
PATROLL Winning Submission

U.S. Patent 7,739,302

The patent-at-issue, U.S. Patent 7,739,302 (“Firenet”), which was filed on Sep. 11, 2001
and claims a Sep. 1, 1998 priority date, is directed to dedicated firewall security for a network
attached device (NAD), provided by a firewall management system integrated directly into the
NAD or into a NAD server. A local area network arrangement includes a network client and the
NAD. The firewall management system includes a computer readable medium having
computer-executable instructions that perform the steps of receiving a request for network access
to the NAD from the network client, determining whether the request for network access to the
NAD is authorized, and, only if the request for network access is authorized, providing the
network client with network access to the NAD.

The article “Firewalls” (“Firewalls”) was published online on May 1, 1997
(https://courses.cs.washington.edu/courses/csep561/97sp/paper1/paper09/).

U.S. Patent 6,272,127 (“Ehron”), which was filed on Nov. 10, 1997 without any claim to
an earlier priority date, is directed to a system that provides broadband multimedia
communication over the standard circuit-switched public switched telephone network
infrastructure (PSTN) and other physical or virtual circuit-switched infrastructures while
simultaneously and transparently interoperating with the public Internet packet-switched
infrastructure to effectively merge the capabilities of the two types of infrastructures. The
invention allows users to establish both packet-switched connections for sending or receiving
content for which low-latency and unpredictable response times are not a problem (i.e. text,
small graphics, e-mail, small file transfers); and circuit-switched connections for sending or
receiving content that benefits from streaming data at fixed data rates, without contention for
bandwidth from other users during a communication session, (i.e. video, voice, complex graphics
and animations, or large file transfers).

A sample claim chart comparing Firenet to Firewalls and Ehron is provided below.

PATROLL – Prior Art Crowdsourcing
http://patroll.unifiedpatents.com
US7739302 (“Firenet”) vs. Firewalls & US6272127 (“Ehron”)

[1.pre.] 1. A network arrangement comprising: a network client and at least one network attached device (NAD) residing on a same network;

US7739302:

“Network clients 114 send data packets, containing NAD-access requests, to the NAD server 110.”

“The NAD server 110 operates in a networked computer environment, using logical connections to one or more remote computers, such as a network client 114.”

“A network attached device (NAD) may be any type of hardware unit that is connected to a computer network. Exemplary NADs include, but are not limited to: CD-ROM drives, DVD drives, optical drives, tape drives, hard disk drives, ZIP drives, JAZ drives, routers, printers, facsimile machines, audio devices, and video devices. NADs are generally connected to a local area network (LAN) via a NAD server. A NAD server provides the users of the LAN with access to the resources of the network.”

A. Firewalls

No similar disclosure found.

B. US6272127

“Yet another object of the present invention is to provide a network that combines access to the public Internet for access to packet-switched services such as a user's LAN and/or the Internet, and to the PSTN infrastructure for access to wide area point-to-point switched-circuit services, using a single physical access connection to an individual user, with seamless World Wide Web browser software control of both classes of service, and the use of Internet Protocol (IP) addressing to control circuit switching over the PSTN circuit switching and transport infrastructure.” Ehron at 2:40-49.

“Workstation interface 140-A intercepts user A's request for a videoconference, sets up streams for the necessary media devices (e.g., camera, microphone, speaker, video display), and formats a request for sending to the network control system server 40 via signaling network 30.” Id. at 54:48-52.

“Monitor overlay and output block 300 receives the video display signal from user workstation 100 and outputs a video display signal to the user workstation 100 display monitor 101. During a broadband network connection, monitor overlay and output block 300 also may receive video signals from the network, or locally connected cameras 154, via encode/decode block 302.” Id. at 11:22-28.

[1.a.] a NAD server disposed between the network client and the NAD,

US7739302:

“A NAD server generally refers to a node (computer) on the LAN that permits other nodes on the LAN to access one or more NADs. A NAD server processes NAD-access requests and provides the appropriate access to a NAD. The NAD server may send incoming data from the requesting node to the NAD, or may retrieve data from the NAD and send the retrieved data back to the requesting node. NAD servers are generally dedicated servers, meaning that their sole purpose is to provide access to NADs. NAD servers often support multiple network protocols, which allow them to accept NAD-access requests from various nodes in a heterogeneous network environment.”

“A NAD server may be managed remotely by network clients.”

A. Firewalls

“A server which is part of the internal network which services dialup connections. Off-site employees can access this server with their username and password in order to access the internal networks, including mail, FTP, product development and internal Web information.” Firewalls.

“As a growing software company, RCS attends approximately 150 trade shows per year. Since RCS has products that involve logging into large computers, a demo at a trade show would always include a remote login back to a host Seattle.” Id.

“There are four areas in this network plan where RCS is currently researching a future direction: remote access to mail, virtual private networks, product distribution via the World Wide Web, and firewall redundancy.” Id.

B. US6272127

“Network control system server 40 handles routing and billing of connections between network users. Signaling network 30 consists of packet-switched links and routers that are secured from intrusion by users outside the broadband network.” Ehron at 5:47-52.

“For reliability and stability, network control system server 40 actually comprises one or more farms of computing equipment which each calculate circuit-switched connection routes, control switching and user terminal equipment, and provide network provisioning, monitoring, and management.” Id. at 45:33-38.

“An embodiment of one farm in a network control system server 40 according to the present invention is shown in FIG. 45. As can be seen, it includes a router 71, a director 72, route controllers 73, switch monitors 74, a database server 76, and signaling network interfaces 81, all connected on a high speed local network 75.” Id. at 45:56-61.

“The database server 76 provides access to disk array 77. Disk array 77 is also attached to low speed local network 78 for maintenance and billing.” Id. at 45:61-63.

“Also attached to low speed local network 78 are provisioning manager 79, graph calculator 80, and billing management component 82. Signaling interfaces 81 provide communications to all network elements connected via signaling network 30 and router 71.” Id. at 45:64 to 46:1.

“It is one of the objects of the present invention, and new in the art, that a user's particular multimedia communication traffic can be carried transparently end-to-end using different types of underlying switching and data transport methodologies, even on different segments of a given connection between two or more users, under the common control of the network control system server 40.” Id. at 5:62-67 to 6:1-2.

“When a circuit-switched connection is being set up, information sent over the signaling network 30 to the network control system server 40 from the premises switches 110 involved at both the originating and terminating ends of the connection includes the IP and Ethernet addresses of the originating user workstation 100 and its associated workstation interface 140 and the terminating user workstation 100 and its associated workstation interface 140.” Id. at 36:41-49.

[1.b.] the NAD server being configured to electronically communicate with the NAD over a connection,

A. Firewalls

No similar disclosure found.

B. US6272127

“When a circuit-switched connection is being set up, information sent over the signaling network 30 to the network control system server 40 from the premises switches 110 involved at both the originating and terminating ends of the connection includes the IP and Ethernet addresses of the originating user workstation 100 and its associated workstation interface 140 and the terminating user workstation 100 and its associated workstation interface 140.” Ehron at 36:41-49.

“In this configuration, the destination address for the video output from the video server is defined as the IP address assigned by network control system server 40 for the video portion of the broadband connection.” Id. at 38:32-35.

[1.c.] the NAD server being further configured to receive request contained in a data packet for network access to the NAD,

A. Firewalls

“A server which is part of the internal network which services dialup connections. Off-site employees can access this server with their username and password in order to access the internal networks, including mail, FTP, product development and internal Web information.” Firewalls.

“In addition, proxy servers can proved additional features such as user authentication, enhanced logging, and protocol specific filtering. For example, the proxy server can be configured to allow FTP get commands from the internal network, but deny FTP put commands to the internal network.” Id.

B. US6272127

“When a new connection is to be made within the broadband network, the originating workstation interface 140 sends a connection setup request to network control system server 40 over signaling network 30, preferably via TCP.” Ehron at 51:4-7.

“An embodiment of one farm in a network control system server 40 according to the present invention is shown in FIG. 45. As can be seen, it includes a router 71, a director 72, route controllers 73, switch monitors 74, a database server 76, and signaling network interfaces 81, all connected on a high speed local network 75.” Id. at 45:56-61.

“Signaling interfaces 81 receive bandwidth reservation requests from network elements which require the bandwidth (typically user workstations 100 or workstation interfaces 140 using software described in Section I).” Id. at 51:13-16.

“The signaling interface is responsible for contacting any other network elements known to the user initiating a request for a switched-circuit connection (these other network elements are typically other user workstations or information servers such as web servers also connected to the broadband network that will benefit from this bandwidth reservation and subsequent switched-circuit connection), and for executing a message exchange with the other network elements using a predetermined protocol for determining whether the users of those other network elements wish to participate in the reservation of bandwidth for a particular connection.” Id. at 51:16-26.

[1.d.] the NAD server including computer executable instructions that, upon execution, cause the NAD server to: determine whether the header of a received data packet containing the request for network access includes (i) at least one of an IP address of a network source, (ii) an IP address of a network destination,

A. Firewalls

“One of the main disadvantages is of packet filtering that it is more limited in the types of access control that it provides. Routers can only filter based on host addresses, and type of service. They do not have the ability to filter service based on user, or on the type of operation being performed. For example, you may want to allow users on the external network to use FTP to get files from your site, but be able to put files. Packet filtering does not provide a mechanism to do this. It can also be difficult to set up a rules table that is correct, and that accurately reflects your security model.” Firewalls.

“IP packet filtering is performed at the network level use a screening router. The router parses the network packet headers for the following information
- packet type (TCP, UDP, etc.)
- source and destination IP address
- destination TCP/UDP port
to filter which packets are allowed into or out of your internal network.” Id.

B. US6272127

“However, the table assignments for circuit-switched connections are determined and transmitted by network control system server 40 to premises switch 110 when a connection is being set up, and the assignments last only as long as the connection lasts.” Ehron at 33:10-16.

“As shown in FIG. 19, premises switch 110 includes a routing function 113, bonder 114, network interface card 115, CPU 116, RAM 117, network address translation function 119, network command translation function 121, and bonding function 123 that communicate via bus 118. Packet switch 112 communicates with network interface card 115 via an Ethernet link.” Id. at 25:26-32.

“Routing function 113 is shown separately for clarity, but may be implemented as software running on CPU 116 or other processor. It is responsible for screening data packets received via packet switch 112 and directing them to the appropriate output port of bonder 114. It also performs security functions that provide additional safeguards against unauthorized use of the broadband network by, for example, further screening the destination and source addresses of the packets.” Id. at 26:14-21.

“When a data packet is received from packet switch 112, routing function 113 inspects the destination IP address in the header. If the destination IP address matches one of the table entries, routing function 113 further compares the source IP address and source Ethernet address to the table entries and drops the packet if they do not match. Otherwise, the packet is forwarded to bonder 114 for transmission.” Id. at 33:32-39.
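The screening-router filtering that the Firewalls article describes under element [1.d] (parse the packet header for packet type, source and destination IP address and destination TCP/UDP port, then consult a rules table) is shown below as an added Python example. It is not code from the article, the patent or any party to the submission; the rules table, the addresses and the sample packets are constructed for the demonstration, and the constructed packets carry no checksums. It also illustrates the limitation the article points out: two FTP packets that differ only in their payload (a get versus a put) look identical to a filter that sees only the header.

```python
import struct
from ipaddress import ip_address, ip_network

IPPROTO_TCP, IPPROTO_UDP = 6, 17


def parse_header(raw: bytes) -> dict:
    """Extract the fields a screening router consults from a raw IPv4 packet:
    packet type (protocol), source and destination IP, destination port."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _total_len, _ident, _flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes (options included)
    if ihl < 20 or len(raw) < ihl:
        raise ValueError("bad IHL")
    dport = None
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        if len(raw) < ihl + 4:
            raise ValueError("truncated transport header")
        _sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    return {"proto": proto, "src": ip_address(src), "dst": ip_address(dst), "dport": dport}


# Constructed rules table, evaluated first-match: (action, proto or None,
# source network, destination network, destination port or None).
RULES = [
    ("allow", IPPROTO_TCP, ip_network("0.0.0.0/0"), ip_network("192.0.2.10/32"), 21),  # FTP host
    ("allow", IPPROTO_TCP, ip_network("0.0.0.0/0"), ip_network("192.0.2.25/32"), 25),  # mail host
    ("deny", None, ip_network("0.0.0.0/0"), ip_network("192.0.2.0/24"), None),          # everything else inbound
]


def screen(raw: bytes) -> str:
    """Apply the rules table to one packet; unmatched packets are denied."""
    h = parse_header(raw)
    for action, proto, src_net, dst_net, dport in RULES:
        if proto is not None and proto != h["proto"]:
            continue
        if h["src"] not in src_net or h["dst"] not in dst_net:
            continue
        if dport is not None and dport != h["dport"]:
            continue
        return action
    return "deny"


def make_packet(proto: int, src: str, dst: str, sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Build a constructed IPv4 packet with a minimal port-only transport header
    (no checksums); enough for the filter to parse, not a real wire packet."""
    transport = struct.pack("!HH", sport, dport) + payload
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(transport), 0, 0, 64, proto, 0,
                         ip_address(src).packed, ip_address(dst).packed)
    return header + transport


def demo() -> dict:
    """Same header, different FTP operations: the filter cannot tell them apart."""
    get_pkt = make_packet(IPPROTO_TCP, "203.0.113.7", "192.0.2.10", 40000, 21, b"RETR notes.txt\r\n")
    put_pkt = make_packet(IPPROTO_TCP, "203.0.113.7", "192.0.2.10", 40000, 21, b"STOR notes.txt\r\n")
    telnet = make_packet(IPPROTO_TCP, "203.0.113.7", "192.0.2.10", 40001, 23)
    return {"ftp_get": screen(get_pkt), "ftp_put": screen(put_pkt), "telnet": screen(telnet)}


if __name__ == "__main__":
    print(demo())
```

The result of `demo()` is that both FTP packets are allowed and the telnet packet is denied; distinguishing a get from a put needs an application-level proxy of the kind the article describes under element [1.c], not a header filter.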

[1.e.] (iii) and a route of the data packet,

A. Firewalls

No similar disclosure found.

B. US6272127

“Since the IP address of the premises switch is included in the broadband network user's routable phone number, this number can be used to readily determine the route between any two users in the network with any intermediate number of city nodes when a connection is requested between the two users, or by precalculating a list of routes, as will now be explained in more detail.” Ehron at 47:1-7.

“52. A network for establishing a connection between at least two network elements over a circuit-switched infrastructure, said infrastructure being one of a physical and virtual circuit-switched infrastructure, said network elements having respective IP addresses, said network comprising:
a network control system server that establishes a circuit of said circuit-switched infrastructure between said two network elements in accordance with a route determined on the basis of said respective IP addresses of said network elements,
wherein said network control system server assigns temporary IP addresses for said connection, said at least two network elements communicating over said circuit via said temporary IP addresses.” Ehron, claim 52.

[1.f.] the NAD being further configured to filter the data packet based at least on an IP address in a header of the data packet and to:

A. Firewalls

“A packet filtering architecture typically consists of a single screening router that is placed between the internal and external network (see figure 1).” Firewalls.

B. US6272127

“Routing function 113 is shown separately for clarity, but may be implemented as software running on CPU 116 or other processor. It is responsible for screening data packets received via packet switch 112 and directing them to the appropriate output port of bonder 114. It also performs security functions that provide additional safeguards against unauthorized use of the broadband network by, for example, further screening the destination and source addresses of the packets.” Ehron at 26:14-21.

[1.g.] determine whether the received request for network access to the NAD is authorized; and

A. Firewalls

No similar disclosure found.

B. US6272127

“Routing function 113 is shown separately for clarity, but may be implemented as software running on CPU 116 or other processor. It is responsible for screening data packets received via packet switch 112 and directing them to the appropriate output port of bonder 114. It also performs security functions that provide additional safeguards against unauthorized use of the broadband network by, for example, further screening the destination and source addresses of the packets.” Ehron at 26:14-21.

“Routing function 113 then inspects the packet's source Ethernet (Src E'Net) and IP address (Src IP) to determine if the user sending the packet is authorized to use the broadband network. If so, the packet is routed to the appropriate port of the bonder module Internet access.” Id. at 36:2-7.

[1.h.] provide the network client with network access to the NAD only if the request for network access is authorized, such that the NAD is protected from unauthorized access requests from the network client and other devices in a manner that is in addition to any protection afforded by a firewall.

US7739302:

“Bastion firewalls are typically the only layer of security for NADs attached to a LAN. NAD servers are not equipped with a second layer of security because it is generally accepted that such a second layer of security is redundant with the bastion firewall. Therefore, once a bastion firewall is penetrated, whether by an authorized or unauthorized user, the user typically gains unrestricted access to all resources of the LAN, including any NADs. However, the level of security provided by a bastion firewall may not always supply adequate protection for the NADs of a LAN. For example, it may be desirable to establish varying levels of security clearance, such that only certain authorized users of the LAN are permitted to access a particular NAD server. Also, if a NAD server provides access to valuable or sensitive data stored on a NAD, it may be desirable to implement extra security measures to prevent an unauthorized user of the LAN, who happens to penetrate the bastion firewall, from gaining access to the NADs.

Accordingly, there remains a need for a NAD server having an integrated firewall, which provides an additional layer of security for a NAD beyond that provided by a bastion firewall.”

A. Firewalls

“A firewall system can not solve all Internet security issues. For example, it does not provide protection from insider attacks. It is also not very useful to set up a firewall if you users will set up unrestricted modems on internal machines.” Firewalls.

“The screened subnet architecture adds an extra level of security by creating a screened subnet (also referred to as a perimeter network or a "DMZ") between the internal and external networks. There may be one or more application gateways on the screened subnet. The exterior router restricts Internet access to specific systems on the screened subnet. The inner router passes traffic to and from the internal systems to one of the hosts on the screened subnet. Thus, no site system is directly reachable from an external system and vice-versa.” Id.

B. US6272127

“Packets that are forwarded from the packet switch 112 to bonder 114 within premises switch 110 can have three possible destinations. First, the packet can be destined for the Internet. Such packets arriving at routing function 113 have a destination IP address assigned for Internet access (Dest IP=Internet Access IP). Routing function 113 then inspects the packet's source Ethernet (Src E'Net) and IP address (Src IP) to determine if the user sending the packet is authorized to use the broadband network. If so, the packet is routed to the appropriate port of the bonder module Internet access.” Ehron at 35:64 to 36:7.

“The premises switch can thus insure that only the parties involved in the particular connection are allowed to use the switched bandwidth provided for that connection.” Id. at 37:10-13.

“Should the arriving packet not be from a user workstation or workstation interface that is authorized to send traffic on the specific broadband network switched connection, the packet is discarded by the premises switch.” Id. at 28:30-34.

“As another alternative, switch commanders may be physically located at the site of the network control system server 40. In this case, X.25 is carried over leased lines to the appropriate DACS to be controlled, while the switch commander itself is accessed via the network control system server's own Ethernet. If such configurations of switch commanders are provided, an Internet subnet may also be provided with appropriate firewalls and security so the carrier providing DACS switching services can be provided with access to billing and auditing records from the switch commander.” Id. at 41:9-19.

“Routing function 113 is shown separately for clarity, but may be implemented as software running on CPU 116 or other processor. It is responsible for screening data packets received via packet switch 112 and directing them to the appropriate output port of bonder 114. It also performs security functions that provide additional safeguards against unauthorized use of the broadband network by, for example, further screening the destination and source addresses of the packets.” Id. at 26:14-21.
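The two-layer arrangement at issue in elements [1.g] and [1.h] (a bastion firewall at the perimeter, plus the NAD server's own header-based authorization that admits only cleared clients) is modelled below as an added Python example. It is not code from the patent, the Firewalls article or either party; the LAN prefix, the client registry, the per-NAD clearance list, the `nad` request field and all addresses are constructed assumptions. The second layer combines the check quoted from Ehron at 33:32-39 (a source IP must also match the Ethernet address it was registered with, otherwise the packet is dropped) with the varying levels of clearance the Firenet specification describes, and the demonstration shows a request that the bastion would pass being refused by the NAD server.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("10.0.0.0/24")   # constructed LAN prefix; any other source is external


@dataclass(frozen=True)
class AccessRequest:
    """Header fields of a NAD-access request as the NAD server sees them (constructed)."""
    src_ip: str
    src_mac: str
    nad: str          # name of the NAD the request targets (assumed field)


def bastion_allows(req: AccessRequest) -> bool:
    """Layer 1, the bastion firewall: it screens the perimeter only, so any
    source already on the LAN passes, which is the gap the Firenet text describes."""
    return ip_address(req.src_ip) in LAN


class NadServerFirewall:
    """Layer 2, integrated into the NAD server. Two header-driven checks:
    a binding of each registered client IP to its Ethernet address (drop on
    either mismatch), then a per-NAD clearance list."""

    def __init__(self) -> None:
        self._bound = {}       # src_ip -> src_mac registered for that client
        self._clearance = {}   # nad -> set of src_ip cleared to use it

    def register_client(self, src_ip: str, src_mac: str) -> None:
        self._bound[src_ip] = src_mac

    def grant(self, nad: str, src_ip: str) -> None:
        self._clearance.setdefault(nad, set()).add(src_ip)

    def authorize(self, req: AccessRequest) -> tuple:
        """Return (allowed, reason) for one request."""
        mac = self._bound.get(req.src_ip)
        if mac is None:
            return False, "source IP is not a registered client"
        if mac != req.src_mac:
            return False, "source IP does not match its registered Ethernet address"
        if req.src_ip not in self._clearance.get(req.nad, set()):
            return False, f"client is not cleared for {req.nad}"
        return True, "authorized"


def handle(req: AccessRequest, nad_fw: NadServerFirewall) -> str:
    """Run a request through both layers and report which one decided it."""
    if not bastion_allows(req):
        return "blocked by bastion firewall"
    ok, reason = nad_fw.authorize(req)
    return "access granted" if ok else "denied by NAD server: " + reason


def build_demo_server() -> NadServerFirewall:
    """Constructed registry: two clients, the tape drive cleared for one of them."""
    fw = NadServerFirewall()
    fw.register_client("10.0.0.10", "00:11:22:33:44:55")
    fw.register_client("10.0.0.11", "00:11:22:33:44:66")
    fw.grant("tape0", "10.0.0.10")
    fw.grant("printer0", "10.0.0.10")
    fw.grant("printer0", "10.0.0.11")
    return fw


if __name__ == "__main__":
    fw = build_demo_server()
    for req in (
        AccessRequest("10.0.0.10", "00:11:22:33:44:55", "tape0"),   # cleared client
        AccessRequest("10.0.0.11", "00:11:22:33:44:66", "tape0"),   # LAN user, not cleared
        AccessRequest("10.0.0.10", "de:ad:be:ef:00:01", "tape0"),   # right IP, wrong Ethernet address
        AccessRequest("10.0.0.50", "de:ad:be:ef:00:02", "printer0"),  # unregistered LAN host
        AccessRequest("203.0.113.7", "00:11:22:33:44:55", "tape0"),  # external source
    ):
        print(req.src_ip, req.nad, "->", handle(req, fw))
```

Only the last request is stopped by the bastion; the three other refusals come from the NAD server, which is the additional layer of protection element [1.h] recites.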
