DETAILED ACTION


Currently pending claims are 1 – 20.

Claim Rejections - 35 USC § 112

The following is a quotation of 35 U.S.C. 112(b):

(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.



Claim 1 is rejected under 35 U.S.C. 112(b) or pre-AIA 35 U.S.C. 112, second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant) regards as the invention, because the claim is recited as a system claim while the respective claim elements within the claim body are directed to a method claim. Examiner notes that such an inconsistency creates unnecessary ambiguity (i.e. a lack of clarity) within the respective claim scope, and appropriate corrections are required.

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.


Claim Rejections - 35 USC § 102

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1, 5 – 8, 11 – 15, 18 and 20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Nagaratnam et al. (U.S. Patent 2017/0041347).  

As per claims 1 & 15, Nagaratnam teaches, for a network management and control system that manages one or more logical networks, a method comprising: 
from a first user, receiving a definition of one or more security zones for a logical network, each security zone definition comprising a set of security rules for data compute nodes (DCNs) assigned to the security zone (Nagaratnam: Figure 8 & Para [0077], Para [0085] and Para [0100]: (a) based on a template-based configuration mechanism provided in a cloud-based environment, an assurance configuration broker (i.e. a 1st user) receives security assurance template(s) from a cloud security assurance service entity (FIG. 8 / E-602 & E-604: RX), wherein (b) the template(s) are modules that specify security profiles (or a set of security settings) w.r.t. security resources including, at least, associated networking devices (i.e. data compute nodes (DCNs)) (Para [0085] / [0077]) as well as the security levels (e.g. High/Medium/Low) associated with various security zones such as DMZ zone(s), internal network security zone(s), firewall security zone(s), different cloud zone(s), etc., and accordingly (c) the assurance configuration broker can then further configure the security requirement(s) in detail based on the received security assurance template(s) / profile(s) and subsequently change / upgrade the security configurations as needed); 
from a second user, receiving a definition of an application to be deployed in the logical network, the application definition specifying a set of requirements (Nagaratnam: see above & Para [0087] / [0075]: (a) a cloud provider or an application developer constitutes a 2nd user, wherein (b) the cloud provider obtains from the developer, and forwards to a cloud security assurance service entity, a set of prerequisite security requirements prescribed by the deployed cloud application(s), so as to further configure the security requirements at a more detailed level); and
based on the specified set of requirements, assigning DCNs implementing the application to one or more of the security zones for the logical network (Nagaratnam: see above & Para [0090] Line 5 – 8, Para [0085] / [0077], Para [0097], Para [0011] Line 1 – 10 and Para [0100]: the cloud security assurance service is responsible for managing the deployed cloud applications based on the security templates and detailed configuration settings, which include the associated networking devices (i.e. data compute nodes (DCNs)) (Para [0085] / [0077]) as well as the security zones, etc., applicable to the target applications).

As per claims 5 – 6 & 18, Nagaratnam teaches wherein the logical network spans at least two virtual clouds, wherein DCNs in a first virtual cloud are not allowed to communicate with DCNs in a second virtual cloud until the DCNs are assigned to particular security zones (Nagaratnam: see above & Para [0100]).

As per claim 7, Nagaratnam teaches wherein the first DCN belongs to a particular tier of the application and the second DCN does not belong to any application (Nagaratnam: see above & Para [0142] / [0087] / [0100]: in a cloud-based environment, based on the prescribed security requirements of a security template associated with the deployed application(s), the application deployments can be implemented in conjunction with an appropriate application security zone that comprises a set of security resources including networking device(s) (DCNs) drawn from a resource pool of available devices).

As per claim 8, Nagaratnam teaches wherein the definition of the application comprises at least two application tiers (Nagaratnam: see above & Para [0142] / [0087] / [0100]: the application deployments can be implemented in conjunction with different n-tier (site) applications (i.e. at least two application tiers) so as to map onto various server-side architectures (e.g. different cloud zone(s))).

As per claims 11 & 20, Nagaratnam teaches wherein the sets of security rules defining the security zones are implemented through firewall rules applied by network elements managed by the network management and control system (Nagaratnam: see above & Para [0077]: implemented via high/medium/low firewall security requirements (rules)).

As per claim 12, Nagaratnam teaches wherein the first user manages networking and security configurations for at least a portion of the logical network (Nagaratnam: Figure 8 & Para [0077], Para [0085] and Para [0100]: (a) an assurance configuration broker (i.e. a 1st user) receives security assurance template(s) from a cloud security assurance service entity (FIG. 8 / E-602 & E-604: RX), wherein (b) the template(s) are modules that specify security profiles (or a set of security settings) w.r.t. security resources including, at least, associated networking devices (i.e. data compute nodes (DCNs)) (Para [0085] / [0077]) as well as the security levels (e.g. High/Medium/Low) associated with various security zones such as DMZ zone(s), internal network security zone(s), firewall security zone(s), different cloud zone(s), etc., and accordingly (c) the assurance configuration broker can then further configure the security requirement(s) in detail based on the received security assurance template(s) / profile(s) and subsequently change / upgrade the security configurations as needed), and 
the second user is an application developer user that is not granted access to the networking and security configurations for the logical network (Nagaratnam: see above & Para [0087] / [0075]: (a) a cloud provider or an application developer constitutes a 2nd user, wherein (b) the cloud provider obtains from the developer, and forwards to a cloud security assurance service entity, a set of prerequisite security requirements prescribed by the deployed cloud application(s), so as to further configure the security requirements at a more detailed level).

As per claim 13, the claim contains limitations similar to those of claim 1 and the claims above and thus is rejected with the same rationale.

As per claim 14, Nagaratnam teaches wherein: the first user is a tenant user that manages the logical network (Nagaratnam: Figure 8 & Para [0077], Para [0085] and Para [0100]: an assurance configuration broker (as a 1st user) is a tenant user that manages the logical network (see above)); 
the third user is a provider user that defines the tenant first user and a plurality of additional tenant users with the network management and control system (Nagaratnam: see above & Para [0090] Line 5 – 8, Para [0085] / [0077], Para [0097], Para [0011] Line 1 – 10 and Para [0100]: a cloud security assurance service (as a 3rd user) is responsible for managing the deployed cloud applications based on the security templates that it provides to the defined 1st user); and 
the second set of security zones is defined for a plurality of logical networks managed by the tenant first user and the plurality of additional tenant users (see above).

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 2 – 4, 9 – 10, 16 – 17 & 19 are rejected under 35 U.S.C. 103 as being unpatentable over Nagaratnam et al. (U.S. Patent 2017/0041347), in view of Martinez et al. (U.S. Patent 2012/0185913).

As per claims 2 – 4, 9 – 10, 16 – 17 & 19, Martinez (& Nagaratnam) teaches:
a second security zone does not allow connections between DCNs in the second security zone and endpoints outside of the logical network (Martinez: Para [0023] / [0095]: (a) a more restricted 2nd security zone can be defined based on a geographic area (e.g. USA) such that it does not allow connections between the networking devices (i.e. DCNs) in the 2nd security zone and endpoints outside of a particular logical network (Martinez: Para [0023]), such as (b) database application devices that are tagged to operate in highly secured (restricted) security zones (Martinez: Para [0095])).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Nagaratnam's system to allow (or disallow) connections between DCNs in the first security zone and endpoints outside of the logical network, because Martinez teaches alternatively, effectively and securely providing a restricted security zone that does not allow connections between the networking devices (i.e. DCNs) in the 2nd security zone and endpoints outside of a particular logical network (see above), within Nagaratnam's system for managing the deployed cloud applications based on the security templates and detailed configuration settings that include the associated networking devices as well as the security zones applicable to the target applications, wherein various security levels (e.g. High/Medium/Low) can be associated with different types of security zones such as DMZ zone(s), internal network security zone(s), firewall security zone(s), different cloud zone(s), etc. (see above).
a first security zone comprises rules that allow connections between DCNs in the first security zone and endpoints outside of the logical network (Martinez: Para [0095]: allowing connections between the networking devices (i.e. DCNs) in a 1st, less secure zone and endpoints via a public internet connection (i.e. outside of a particular logical network); see also Nagaratnam: Para [0039] Line 4 – 9 and Para [0100]: (a) internet-enabled (mobile) computing devices associated with web-based portal applications are allowed to communicate via the public internet and, besides, (b) different cloud zones (with different cloud service providers) are associated with different deployed applications based upon different templates of security requirements).

As per claims 9 – 10, the claims contain limitations similar to those of claims 1 & 2 – 4 and thus are rejected with the same rationale.



Any inquiry concerning this communication or earlier communications from the examiner should be directed to LONGBIT CHAI whose telephone number is (571)272-3788. The examiner can normally be reached Monday - Friday 9:00am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.


If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D. Feild can be reached on 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



---------------------------------------------------
                  /Longbit Chai/
           Longbit Chai E.E. Ph.D.
    Primary Examiner, Art Unit 2431
                   No. #2341 – 2022
---------------------------------------------------