1:18-cv-05564
Firenet Tech LLC v. Kemp Tech Inc
I. Executive Summary and Procedural Information
- Parties & Counsel:
  - Plaintiff: FireNet Technologies, LLC (Georgia)
  - Defendant: KEMP Technologies Inc. (Delaware)
  - Plaintiff’s Counsel: Kheyfits Belenky LLP
- Case Identification: 1:18-cv-05564, S.D.N.Y., 08/20/2018
- Venue Allegations: Venue is alleged to be proper as Defendant is headquartered in the State of New York, maintains a regular and established place of business in the district, and has committed alleged acts of patent infringement in the district.
- Core Dispute: Plaintiff alleges that Defendant’s LoadMaster line of networking products and services infringes four U.S. patents related to network security, specifically the use of dedicated firewalls to protect network attached devices.
- Technical Context: The technology at issue concerns methods and systems for providing a dedicated, secondary layer of firewall protection for specific devices within a corporate or cloud network, a foundational concept in modern layered security architectures.
- Key Procedural History: The complaint details pre-suit notice provided to Defendant on April 12, 2018. Subsequent to the filing of the complaint, U.S. Patent No. 8,892,600 underwent an inter partes review (IPR2020-00471), which resulted in the cancellation of all asserted claims (1-17, 19-23) in a certificate issued October 12, 2021. The complaint’s infringement count for this patent, which relies on at least the now-cancelled claim 8, may be impacted by this proceeding.
Case Timeline
| Date | Event |
|---|---|
| 1998-09-01 | Earliest Priority Date for all Patents-in-Suit |
| 2001-11-13 | U.S. Patent No. 6,317,837 Issued |
| 2010-06-15 | U.S. Patent No. 7,739,302 Issued |
| 2012-06-20 | Alleged Infringement Commenced ("at least six years prior") |
| 2012-11-06 | U.S. Patent No. 8,306,994 Issued |
| 2014-11-18 | U.S. Patent No. 8,892,600 Issued |
| 2015-01-16 | Accused Product testing mentioned in social media post |
| 2018-04-12 | Plaintiff sends notice letter to Defendant |
| 2018-06-20 | Original Complaint Filed |
| 2018-08-20 | First Amended Complaint Filed |
| 2021-10-12 | IPR Certificate Issued Cancelling Asserted ’600 Patent Claims |
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 6,317,837 - Internal Network Node With Dedicated Firewall
- Patent Identification: U.S. Patent No. 6,317,837, Internal Network Node With Dedicated Firewall, issued November 13, 2001.
The Invention Explained
- Problem Addressed: The patent’s background section describes that conventional network security relies on a single "bastion firewall" to protect an entire internal network (LAN) from external threats. A key vulnerability of this architecture is that once this perimeter is breached, an intruder often gains unrestricted access to all devices on the LAN, including sensitive Network Attached Devices (NADs) like file servers or printers (’837 Patent, col. 1:33-59).
- The Patented Solution: The invention proposes a NAD server that incorporates its own integrated, dedicated firewall. This creates a distinct, second layer of security specifically for the NAD. This dedicated firewall is designed to screen all access requests directed to its associated NAD, including requests originating from within the supposedly secure internal network. It filters these requests based on information in the data packet headers, such as IP addresses, thereby protecting the NAD from unauthorized access even from other nodes on the same LAN (’837 Patent, col. 2:1-14; Fig. 1).
- Technical Importance: The invention describes an early implementation of device-centric security within a trusted network, a principle that anticipates modern "zero-trust" security models where no traffic, internal or external, is implicitly trusted (’837 Patent, col. 1:50-59).
Key Claims at a Glance
- The complaint asserts at least independent method claim 37 (Compl. ¶20).
- Essential elements of claim 37 include:
  - A method of managing access to a NAD within a network arrangement that has distinct internal and external networks, where a bastion firewall separates the two.
  - Determining for "each and every request" whether access to the NAD is authorized.
  - Providing access when the request is authorized.
  - Denying access when the request is not authorized.
  - The result is that the NAD is protected by a "dedicated NAD firewall" from unauthorized requests originating from "intermediate and internal and external nodes" of the network.
U.S. Patent No. 7,739,302 - Network Attached Device With Dedicated Firewall Security
- Patent Identification: U.S. Patent No. 7,739,302, Network Attached Device With Dedicated Firewall Security, issued June 15, 2010.
The Invention Explained
- Problem Addressed: Similar to its parent patent, the ’302 Patent addresses the inadequacy of relying solely on a perimeter bastion firewall, which leaves internal resources vulnerable once penetrated (’302 Patent, col. 1:44-54).
- The Patented Solution: The patent claims a specific network arrangement comprising a network client, a NAD, and a NAD server all residing on the same network. The NAD server is positioned between the client and the NAD and contains instructions to filter access requests. It examines the header of an incoming data packet (for source IP, destination IP, etc.) to determine if the request is authorized and, only if authorized, grants the client access to the NAD. This protection is explicitly claimed as being "in addition to any protection afforded by a firewall" (’302 Patent, col. 2:10-48; Abstract).
- Technical Importance: This patent refines the dedicated firewall concept by claiming a specific system architecture and the server's explicit function of packet header-based filtering as an additional, distinct layer of security (’302 Patent, col. 9:1-9).
Key Claims at a Glance
- The complaint asserts at least independent claim 1 (Compl. ¶31).
- Essential elements of claim 1 include:
  - A network arrangement with a network client, a NAD, and a NAD server residing on the same network.
  - The NAD server is disposed between the client and the NAD and is configured to receive data packets requesting access to the NAD.
  - The NAD server has instructions to determine if the packet header contains certain information (e.g., source IP, destination IP).
  - The server determines if the request is authorized based on this information.
  - The server provides the client with access to the NAD "only if the request for network access is authorized."
  - This protection is "in addition to any protection afforded by a firewall."
U.S. Patent No. 8,306,994 - Network Attached Device With Dedicated Firewall Security
- Patent Identification: U.S. Patent No. 8,306,994, Network Attached Device With Dedicated Firewall Security, issued November 6, 2012.
- Technology Synopsis: This patent claims a method for providing dedicated firewall security for a Network Attached Device (NAD). The method involves a NAD server processing a request for a NAD device, where the NAD is only accessible through that server. The NAD server includes a firewall that determines whether to authorize or deny the request based on filtering the IP header of the data packet, thereby protecting the NAD from undesirable requests (’994 Patent, Abstract; Compl. ¶42).
- Asserted Claims: The complaint asserts at least method claim 10 (Compl. ¶42).
- Accused Features: The firewall functionality of the KEMP LoadMaster, such as Access Control Lists, is alleged to perform the claimed method of processing, filtering, and authorizing or denying access requests to a Web Access server based on the IP header of the request packet (Compl. ¶42).
U.S. Patent No. 8,892,600 - Network Attached Device With Dedicated Firewall Security
- Patent Identification: U.S. Patent No. 8,892,600, Network Attached Device With Dedicated Firewall Security, issued November 18, 2014.
- Technology Synopsis: This patent describes a computer-implemented method where a first computing device on an internal network receives data packets, some originating externally. It examines the packets for an IP address associated with an "attached device" (e.g., a hard drive) that is coupled to a second, isolated computing device. The first device filters, authorizes, and then reformulates the data packets to enable communication with the attached device (’600 Patent, Abstract; Compl. ¶53).
- Asserted Claims: The complaint asserts at least method claim 8 (Compl. ¶53).
- Accused Features: The KEMP LoadMaster is alleged to function as the "first computing device" that receives packets, filters them using an Access Control List, and "reformulates" them (e.g., by changing header fields or decrypting) to allow access to an attached device (like a hard drive) on a separate Web Access server, which acts as the "second computing device" (Compl. ¶53).
III. The Accused Instrumentality
Product Identification
The complaint names Defendant KEMP's networking products and services, including the LoadMaster Virtual (VLM series), LoadMaster Cloud, LoadMaster Hardware (LM series), and LoadMaster Bare Metal (LMB series) product lines (Compl. ¶19). These are referred to collectively as the "Accused Products."
Functionality and Market Context
The Accused Products are described as application delivery controllers and load balancers used to manage network traffic and access to servers, such as a Web Access server (Compl. ¶20, 42). The complaint alleges that a key functionality is the use of Access Control Lists to determine, based on information like IP addresses in a packet header, whether a request for network access is authorized (Compl. ¶20). The complaint further alleges that KEMP offers professional services for deployment and configuration, as depicted in a table of services on its website, and has performed over 40,000 implementations, suggesting a significant market presence (Compl. ¶21, Ex. F).
IV. Analysis of Infringement Allegations
’837 Patent Infringement Allegations
| Claim Element (from Independent Claim 37) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| A method of managing access to a network attached device (NAD) in a network arrangement including a first group of nodes defining an internal network and a second group of nodes defining an external network... | KEMP's Accused Products are used in a network arrangement to manage access to a NAD, such as a Web Access server. The arrangement has an internal network (e.g., servers) and an external network (e.g., Internet clients). | ¶20 | col. 7:5-13 |
| ...the external network being connected in communication with the internal network by an intermediate node including a bastion firewall... | The external network connects to the internal network "through a firewall in the perimeter network." | ¶20 | col. 1:33-39 |
| determining for each and every request for network access to the NAD whether each request for network access to said NAD is authorized... | The Accused Products, using an Access Control List, determine for each packet destined to the NAD whether it is authorized. | ¶20 | col. 7:56-59 |
| providing network access to said NAD when a request is authorized, and denying network access to said NAD when a request is not authorized... | The KEMP LoadMaster provides network access when a request is authorized and denies network access when a request is not authorized. | ¶20 | col. 8:27-30 |
| whereby the NAD is protected by a dedicated NAD firewall... from unauthorized network access requests originating at the... internal and external nodes of the network arrangement. | The KEMP LoadMaster itself is alleged to function as the dedicated NAD firewall, protecting the Web Access server from requests originating at internal, intermediate, and external nodes based on their IP addresses. | ¶20 | col. 2:1-4 |
- Identified Points of Contention:
  - Scope Questions: A central question may be whether the KEMP LoadMaster's Access Control List functionality meets the claim limitation of a "dedicated NAD firewall." The defense may argue that this is a standard feature of a load balancer, not the specific "second layer" of security wrapped "exclusively around a NAD" as described in the patent (’837 Patent, col. 8:62-64).
  - Technical Questions: The claim requires protection from internal nodes. The complaint alleges KEMP's own testing of its "#LoadMaster test racks" constitutes direct infringement (Compl. ¶23, Ex. H). However, a factual question remains as to whether the standard configuration of the Accused Products is set up to filter requests originating from within the trusted internal network, as opposed to primarily filtering external traffic.
’302 Patent Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| A network arrangement comprising: a network client and at least one network attached device (NAD) residing on a same network; a NAD server disposed between the network client and the NAD... | A KEMP LoadMaster (the NAD server) is disposed between a client and a Web Access server (the NAD), all residing on the same local area network (LAN). | ¶31 | col. 9:1-9 |
| ...determine whether the header of a received data packet... includes at least one of an IP address of a network source, an IP address of a network destination, and a route... | The KEMP LoadMaster includes instructions to process incoming packets and determine the presence of an IP Source Address field in the packet header. | ¶31 | col. 9:28-33 |
| ...determine whether the received request for network access to the NAD is authorized. | The KEMP LoadMaster references an Access Control List to determine whether the request for the Web Access server is authorized. | ¶31 | col. 9:39-44 |
| ...provide the network client with network access to the NAD only if the request for network access is authorized, such that the NAD is protected... in a manner that is in addition to any protection afforded by a firewall. | The instructions on the KEMP LoadMaster provide access to the Web Access server only if requests are authorized, which is alleged to be a protection "in addition to the protection afforded by a firewall as shown in Ex. E at 7." | ¶31 | col. 9:45-53 |
- Identified Points of Contention:
  - Scope Questions: The infringement theory may face scrutiny over the limitation "in addition to any protection afforded by a firewall." The complaint alleges both that the LoadMaster provides this "additional" protection and, in other sections, that the LoadMaster itself is the firewall (Compl. ¶31, 42). This raises the question of whether a single device's functionality can be both "a firewall" and "in addition to" a firewall, or if the claim requires two distinct security mechanisms.
  - Technical Questions: The complaint cites a diagram showing a perimeter firewall and then alleges the LoadMaster's instructions provide additional protection (Compl. ¶31; Ex. E at 7). The technical evidence will need to establish that the LoadMaster's filtering is a separate and distinct security function, not merely one component of a single, unified firewall system.
V. Key Claim Terms for Construction
The Term: "dedicated NAD firewall" (from ’837 Patent, claim 37)
Context and Importance: This term is the core of the invention claimed in the ’837 Patent. The outcome of the infringement analysis for this patent will likely depend on whether the functionality of the KEMP LoadMaster can be properly characterized as a "dedicated NAD firewall." Practitioners may focus on this term because it appears to require more than a general-purpose firewall.
Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: The specification describes the firewall component's function in broad terms as implementing "a series of tests to determine whether a data packet is valid" based on information in the packet header (’837 Patent, col. 2:15-24). This language could support an argument that any device component that performs header-based packet filtering for a NAD meets the definition.
- Evidence for a Narrower Interpretation: The specification repeatedly frames the invention as a "second layer of security" that "wraps a dedicated firewall around only an associated NAD" to protect it from threats that have already bypassed the main "bastion firewall" (’837 Patent, col. 3:7-11). This could support a narrower construction requiring a security function that is logically separate from, and secondary to, a primary network firewall.
The Term: "in addition to any protection afforded by a firewall" (from ’302 Patent, claim 1)
Context and Importance: This limitation is critical for distinguishing the claimed invention from a conventional, single-firewall network. To prove infringement, the plaintiff must show that the accused system provides protection that is separate and additional to other firewall protections.
Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: This phrase could be interpreted to mean any additional security rule or check, even if implemented on the same physical appliance that performs other firewall functions. The complaint appears to adopt this view by alleging the LoadMaster itself provides this "additional" protection (Compl. ¶31).
- Evidence for a Narrower Interpretation: The patent’s background explicitly contrasts the invention with the conventional view that "a second layer of security is redundant with the bastion firewall" (’302 Patent, col. 1:55-58). This suggests the invention is meant to be a non-redundant, distinct layer of security, which could require evidence of two separate protective mechanisms.
VI. Other Allegations
- Indirect Infringement: The complaint alleges that KEMP induces infringement by "actively and knowingly inducing, directing, causing, and encouraging" customers and partners to use the Accused Products in an infringing manner. This is allegedly done by providing instructional materials such as deployment guides, installation guides, and instructional videos on its website (Compl. ¶25, 36, 47, 58).
- Willful Infringement: The complaint alleges willful infringement for all four patents. The basis for willfulness is KEMP's alleged knowledge of the patents-in-suit as of FireNet's notice letter dated April 12, 2018, and its continued alleged infringement thereafter (Compl. ¶12, 28, 39, 50, 61).
VII. Analyst’s Conclusion: Key Questions for the Case
- A core issue will be one of definitional scope: can the KEMP LoadMaster's standard Access Control List feature be construed as the "dedicated NAD firewall" that provides a "second layer" of protection "in addition to" a primary firewall, as specifically required by the patent claims? Or is this an attempt to apply the patent's specific security architecture to a general-purpose networking feature?
- A key evidentiary question will be one of technical function: what evidence demonstrates that the Accused Products are configured and used to protect against internal network threats, as described in the patents, rather than solely filtering traffic from the external network? The complaint's allegations of direct infringement based on KEMP's professional services and internal testing will require factual development to substantiate this point (Compl. ¶21, 23).
- A threshold legal question will be the viability of the ’600 patent claim: given the post-filing cancellation of asserted claim 8 in an inter partes review, the court must determine the legal effect of this cancellation on the pending infringement count, which may render that portion of the suit moot.