DETAILED ACTION

The present application is being examined under the pre-AIA  first to invent provisions. 

General Remarks
-Claims 1, 8 and 15 are independent
-Claims 1, 3-8, 10-15, and 17-20 are pending
-Claims 2, 9, and 16 are cancelled
-Previous IDS has been considered
-112 rejection is withdrawn

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 11/14/2022 has been entered. 

Response to Arguments
Applicant's arguments filed 09/28/2022 have been fully considered but they are not persuasive.
-Applicant argued that “TrustSec does not qualify as prior art because the version of TrustSec relied upon by the examiner is dated July 30, 2021, which is after the earliest priority date of October 21, 2019 for the present application”.
	Applicant further argued that “Below is a screenshot of the first page of the document posted on PAIR. As can be seen, a date of June 19, 2010 is associated with a Google search result for “Cisco Trustsec Configuration parameter…However, 

    PNG
    media_image1.png
    410
    1190
    media_image1.png
    Greyscale

the second page of the same document posted to PAIR,

    PNG
    media_image2.png
    766
    1824
    media_image2.png
    Greyscale

 indicates the date of July 30, 2021 for the portions of TrustSec that the examiner has relied upon”.

Examiner respectfully disagrees:
The document is a prior art. To avoid the above misunderstanding, in this office action, I used identical document with similar content with an explicit prior date that clearly indicates the document is a prior art. I performed similar search indicated below. TrustSec document belongs to the Assignee and was taken from assignee`s website. I used the following date filter as indicated below to find the document:

    PNG
    media_image3.png
    442
    1478
    media_image3.png
    Greyscale

	As indicated above,  the public availability date of the document is 2010. The link that enables for getting the above search result is indicated below:
https://www.google.com/search?q=cisco+trustsec+configuration+guide&rlz=1C1GCEB_enUS917US917&source=lnt&tbs=cdr%3A1%2Ccd_min%3A%2Ccd_max%3A06%2F19%2F2010&tbm=
If we open the document shaded above that is indicated in the search result of the above link, the first page of the prior art document found is indicated below:

    PNG
    media_image4.png
    561
    1728
    media_image4.png
    Greyscale

Where It says updated: December 3, 2018. However, the document is found with a year filter in 2010 and is available to the public in 2010.  The prior art used in the office action was similarly found and used as indicated by the date information. The document belongs to the Assignee and was taken from the Assignee website. According to the year 2010 indicated in the office action, Trustsec is a prior art. Therefore, to avoid the above confusion, in this office action, I used identical document with similar content with an explicit prior date.
With regard to the prior arts used, the prior arts disclose topology independent access control. 
-Non-relied up on prior art, Voit (US pg. no. 20180139240) discloses SGACL based access control. It discloses in [0029] by assigning users and devices within the network to security groups and applying access control between the security groups (SG ACLs), a role-based topology-independent access control may be achieved within the network. Because SGACLs define access control policies based on device identities instead of IP addresses as in traditional ACLs, network devices are free to move throughout the network and change IP addresses. As long as the roles and the permissions remain the same, changes to the network topology do not change the security policy.
-Non-relied up on prior art, Wong (US pg. no. 20140208388) discloses SGACL based access control (topology independent). Wong in fig. 2 discloses security group based access control policy where it is referred to enforce topology independent access control. The access control is based on identity and location information of user or device instead of network address information.
-Pillay-Esnault discloses identity and metadata based access control. It in [0053] discloses that the firewall policy may be an identity based firewall policy  (not network address (topology dependent) based) indicating that data packets from entities having certain identities should be dropped before being received by the receiving host entity 150. In an embodiment, the firewall policy may be a metadata based (not network address based) policy indicating that data packets from entities associated with certain metadata should be dropped before being received by the receiving host entity 150. 
-Trustsec discloses SGACL based (topology independent access control). Trustsec in  SGACL Policies discloses By assigning users and devices within the network to security groups and applying access control between the security groups, Cisco TrustSec achieves role-based topology-independent access control within the network. Because SGACLs define access control policies based on device identities instead of IP addresses as in traditional ACLs, network devices are free to move throughout the network and change IP addresses. As long as the roles and the permissions remain the same, changes to the network topology do not change the security policy. When a user is added to the switch, you simply assign the user to an appropriate security group and the user immediately receives the permissions of that group.
-Ahmed discloses applying security group bases security access control (policy). Ahmed in [0030] discloses “CNC 32 (client) may configure a security policy for a security group having a security tag of “web,” and may push the security policy to virtual firewall 38 (network element that corresponds to firewall receiving service instruction) to apply the security policy to VMs associated with the “web” security tag. By applying security policies to security groups instead of individual network addresses (topology agnostic), virtual firewall 38 may dynamically apply the security policies to a group of virtual machines regardless if the virtual machines change locations”.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 1, 4-8, 11-15, and 18-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Pillay-Esnault (US pg. no. 20180343236), further in view of Trustsec “Cisco TrustSec Switch Configuration Guide”, further in view of Ahmed (US pg. no. 20200274852).
	Regarding claim 1. Pillay-Esnault discloses a computer-implemented method comprising:
	 receiving data from a first edge node (fig. 1, 160) of a network fabric at the network element (fig. 1, 123 firewall), the data have been redirected to the network element according to the service instructions ( [0058] discloses  The Tx 225 of the sending host entity 160 (edge node 1)  may transmit data packets to firewalls 123 (network element). In light of the disclosure of the instant application indicated in figure 6, the communication of data from edge node 1 to firewall that is indicated by line3 and from firewall to edge node 2 indicated by line 6 to enable the devices communicate through the firewall instead of direct link between the devices that corresponds to the data have been redirected. The direct connection between devices corresponds to direct data path. Similarly, Pillay-Esnault discloses connection of the two devices, node 150 and 160,  indirectly through the firewall 123 that corresponds to out of a data path of the data; [0053] discloses the firewall policy may be an identity based firewall policy indicating that data packets from entities having certain identities should be dropped before being received by the receiving host entity 150… The distributed mapping system 130 may send the firewall policies to one or more associated firewalls 123. A firewall device 123 positioned closer to the sending host entity 160 may be configured to perform firewalling according to firewall policies (service instruction));
	processing the data received from the first edge node at the network element according to the service instructions regarding the network function ([0060] discloses The firewall module 260 of the firewall device 123 may be configured to determine whether to pass or drop data packets destined for the receiving host entity 150 based on the firewall policies 290  (service instructions) of the receiving host entity 150. For example, the firewall module 260 may block locator requests from being passed to the distributed mapping system 130 when a firewall policy 290 indicates that the sending host entity 160 is not permitted to communicate with the receiving host entity 150 identified by the locator request.), 
	providing the processed data from the network element to a second edge node  (fig. 1, 150)  of the network fabric based on the service instructions ([0060] discloses The firewall module 260 of the firewall device 123 may be configured to determine whether to pass or drop data packets destined for the receiving host entity 150 based on the firewall policies 290 of the receiving host entity 150. … The Tx 225 of the firewall device 123 may forward the data packet (processed data) to the receiving host entity 150 (second edge node) when the firewall policy 290 of the receiving host entity permits receiving packets from a sending host entity 160).
	But, Pillay-Esnault does not explicitly disclose: 
	wherein the service instructions include instructions for implementing topology agnostic security functions to data received from the first edge node;
	However, in the same field of endeavor Trustsec discloses wherein the service instructions include instructions for implementing topology agnostic security functions to data received from the first edge node (SGACL Policies, discloses by assigning users and devices within the network to security groups and applying access control between the security groups (service instruction policy), Cisco TrustSec achieves role-based topology-independent access control within the network. Because SGACLs define access control policies based on device identities instead of IP addresses as in traditional ACLs, network devices are free to move throughout the network and change IP addresses. As long as the roles and the permissions remain the same, changes to the network topology do not change the security policy. When a user is added to the device, you simply assign the user to an appropriate security group and the user immediately receives the permissions of that group; fig. 1-4 discloses the host is not directly linked with Cisco TrustSec egress device that receives SGT tag about the host; Figure 1-3 shows an example of a Cisco TrustSec permissions matrix for a simple domain with three defined user roles and one defined destination resource (instructions for implementing topology agnostic security). Three SGACL policies control access to the destination server based on the role of the user); 
	Therefore, it would have been obvious to a person having ordinary skill in the art ate the time of the invention was effectively filed to combine the teaching of Pillay-Esnault with Trustesec. The modification would allow topology intendent security where devices security would not be limited by the devices address identifier or location as a result enabling effective security system.
	But, the combination does not explicitly disclose: receiving service instructions from a client regarding a network function at a network element, the service instructions including a table of network policies and rules; 
	However, in the same field of endeavor, Ahmed discloses receiving service instructions from a client regarding a network function at a network element, the service instructions including a table of network policies and rules ([0030] discloses CNC 32 (client) may configure a security policy for a security group having a security tag of “web,” and may push the security policy to virtual firewall 38 (network element that corresponds to firewall receiving service instruction) to apply the security policy to VMs associated with the “web” security tag. By applying security policies to security groups instead of individual network addresses (topology agnostic), virtual firewall 38 may dynamically apply the security policies to a group of virtual machines regardless if the virtual machines change locations; [0038] discloses Security management system 34 may push the one or more configured security policies (service instruction) to perimeter firewall (network element) 35 such that perimeter firewall 35 may apply the security policies at the perimeter level of data center 10. That is, perimeter firewall 35 may apply the security policies for the cluster of VMs originally identified in the security group information; [0039] discloses by obtaining security group information configured for a virtual firewall and configuring the perimeter firewall based on security group information, the network security for the virtual network is bridged with the network security for the physical network. Moreover, by implementing the techniques described herein, a perimeter firewall may dynamically apply security policies for a security group regardless of whether the virtual machines have changed location; [0045] discloses in response configuring the one or more security policies, firewall configuration module 57 may direct policy deployment engine 56 to deploy the configured one or more security policies to perimeter firewall 35);
Therefore, it would have been obvious to a person having ordinary skill in the art at the time of the invention was effectively filed to combine the teaching of the combination with Ahmed. The modification would allow a system to flexibly configure firewall using security group information policies to enable topology agnostic access control system to ensure security of services independent of topology of the device.
		Regarding claim 4.    The combination discloses computer-implemented method of claim 1.
Trustsec discloses, wherein the network element is at least one of a fabric border node of the network fabric or a firewall (fig.1- 4 discloses Trustsec egress firewall).
		Regarding claim 5.    The combination discloses computer-implemented method of claim 1.
		Ahmed discloses, further comprising providing instructions to routers of the network fabric based on the service instructions regarding the network function (fig. 3 discloses inbound traffic enters firewall 300; policy engine process access control and the data is forwarded to outbound traffic. The routers subsequent to the firewall corresponds to router receiving firewall instruction to direct data to destination).
Regarding claim 6.    The combination discloses computer-implemented method of claim 1.
Trustsec discloses, further comprising providing the data from the first edge node of the network fabric to a firewall designated in the service instructions (fig. 1-4 discloses the Trustsec ingress firewall sends data to Trustsec egress firewall).
		Regarding claim 7.    The combination discloses computer-implemented method of claim 6.
		Trustsec discloses, wherein the firewall applies security functions included in the service instructions (Ingress Tagging and Egress Enforcement discloses The Cisco TrustSec egress device enforces the SGACL policy (processing according to service instruction) that applies to source group 3 and destination group 4, the security group number assigned by the authentication server for the web server. If the SGACL allows the packet to be forwarded, the Cisco TrustSec egress switch modifies the packet to remove the SGT and forwards the packet to the web server).
		Regarding claim 8, Trustsec discloses a system comprising:
		 one or more processor (fig. 4 Trustsec ingress node (firewall)); and 
		At least one computer-readable storage medium having stored therein instructions (fig. 4 Trustsec ingress node (firewall)) which, when executed by the one or more processors, cause the system to:
		All other limitations of claim 8 are similar with the limitations of claim 1 above. Claim 8 is rejected on the analysis of claim 1 above.
		Regarding claim 11, the combination discloses the system of claim 8.
		All other limitations of claim 11 are similar with the limitations of claim 4 above. Claim 9 is rejected on the analysis of claim 4 above.
		Regarding claim 12, the combination discloses the system of claim 8.
		All other limitations of claim 12 are similar with the limitations of claim 5 above. Claim 12 is rejected on the analysis of claim 5 above.
		Regarding claim 13, the combination discloses the system of claim 13.
		All other limitations of claim 13 are similar with the limitations of claim 6 above. Claim 13 is rejected on the analysis of claim 6 above.
		Regarding claim 14, the combination discloses the system of claim 8.
		All other limitations of claim 14 are similar with the limitations of claim 7 above. Claim 14is rejected on the analysis of claim 7 above.
Regarding claim 15, the combination discloses a non-transitory computer-readable storage medium comprising:
Trustsec discloses instructions stored on the non-transitory computer-readable storage medium, the instructions, when executed by one or more processors (fig. 1-4 discloses Trustsec ingress node (firewall)), cause the one or more processors to:
All other limitations of claim 15 are similar with the limitations of claim 1 above. Claim 15 is rejected on the analysis of claim 1 above.
		Regarding claim 18, the combination discloses non-transitory computer readable storage medium of claim 15.
		All other limitations of claim 18 are rejected on the analysis of claim 4 above.
		Regarding claim 19, the combination discloses non-transitory computer readable storage medium of claim 15.
		All other limitations of claim 19 are rejected on the analysis of claim 5 above.
		Regarding claim 20, the combination discloses non-transitory computer readable storage medium of claim 15.
Trustsec discloses wherein the instructions, when executed by one or more processors, cause the one or more processors to provide the data from the first edge node of the network fabric to a firewall designated in the service instructions (fig. 1-4 discloses host sends data to Trustsec egress (firewall) through Trustsec ingress), wherein the firewall applies security functions included in the service instructions (Ingress Tagging and Egress Enforcement discloses The Cisco TrustSec egress device enforces the SGACL policy (processing according to service instruction) that applies to source group 3 and destination group 4, the security group number assigned by the authentication server for the web server. If the SGACL allows the packet to be forwarded, the Cisco TrustSec egress switch modifies the packet to remove the SGT and forwards the packet to the web server).
Claim 3, 10 and 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over The combination of Pillay-Esnault (US pg. no. 20180343236), Trustsec “Cisco TrustSec Switch Configuration Guide”, and Ahmed (US pg. no. 20200274852), further in view of Phillips (US pg. no. 20190173845).
		Regarding claim 3, the combination discloses the computer-implemented method of claim 1.
		But, the combination does not explicitly disclose:
		wherein the table of network policies and rules further includes at least one of ingress information, or egress information;
		However, in the same field of endeavor, Phillips discloses wherein the table of network policies and rules further includes at least one of ingress information, or egress information ([0061] The policy generation component 302 can also receive user input information (e.g., via the user portal 223) defining one or more variables of the firewall policy rule, including by not limited to: a directionality of the traffic (e.g., ingress or egress)).
		Therefore, it would have been obvious to a person having ordinary skill in the art at the time of the invention was effectively filed to combine the teaching of the combination with Phillips. The modification would allow including directional parameters of the traffic in rules and policy information of access control to effectively steer traffic to authorized network elements for ensuring a secured communication.
		Regarding claim 10, the combination discloses the system of claim 8.
		All other limitations of claim 10 are similar with the limitations of claim 3 above. Claim 10 is rejected on the analysis of claim 3 above.
		Regarding claim 17, the combination discloses non-transitory computer readable storage medium of claim 15.
		All other limitations of claim 17 are rejected on the analysis of claim 3 above.

Conclusion--
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. -
Voit (US pg. no. 20180139240) 
    	 Wong (US pg. no. 20140208388).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MESSERET F GEBRE whose telephone number is (571)272-8272.  The examiner can normally be reached on M-F 9:30 AM-5:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Oscar Louie can be reached on 571-2701684.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/MESSERET F GEBRE/Examiner, Art Unit 2445

/OSCAR A LOUIE/Supervisory Patent Examiner, Art Unit 2445