4:23-cv-02698
InfoExpress Inc v. Cisco Systems Inc
I. Executive Summary and Procedural Information
- Parties & Counsel:
  - Plaintiff: Infoexpress Inc. (California)
  - Defendant: Cisco Systems Inc. (Delaware)
  - Plaintiff’s Counsel: Saul Ewing LLP; Bunsow De Mory LLP
- Case Identification: 4:23-cv-02698, N.D. Cal., 09/28/2023
- Venue Allegations: Venue is alleged based on Defendant having an established place of business in the Northern District of California and having committed the alleged acts of infringement within the district.
- Core Dispute: Plaintiff alleges that Defendant’s Network Access Control (NAC) products, primarily its Identity Services Engine (ISE), infringe six patents related to systems and methods for dynamically controlling device access to secure computer networks.
- Technical Context: The technology at issue is Network Access Control (NAC), a foundational security component for enterprises that authenticates and authorizes devices, assesses their security compliance, and grants appropriate levels of network access.
- Key Procedural History: The complaint alleges a prior business relationship initiated in 2004, wherein Plaintiff joined Defendant’s “NAC Program” and shared technical details of its patented technology. Plaintiff further alleges that Defendant subsequently launched its own competing NAC product and had actual knowledge of at least two of the patents-in-suit as a result of citations made during the prosecution of Defendant’s own patent applications. This history is presented to support allegations of willful infringement.
Case Timeline
| Date | Event | 
|---|---|
| 2003-09-24 | Earliest Priority Date for all Patents-in-Suit | 
| 2003-01-01 | Plaintiff invents its CyberGatekeeper LAN (“CGK LAN”) product | 
| 2004-01-01 | Defendant announces its industry NAC Program | 
| 2004-11-01 | Plaintiff joins Defendant's NAC Program | 
| 2009-04-21 | U.S. Patent No. 7,523,484 Issues | 
| 2011-11-01 | U.S. Patent No. 8,051,460 Issues | 
| 2012-02-14 | U.S. Patent No. 8,117,645 Issues | 
| 2013-01-01 | U.S. Patent No. 8,347,350 Issues | 
| 2013-11-05 | U.S. Patent No. 8,578,444 Issues | 
| 2014-03-18 | U.S. Patent No. 8,677,450 Issues | 
| 2023-09-28 | Amended Complaint Filed | 
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 7,523,484 - Systems and Methods for Controlling Network Access
- Issued: April 21, 2009
The Invention Explained
- Problem Addressed: The patent describes prior art network security systems where a "gatekeeper" device must inspect all data traffic from an external device. This approach creates a performance bottleneck and is impractical and expensive to scale in large networks with numerous access points. (Compl. ¶40; ’484 Patent, col. 2:30-41).
- The Patented Solution: The invention proposes dividing a protected network into a "restricted subset" and a "less-restricted subset." An external device seeking access is initially connected only to the restricted subset, which contains a gatekeeper. The gatekeeper audits the device against a security policy. If the device complies, the gatekeeper sends a command to the network access point (e.g., a switch) to reconfigure the device's communication port, granting it access to the less-restricted subset. This allows subsequent data traffic to flow directly to the main network, bypassing the gatekeeper and avoiding the bottleneck. (Compl. ¶¶42-43; ’484 Patent, Abstract; col. 3:30-46).
- Technical Importance: This architecture offered a scalable method for enforcing endpoint security policies without degrading network performance, a key challenge as the number of personal and mobile devices connecting to corporate networks increased. (Compl. ¶40).
Key Claims at a Glance
- The complaint asserts independent claim 41. (Compl. ¶97).
- Claim 41 Elements:
  - A method for providing access to a protected network comprising a restricted subset and a less-restricted subset.
  - Receiving a request for access to the less-restricted subset from an access device external to the protected network.
  - The request being received through a communication port of an access point, with the port configured for communication between the device and the restricted subset.
  - Applying a security policy to the access device.
  - Reconfiguring the communication port to allow communication between the device and the less-restricted subset without passing the data through a gatekeeper, if the security policy is satisfied.
- The complaint reserves the right to assert additional claims. (Compl. ¶97).
U.S. Patent No. 8,051,460 - Systems and Methods for Controlling Network Access
- Issued: November 1, 2011
The Invention Explained
- Problem Addressed: As with its parent, the ’484 Patent, the ’460 Patent addresses the scalability and performance limitations of security architectures where a gatekeeper appliance must inspect all network traffic. (’460 Patent, col. 2:31-42).
- The Patented Solution: The patent claims a network access control system that implements a similar process. An authentication module handles initial authentication, while a gatekeeper formulates and sends an audit request to the connecting device. Based on the device's response, the gatekeeper approves or denies access. An Extensible Authentication Protocol (EAP) server layer then configures the network access point to grant the approved device access. (’460 Patent, Abstract; col. 4:51-67).
- Technical Importance: This system provides a structured framework for integrating endpoint posture assessment directly into the network authentication process using standard protocols like EAP. (Compl. ¶44).
Key Claims at a Glance
- The complaint asserts independent claim 16. (Compl. ¶108).
- Claim 16 Elements:
  - A network access control system.
  - An authentication module stored in memory and executable to authenticate a device seeking access based on information received from the device.
  - A gatekeeper stored in memory and executable to formulate an audit request, send the request, evaluate the response, and approve the device.
  - An EAP server layer stored in memory and executable to receive authentication information via an EAP protocol and configure an access point in response to the gatekeeper's approval.
- The complaint reserves the right to assert additional claims. (Compl. ¶108).
U.S. Patent No. 8,677,450 - Systems and Methods of Controlling Network Access
- Issued: March 18, 2014
Technology Synopsis
This patent claims a method for network access control where an access point is configured to limit a connecting device to a restricted network subset characterized by an access control list (ACL). After a security policy is applied and satisfied, the access point is reconfigured to allow broader access. (Compl. ¶121; ’450 Patent, Abstract).
Asserted Claims
Independent claim 1. (Compl. ¶119).
Accused Features
The accused features are the functionalities of Cisco’s ISE to scan network devices, apply security policies, and reconfigure access points based on the policy results. (Compl. ¶121).
U.S. Patent No. 8,578,444 - Systems and Methods of Controlling Network Access
- Issued: November 5, 2013
Technology Synopsis
This patent describes a method for auditing a device by authenticating it using an EAP protocol, sending a request for audit data to an agent on the device, and applying a security policy based on both the audit data and the authentication. (Compl. ¶132; ’444 Patent, Abstract).
Asserted Claims
Independent claim 1. (Compl. ¶130).
Accused Features
The accused features include Cisco ISE’s use of EAP for authentication and its process of sending requests to and receiving data from endpoints to perform posture assessments before granting access. (Compl. ¶132).
U.S. Patent No. 8,347,350 - Systems and Methods of Controlling Network Access
- Issued: January 1, 2013
Technology Synopsis
This patent claims a method where audit data is received from a device that does not yet have access to a less-restricted network subset. The device is audited, and in response to a successful audit, an access point is reconfigured to grant access. The method includes continually receiving and evaluating updated audit data to monitor ongoing compliance. (Compl. ¶143; ’350 Patent, Abstract).
Asserted Claims
Independent claim 1. (Compl. ¶141).
Accused Features
The accused features are Cisco ISE’s functionalities for receiving device posture data, auditing it against policy, reconfiguring an access point (e.g., via VLAN reassignment) to grant access, and continually monitoring the device. (Compl. ¶143).
U.S. Patent No. 8,117,645 - Systems and Methods of Controlling Network Access
- Issued: February 14, 2012
Technology Synopsis
This patent claims a system that includes an authentication module, a gatekeeper that formulates and evaluates audit requests, and an EAP server layer. The EAP server layer receives authentication information and configures an access point based on the gatekeeper's approval. (Compl. ¶154; ’645 Patent, Abstract).
Asserted Claims
Independent claim 1. (Compl. ¶152).
Accused Features
The accused features include Cisco ISE’s system architecture, which allegedly contains an authentication module, a gatekeeper function for auditing, and an EAP server layer for configuring access points. (Compl. ¶154).
III. The Accused Instrumentality
Product Identification
The complaint names Cisco’s Identity Services Engine (“ISE”) software, used alone and in combination with Cisco hardware including wireless access points (Catalyst 9100 series, Meraki), Secure Network Servers (SNS), and 9000-series routers. (Compl. ¶34).
Functionality and Market Context
Cisco ISE is described as an "identity-based network access control and policy enforcement system" for enterprises. (Compl. ¶35). Its core accused function is to check the security "compliance, also known as posture, of endpoints, before allowing them to connect to your network." (Compl. ¶37). The complaint alleges that when a device connects, ISE first confines it to a restricted network space, such as an "Authorization VLAN." While the device is confined, ISE acts as a "security gatekeeper to assess the security posture of that device." If the device meets the security policy, ISE "reconfigures the access point by assigning the endpoint to another VLAN (e.g. Corporate VLAN)" where it can access secure resources. (Compl. ¶38). This process is depicted in a network diagram provided in the complaint. (Compl. p. 9, Fig. 30).
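The access-control flow that the ’484 Patent's solution, the ’350 Patent's continual-monitoring step, and the ISE description above all turn on can be made concrete with a small simulation. The following is an added example written for this analysis; it is not code from the complaint, the patents, or Cisco ISE, and every name, VLAN number, policy field and posture record in it is constructed for illustration. It models a port that starts on a restricted VLAN reachable only by a gatekeeper, a posture audit against a policy, reassignment of the port to a less-restricted VLAN on success (after which frames no longer traverse the gatekeeper), and a later re-audit that moves a drifted endpoint back.

```python
"""Toy model of posture-based network access control with VLAN reassignment.

Added example; not code from the complaint, the patents-in-suit, or Cisco ISE.
All identifiers, VLAN numbers, policy fields and posture data are constructed.
"""
from dataclasses import dataclass
from typing import Optional

RESTRICTED_VLAN = 100   # stands in for the "Authorization VLAN" (constructed number)
CORPORATE_VLAN = 200    # stands in for the "Corporate VLAN" (constructed number)

# Constructed security policy: every item must be satisfied by the audit data.
POLICY = {
    "antivirus_enabled": True,
    "disk_encrypted": True,
    "min_patch_level": 42,
}


@dataclass
class Port:
    """One communication port on an access point, tagged with its current VLAN."""
    port_id: int
    vlan: int = RESTRICTED_VLAN
    mac: Optional[str] = None


class AccessPoint:
    """Switch/AP that owns ports and changes a port's VLAN only on command."""

    def __init__(self, n_ports: int = 4) -> None:
        self.ports = {i: Port(i) for i in range(1, n_ports + 1)}

    def connect(self, port_id: int, mac: str) -> Port:
        port = self.ports[port_id]
        port.mac, port.vlan = mac, RESTRICTED_VLAN   # every new link starts restricted
        return port

    def reconfigure(self, port_id: int, vlan: int) -> None:
        self.ports[port_id].vlan = vlan


class Gatekeeper:
    """Audits posture data against POLICY and commands port reconfiguration."""

    def __init__(self, ap: AccessPoint) -> None:
        self.ap = ap
        self.decisions = []   # (mac, outcome) log of every audit decision

    def audit(self, posture: dict) -> list:
        """Return the policy items the posture data fails to satisfy (empty = compliant)."""
        failures = []
        for key, required in POLICY.items():
            value = posture.get(key)
            if key.startswith("min_"):
                ok = isinstance(value, int) and value >= required
            else:
                ok = value == required
            if not ok:
                failures.append(key)
        return failures

    def handle_request(self, port_id: int, mac: str, posture: dict) -> int:
        """Audit the endpoint behind a port and set the port's VLAN accordingly.

        Returns the VLAN the port ends up on. Called both for the initial request
        and for every later posture update (continual monitoring)."""
        port = self.ap.ports[port_id]
        if port.mac != mac:
            raise ValueError("posture data arrived from a MAC not bound to this port")
        failures = self.audit(posture)
        target = CORPORATE_VLAN if not failures else RESTRICTED_VLAN
        self.ap.reconfigure(port_id, target)
        outcome = "approved" if not failures else "denied:" + ",".join(failures)
        self.decisions.append((mac, outcome))
        return target


def traffic_path(ap: AccessPoint, port_id: int) -> list:
    """Hops a frame from this port takes. Only the restricted VLAN reaches the
    gatekeeper, so an approved endpoint's traffic bypasses it entirely."""
    if ap.ports[port_id].vlan == RESTRICTED_VLAN:
        return ["access_point", "gatekeeper"]
    return ["access_point", "corporate_network"]


def run_scenario() -> dict:
    """Constructed walk-through: connect, audit, grant, re-audit after drift, revoke."""
    ap = AccessPoint()
    gk = Gatekeeper(ap)
    mac = "aa:bb:cc:00:00:01"   # constructed endpoint address
    ap.connect(1, mac)
    good = {"antivirus_enabled": True, "disk_encrypted": True, "min_patch_level": 45}
    vlan_after_grant = gk.handle_request(1, mac, good)
    path_after_grant = traffic_path(ap, 1)
    # Updated audit data from the agent shows antivirus was switched off.
    drifted = dict(good, antivirus_enabled=False)
    vlan_after_drift = gk.handle_request(1, mac, drifted)
    return {
        "vlan_after_grant": vlan_after_grant,
        "path_after_grant": path_after_grant,
        "vlan_after_drift": vlan_after_drift,
        "path_after_drift": traffic_path(ap, 1),
        "decisions": gk.decisions,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point the simulation makes is the one the infringement theory for the ’484 Patent depends on: once the port is on the corporate VLAN, `traffic_path` never includes the gatekeeper, so the enforcement point is the port configuration rather than inline inspection. The second `handle_request` call shows the ’350 Patent's continual-monitoring element as a repeated audit that can reverse the earlier reconfiguration; a real deployment would also have to decide how a posture agent is authenticated to its port, which the model reduces to a single MAC check.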
IV. Analysis of Infringement Allegations
The complaint references non-limiting claim charts in Exhibits FF-KK, which were not included with the filed complaint document. The following tables summarize the infringement theories for the lead patents based on the narrative allegations in the complaint.
U.S. Patent No. 7,523,484 Infringement Allegations
| Claim Element (from Independent Claim 41) | Alleged Infringing Functionality | Complaint Citation | Patent Citation | 
|---|---|---|---|
| A method for providing access to a protected network comprising a restricted subset and a less-restricted subset... | Cisco's ISE architecture creates a restricted "Authorization VLAN" and a less-restricted "Corporate VLAN". | ¶38 | col. 3:1-4 | 
| receiving a request for access to the less-restricted subset of the protected network from an access device... | An endpoint device connects to a Cisco access point, initiating a request to access the corporate network. | ¶38 | col. 4:16-20 | 
| the request being received through a communication port of an access point, the communication port configured for communicating between the access device and a restricted subset of the protected network... | The access point initially places the endpoint onto the restricted "Authorization VLAN". | ¶38 | col. 3:20-22 | 
| applying a security policy to the access device... | While the endpoint is on the restricted VLAN, Cisco's ISE assesses its security posture for compliance. | ¶37, ¶38 | col. 4:21-23 | 
| reconfiguring the communication port for communicating data between the access device and the less-restricted subset of the protected network without passing the data through a gatekeeper, if requirements of the security policy are satisfied. | If the endpoint complies, ISE reconfigures the access point to assign the endpoint to the less-restricted "Corporate VLAN", allowing subsequent data to bypass the ISE policy engine. | ¶38, ¶42, ¶43 | col. 4:24-30 | 
U.S. Patent No. 8,051,460 Infringement Allegations
| Claim Element (from Independent Claim 16) | Alleged Infringing Functionality | Complaint Citation | Patent Citation | 
|---|---|---|---|
| an authentication module... to authenticate a device seeking network access... | Cisco's ISE system authenticates connecting devices. | ¶36, ¶38 | col. 6:10-12 | 
| a gatekeeper... to formulate an audit request, send the audit request to the device, evaluate device information received from the device... and approve the device based on evaluation of the device information... | Cisco's ISE performs a posture or compliance check on the endpoint to determine if it meets security requirements, thereby performing the gatekeeper function. | ¶37, ¶38 | col. 6:13-19 | 
| an extensible authentication protocol (EAP) server layer... to receive the authentication information from the device using an EAP encryption protocol... | The accused system allegedly utilizes standard protocols such as EAP for authentication. | ¶44 | col. 6:20-23 | 
| and configure an access point in response to approval of the device by the gatekeeper. | Based on a successful posture assessment by ISE, the system configures the access point to grant the device access to the less-restricted network (e.g., by changing its VLAN). | ¶38, ¶43 | col. 6:23-25 | 
Identified Points of Contention
- Scope Questions: A central question may be whether Defendant's ISE, a software-based policy engine that may run on a separate server, meets the definition of a "gatekeeper" as described in the patents, particularly where patent figures illustrate the gatekeeper as a distinct network appliance. (e.g., ’460 Patent, Fig. 2). Further, the analysis may examine whether the alleged "restricted" and "less-restricted" subsets in the accused system correspond in scope to the subsets claimed in the patents.
- Technical Questions: The infringement theory for the ’484 Patent relies on the allegation that after an endpoint is granted access, its data traffic does not pass through the gatekeeper. (Compl. ¶42). A factual question for the court will be whether Cisco’s ISE architecture operates in this manner, or if certain types of monitoring or control traffic continue to be processed by the ISE policy engine post-authentication.
V. Key Claim Terms for Construction
The Term: "gatekeeper"
Context and Importance
This term is the central component that performs the security audit. Its construction is critical because the accused "gatekeeper" is a modern software platform (Cisco ISE), whereas the patent specification was written in the context of earlier network appliances. The scope of this term will determine if a distributed software function can infringe claims written with a hardware-centric embodiment in view.
Intrinsic Evidence for Interpretation
- Evidence for a Broader Interpretation: The claims define the "gatekeeper" functionally, by what it does (e.g., "formulate an audit request," "evaluate device information," "approve the device"), rather than by its specific hardware or software structure. (’460 Patent, col. 8:13-19). This may support an interpretation covering any component that performs these functions.
- Evidence for a Narrower Interpretation: The detailed description repeatedly illustrates the "GateKeeper" as a discrete component within the network diagram, separate from the access point and other servers. (’460 Patent, Fig. 2, element 225). A defendant may argue this context limits the term to a single, localized appliance rather than a distributed software service.
The Term: "reconfiguring the communication port"
Context and Importance
This is the mechanism by which the invention grants access without creating a bottleneck. The complaint alleges this is accomplished by "VLAN reassignment." (Compl. ¶43). The dispute will turn on whether the accused method of changing a device's network access rights constitutes "reconfiguring" the physical or logical port in the manner claimed.
Intrinsic Evidence for Interpretation
- Evidence for a Broader Interpretation: The specification explicitly states that "The reconfiguration typically includes reassigning the communication port from the restricted VLAN to the less-restricted VLAN." (’484 Patent, col. 3:26-29). The use of "typically" suggests VLAN reassignment is one example, not the only possible method, potentially broadening the term to cover other logical reassignments.
- Evidence for a Narrower Interpretation: The primary embodiment described and illustrated focuses on VLANs as the mechanism for defining network subsets and controlling access. A defendant may argue that this repeated emphasis limits the scope of "reconfiguring" to methods that are the same or equivalent to VLAN reassignment. (’484 Patent, col. 3:1-14).
VI. Other Allegations
Indirect Infringement
The complaint alleges inducement through extensive customer-facing materials, including the "ISE Admin Guide," training videos, software updates, and online support communities that allegedly instruct customers on how to configure and use the accused products in an infringing manner. (Compl. ¶¶86, 98). It alleges contributory infringement on the basis that Cisco’s Secure Network Servers are material components specially adapted to run the infringing ISE software and are not staple articles of commerce with substantial noninfringing uses. (Compl. ¶¶90-91, 99). A provided screenshot from a Cisco training video illustrates options for "Limited (VLAN, ACL, etc.)" access and "Dynamic VLAN Assignments," which the complaint offers as evidence of instruction to infringe. (Compl. p. 23).
Willful Infringement
Willfulness is alleged based on both pre- and post-suit knowledge. Pre-suit knowledge is alleged to arise from a prior business relationship between the parties and from Defendant’s own patent prosecution history, where the ’484 Patent (as a published application) and a related patent were cited by the USPTO against Defendant’s own patent applications. (Compl. ¶¶76-82).
VII. Analyst’s Conclusion: Key Questions for the Case
- A core issue will be one of definitional scope: can the term "gatekeeper," which the patents describe as a discrete network component, be construed to cover Defendant's modern, software-defined Identity Services Engine, a system that may be distributed across multiple servers? The outcome may depend on whether the court adopts a functional definition based on the claimed actions or a structural one based on the patent's embodiments.
- A key evidentiary question will be one of knowledge and intent: will the alleged history between the parties, including the prior business relationship and the patent prosecution citations, be sufficient to establish that Defendant knew of the patents and the alleged infringement, thereby supporting the claim for willful infringement and potential enhanced damages?