to the enterprise network through the VPN tunnel (C5L41-44).
Claim 2: the combination of Ban and Fai teaches the method of claim 1, wherein the selected security zone is a corporate zone, and the designated network location is a cloud VPN server. (Ban: C4L36-38: an OS in one VM can be dedicated for accessing the corporate network and running corporate applications and (C6L24-26) client include a cloud server).
Claim 3: the combination of Ban and Fai teaches the method of claim 1, further comprising: allowing the selected one security zone to connect to an external network based on at least one access rule. (Ban: C8L1-7: only allow connections with a specific internet system so that the software inside VM0 is updated from a designated update server. The firewall software only allows VM0 to connect to servers associated with the IT administrator of client and can prevent VM0 from establishing a connection with any other endpoint on any network).
Claim 6: the combination of Ban and Fai teaches the method of claim 3, wherein the at least one access rule determines when the access to the external network is allowed. (Ban: C8L51-53: process has the option of selectively displaying which contents are available to the VM based on policies as set forth).
Claim 7: the combination of Ban and Fai teaches the method of claim 6, wherein the external network is the Internet. (Ban: C4L41-42: a different OS in a third VM may be used for general web browsing on the wider Internet).
Claim 8: the combination of Ban and Fai teaches the method of claim 1, further comprising: bridging the selected security zone directly into a network adapter, when the network adapter was verified to be connected to a public network. (Ban: C12L20-41: validated Virtual Machine (VVM) for the purpose of running relatively trusted local applications that have complex interactions between the applications. Such complex interactions are common in enterprise frameworks containing multiple applications… Inside VVM, signed applications can interact with each other using all types of APIs and frameworks supported by the OS being used).
Claim 9: the combination of Ban and Fai teaches the method of claim 8, wherein verifying if the network adapter is connected to a public network, further comprises: establishing a connection to an internet web server that is not accessible within the selected security zone; cryptographically verifying an identity of the internet web server. (Ban: C12L41-45: the default network access policy of a VVM is to allow access to a corporate network only. The IT administrator may increase or decrease this level of access, subject to certain restrictions and (C6L45-46) VM0 is not accessible over any network, such as the Internet and (C17L6-11) installation of validated software is performed as is normally performed today except that such corporate validated software are installed in LVM).
Claim 10: the combination of Ban and Fai teaches the method of claim 1, wherein the method is performed by a networking virtual machine (VM). (Ban: C7L64-67: VM0 has a networking stack allowing VM0 to have access to a computer network).
Claim 13: the combination of Ban and Fai teaches the air-gapped computing system of claim 12, wherein the selected security zone is a corporate zone, and the designated network location is a cloud VPN server. (Ban: C4L36-38: an OS in one VM can be dedicated for accessing the corporate network and running corporate applications and (C6L24-26) client include a cloud server).
Claim 14: the combination of Ban and Fai teaches the air-gapped computing system of claim 12, wherein the system is further configured: allow the selected one security zone to connect to an external network based on at least one access rule. (Ban: C8L1-7: only allow connections with a specific internet system so that the software inside VM0 is updated from a designated update server. The firewall software only allows VM0 to connect to servers associated with the IT administrator of client and can prevent VM0 from establishing a connection with any other endpoint on any network).
Claim 16: the combination of Ban and Fai teaches the air-gapped computing system of claim 14, wherein the system is further configured: monitor all traffic between the selected security zone and the external network to at least maintain compliance with a security policy set for the respective security zone. (Ban: C16L5-6: module either creates these templates on demand or create and store them while monitoring the usage of the client).
Claim 17: the combination of Ban and Fai teaches the air-gapped computing system of claim 14, wherein the at least one access rule determines when the access to the external network is allowed. (Ban: C8L51-53: process has the option of selectively displaying which contents are available to the VM based on policies as set forth).
Claim 18: the combination of Ban and Fai teaches the air-gapped computing system of claim 17, wherein the external network is the Internet. (Ban: C4L41-42: a different OS in a third VM may be used for general web browsing on the wider Internet).
Claim 19: the combination of Ban and Fai teaches the air-gapped computing system of claim 12, wherein the system is further configured to: bridge the selected security zone directly into a network adapter, when the network adapter was verified to be connected to a public network. (Ban: C12L20-41: validated Virtual Machine (VVM) for the purpose of running relatively trusted local applications that have complex interactions between the applications. Such complex interactions are common in enterprise frameworks containing multiple applications… Inside VVM, signed applications can interact with each other using all types of APIs and frameworks supported by the OS being used).
Claim 20: the combination of Ban and Fai teaches the air-gapped computing system of claim 12, wherein the system is further configured to: establish a connection to an internet web server that is not accessible within the selected security zone; and cryptographically verify an identity of the internet web server. (Ban: C12L41-45: the default network access policy of a VVM is to allow access to a corporate network only. The IT administrator may increase or decrease this level of access, subject to certain restrictions and (C6L45-46) VM0 is not accessible over any network, such as the Internet and (C17L6-11) installation of validated software is performed as is normally performed today except that such corporate validated software are installed in LVM).
Claims 4, 5 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Ban and Fai as applied to the claims above, and further in view of Thomsen (US 6745333), hereafter Thom.
Claim 4: the combination of Ban and Fai teaches the method of claim 3, but is silent on wherein allowing the connection between the security zone and the external network further comprises: exposing a virtual network interface card (NIC) corresponding to a physical NIC, wherein the connection to the external network is through the physical NIC, wherein a MAC address of the virtual NIC is the same as the MAC address of the physical NIC.
But analogous art Thom teaches wherein allowing the connection between the security zone and the external network further comprises: exposing a virtual network interface card (NIC) corresponding to a physical NIC, wherein the connection to the external network is through the physical NIC, wherein a MAC address of the virtual NIC is the same as the MAC address of the physical NIC. (C4L4-10: the driver software controlling that NIC to override this burned in MAC Address by instructing the NIC to adopt a different MAC Address for use, similar or even identical in configuration to the burned in MAC Address and (C5L46-47) a NIC is connected to a network whereon TCP/IP networking is being used).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combined inventions of Ban and Fai to include the idea that the addresses of the physical and virtual NICs are the same, as taught by Fai, so that a separate namespace allows the guest to enjoy exclusive and secure connectivity to the enterprise network through the VPN tunnel (C5L41-44).
Claim 5: the combination of Ban and Fai teaches the method of claim 4, further comprising: monitoring all traffic between the selected security zone and the external network to at least maintain compliance with a security policy set for the respective security zone. (Ban: C16L5-6: module either creates these templates on demand or creates and stores them while monitoring the usage of the client).
Claim 15: the combination of Ban and Fai teaches the air-gapped computing system of claim 14, but is silent on wherein the system is further configured for: exposing a virtual network interface card (NIC) corresponding to a physical NIC, wherein the connection to the external network is through the physical NIC, wherein a MAC address of the virtual NIC is the same as the MAC address of the physical NIC.
But analogous art Thom teaches the air-gapped computing system of claim 14, wherein the system is further configured for: exposing a virtual network interface card (NIC) corresponding to a physical NIC, wherein the connection to the external network is through the physical NIC, wherein a MAC address of the virtual NIC is the same as the MAC address of the physical NIC. (C4L4-10: the driver software controlling that NIC to override this burned in MAC Address by instructing the NIC to adopt a different MAC Address for use, similar or even identical in configuration to the burned in MAC Address and (C5L46-47) a NIC is connected to a network whereon TCP/IP networking is being used).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combined inventions of Ban and Fai to include the idea that the addresses of the physical and virtual NICs are the same, as taught by Fai, so that a separate namespace allows the guest to enjoy exclusive and secure connectivity to the enterprise network through the VPN tunnel (C5L41-44).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See form PTO-892.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri Champakesan whose telephone number is (571) 270-3867. The examiner can normally be reached M-F: 8:30am-5pm (EST). Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Jorge L. Ortiz-Criado, can be reached on (571) 272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/BADRINARAYANAN /Examiner, Art Unit 2496.