DCT

2:19-cv-00384

Longhorn HD LLC v. Check Point Software Tech Ltd


I. Executive Summary and Procedural Information

  • Parties & Counsel:
  • Case Identification: 2:19-cv-00384, E.D. Tex., 11/20/2019
  • Venue Allegations: Plaintiff alleges venue is proper because Defendant is not a resident of the United States and may be sued in any judicial district pursuant to 28 U.S.C. § 1391(c)(3).
  • Core Dispute: Plaintiff alleges that Defendant’s network security products, including its firewalls, gateways, and VPN solutions, infringe five U.S. patents related to IP address mapping, secure remote access between intranets, mobile workgroup systems, intrusion detection, and process-based communication controls.
  • Technical Context: The patents-in-suit address fundamental aspects of network security, a technology domain critical for protecting enterprise data and infrastructure from unauthorized access and cyberattacks.
  • Key Procedural History: The complaint asserts independent claims from five patents. Subsequent to the filing of the complaint, the asserted independent claim in each of the five patents-in-suit appears to have been either cancelled in a USPTO reexamination proceeding or disclaimed by the patent owner. Specifically, U.S. Patent No. 6,421,732 claim 1, U.S. Patent No. 6,643,778 claim 1, U.S. Patent No. 7,260,846 claim 7, and U.S. Patent No. 7,343,421 claim 90 were cancelled in separate reexamination or review proceedings. U.S. Patent No. 6,954,790 claim 1 was disclaimed. The continued viability of the lawsuit may depend on whether Plaintiff can proceed on other, unasserted claims from these patents.

Case Timeline

Date | Event
1998-08-27 | U.S. Patent No. 6,421,732 Priority Date
1998-10-23 | U.S. Patent No. 6,643,778 Priority Date
2000-02-14 | U.S. Patent No. 7,343,421 Priority Date (Filing Date)
2000-12-05 | U.S. Patent No. 6,954,790 Priority Date (Filing Date)
2002-07-16 | U.S. Patent No. 6,421,732 Issued
2003-11-04 | U.S. Patent No. 6,643,778 Issued
2005-10-11 | U.S. Patent No. 6,954,790 Issued
2006-03-03 | U.S. Patent No. 7,260,846 Priority Date (Filing Date)
2007-08-21 | U.S. Patent No. 7,260,846 Issued
2008-03-11 | U.S. Patent No. 7,343,421 Issued
2019-11-20 | Complaint Filed

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 6,421,732 - IPNet Gateway

  • Issued: July 16, 2002
  • The Invention Explained:
    • Problem Addressed: The patent addresses the problem of the diminishing supply of available Internet Protocol (IP) addresses as the Internet grew in popularity (’732 Patent, col. 1:19-23).
    • The Patented Solution: The invention proposes a gateway system that maps multiple servers on a private network, which use local IP addresses, to a single publicly visible IP address (’732 Patent, Abstract). When an external client requests the address of a private server via a Domain Name Service (DNS) query, the gateway intercepts the request and returns its own public IP address. The gateway then enters a waiting state, anticipating a connection request from that client, which it subsequently relays to the correct internal server, acting as an intermediary (’732 Patent, col. 2:7-21).
    • Technical Importance: This technology, a form of Network Address Translation (NAT), allowed organizations to greatly expand their internal networks using private IP address ranges while consuming only a small number of public IP addresses, a critical factor in managing the scarcity of the IPv4 address space (Compl. ¶14).
  • Key Claims at a Glance:
    • The complaint asserts independent claim 1 (Compl. ¶23).
    • The essential elements of claim 1 include:
      • receiving a first address request originating from outside a network for an address of a first entity, where the request identifies the entity by a domain name;
      • responding by providing a first address that is not unique to the first entity within the network;
      • receiving a communication request for the first entity from a second entity; and
      • establishing communication between the first and second entities only if the second entity "caused" the first address request.

U.S. Patent No. 6,643,778 - Network System Using A Firewall Dynamic Control Method

  • Issued: November 4, 2003
  • The Invention Explained:
    • Problem Addressed: The patent identifies the difficulty of applying traditional firewall models, which are often rigid, to "extranets" where multiple corporate intranets need to connect dynamically and flexibly (’778 Patent, col. 2:5-39).
    • The Patented Solution: The invention describes a system where two intranets are connected via the internet, each protected by a dynamic proxy server acting as a firewall (’778 Patent, Abstract). To enable secure, on-demand access, a "remote access terminal" on the first intranet can request a service located on the second intranet. A local "object directory server" determines the service's location, and if it is on the second intranet, a corresponding directory server there "dynamically install[s] a service proxy" on its firewall to enable the specific communication session (’778 Patent, col. 2:43-56).
    • Technical Importance: This method provides a framework for creating flexible and secure Virtual Private Networks (VPNs) that can grant access to services across organizational boundaries without requiring static, pre-configured firewall rules for every possible interaction (Compl. ¶15).
  • Key Claims at a Glance:
    • The complaint asserts independent claim 1 (Compl. ¶31).
    • The essential elements of claim 1 include:
      • A system with a first and second Intranet connected via the internet.
      • A first dynamic proxy server forming a firewall for the first Intranet.
      • A second dynamic proxy server forming a firewall for the second Intranet.
      • A remote access terminal connected to the first Intranet.
      • A first object directory server in the first Intranet to determine if a requested service is local or on the second Intranet.
      • A second object directory server in the second Intranet that "dynamically install[s] a service proxy" on the second dynamic proxy server when the requested service is provided in the second Intranet.

U.S. Patent No. 6,954,790 - Network-Based Mobile Workgroup System

  • Issued: October 11, 2005 (Compl. ¶9)
  • Technology Synopsis: The technology provides a secure mobile workgroup system where users can maintain a continuous and secure VPN connection even as their physical point of network attachment changes (e.g., moving between Wi-Fi and cellular networks). The system uses firewall filters and route policies tied to a unique user identifier to enforce security across these transitions (’790 Patent, Abstract).
  • Asserted Claims: Claim 1 (Compl. ¶40).
  • Accused Features: The complaint alleges that Check Point's mobile VPN solutions, including Remote Access Clients and Gateway/Firewall units, implement the claimed system by providing continuous VPN access to mobile clients, using identifiers like MAC addresses, and enforcing security with firewall rules (Compl. ¶¶40-42).

U.S. Patent No. 7,260,846 - Intrusion Detection System

  • Issued: August 21, 2007 (Compl. ¶10)
  • Technology Synopsis: The patent describes an intrusion detection system (IDS) that applies machine learning to identify network threats. The system parses network packets, stores individual data components, constructs multi-dimensional vectors from that data, and uses multi-variate analysis and clustering algorithms to detect anomalous correlations that may indicate a network attack (’846 Patent, Abstract).
  • Asserted Claims: Claim 7 (Compl. ¶51).
  • Accused Features: The complaint accuses Check Point's Intrusion Prevention Systems (IPS), including its CADET Technology, of infringing by monitoring traffic, parsing packets, and applying machine learning to construct and analyze multi-dimensional vectors to identify and classify anomalous behavior (Compl. ¶¶52-54).

U.S. Patent No. 7,343,421 - Restricting Communication of Selected Processes to a Set of Specific Network Addresses

  • Issued: March 11, 2008 (Compl. ¶11)
  • Technology Synopsis: This patent discloses a method for enhancing server security by restricting a given software process (e.g., a web server process) to communicating only through a pre-defined set of specific network addresses. The system intercepts communication attempts and prevents any communication from a selected process via an unassociated address (’421 Patent, Abstract).
  • Asserted Claims: Claim 90 (Compl. ¶63).
  • Accused Features: The complaint alleges that Check Point Gateway and Firewall units infringe by providing functionality to associate processes like HTTP with specific network addresses (e.g., a MAC address) and preventing those processes from communicating via any unassociated address (Compl. ¶63).

III. The Accused Instrumentality

Product Identification

  • The accused instrumentalities are a broad range of Defendant’s security products, including Check Point Next Generation Firewalls (NGFWs), Security Gateway devices, Network Threat Prevention devices and services, and various appliance series (e.g., R75, R76, R77, R80, 1400 Series, etc.) (Compl. ¶19).

Functionality and Market Context

  • These products provide comprehensive, enterprise-grade network security functionalities. The complaint alleges these products incorporate features for firewalling, VPN and IPSec connectivity, DNS services, intrusion detection and prevention (IDS/IPS), and mobile security. The complaint asserts these functionalities are central to the products' purpose of securing customer networks (Compl. ¶19).

IV. Analysis of Infringement Allegations

U.S. Patent No. 6,421,732 Infringement Allegations

Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation
receiving a first address request originating from outside said network...identifies said first entity with a domain name for said first entity | The Accused Products' Security Gateway receives a DNS query for a domain name (e.g., www.example.com) from a user on the Internet. A network diagram in the complaint illustrates this process (Compl., Figure 4-2). | ¶24 | col. 8:9-13
responding to said first address request, including providing a first address that is not unique to said first entity within said network | The Security Gateway's integrated mini-DNS server responds to the DNS query with the gateway's own IP address, which is not unique to the target server inside the network. | ¶25 | col. 8:1-4
receiving a request for communication with said first entity, said request for communication is from a second entity | After receiving the gateway's IP address, the user's client sends a request for communication to that address. | ¶25 | col. 8:5-8
establishing communication between said first entity and said second entity if said second entity caused said first address request | The Accused Products establish communication between the external user and the internal server, acting as a forwarder of information. | ¶25 | col. 8:5-8

Identified Points of Contention

  • Scope Questions: A central question may be the interpretation of the limitation "if said second entity caused said first address request." The patent specification describes specific methods like "IP Network Matching" and "DNS Authority Matching" to establish this causal link (’732 Patent, col. 3:44-67). The dispute may focus on whether the accused products perform a sufficiently rigorous check to meet this element or if a simpler correlation suffices.
  • Technical Questions: What evidence does the complaint provide that the accused gateway verifies that the entity initiating the communication request is the same one that originated or prompted the DNS request? The complaint describes the workflow but offers limited detail on the specific verification mechanism.

U.S. Patent No. 6,643,778 Infringement Allegations

Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation
a first Intranet and a second Intranet connected to each other with the internet as a base | The Accused Products are used to create a Virtual Private Network (VPN) that securely connects geographically separate networks over the public Internet. The complaint includes a diagram of this VPN tunnel concept (Compl., Figure 7-1). | ¶32 | col. 2:44-46
a first dynamic proxy server for forming a firewall to protect said first Intranet | A Check Point Security Gateway unit at one end of the VPN acts as the first dynamic proxy server. | ¶33 | col. 2:46-48
a second dynamic proxy server for forming a firewall to protect said second Intranet | A second Check Point Security Gateway unit at the other end of the VPN acts as the second dynamic proxy server. | ¶33 | col. 2:48-50
a remote access terminal connected to said first Intranet | A remote user, such as an "SSL VPN user," connects to the first Security Gateway. | ¶34 | col. 2:50-51
a first object directory server...for judging whether a service requested...is provided in said first Intranet or...second Intranet | The Security Gateway includes a "directory of resources" and, when a remote user connects, can query resources on the second intranet, such as an LDAP server, to authenticate the user and locate services. This is depicted in a network diagram (Compl., Figure 8-1). | ¶35 | col. 2:51-54
a second object directory server...to dynamically install a service proxy...when said service is provided in said second Intranet | The complaint alleges the Security Gateway includes a second object directory server that dynamically installs a service proxy, stating that "services and objects provided by the unit can be dynamic." | ¶35 | col. 2:54-56

Identified Points of Contention

  • Scope Questions: Does the functionality described in the complaint—a gateway containing a "directory of resources" and querying an external LDAP server—meet the claim definitions of a "first object directory server" and a "second object directory server"?
  • Technical Questions: What is the specific mechanism by which a "service proxy" is "dynamically install[ed]"? The infringement analysis may turn on whether the accused products load a new software object or module in response to a request, versus merely activating or configuring a pre-existing, generic forwarding path.

V. Key Claim Terms for Construction

Patent: ’732 Patent

  • The Term: "if said second entity caused said first address request"
  • Context and Importance: This clause is the security linchpin of the claim, ensuring that the gateway only connects parties that have participated in the initial DNS handshake. The definition of "caused" is critical to determining the scope of infringement, as it dictates the level of proof required to link the DNS query to the subsequent connection attempt.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The plain language of "caused" may not require a cryptographic or direct identity match. The specification's discussion of "IP Network Matching," where the entities merely need to be on the same network subnet, could support a broader construction that allows for indirect causation (’732 Patent, col. 3:52-59).
    • Evidence for a Narrower Interpretation: The specification also details a more rigorous "DNS Authority Matching" process, which involves multiple reverse lookups and comparisons of DNS authority records (’732 Patent, col. 3:60-67). This specific embodiment could be used to argue for a narrower construction requiring a more definitive, verifiable link.

Patent: ’778 Patent

  • The Term: "dynamically install a service proxy"
  • Context and Importance: This term describes the core action that enables flexible, on-demand secure access across intranets. The case may hinge on whether the accused product's operation constitutes "installing" a "proxy" or simply enabling a pre-configured rule. Practitioners may focus on this term because it distinguishes the invention from static firewall configurations.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The term could be construed to cover any dynamic configuration change made in response to a service request that enables a new communication path, such as modifying a rule set or an access control list. The patent abstract refers to this as part of a "dynamic control method."
    • Evidence for a Narrower Interpretation: The specification repeatedly uses object-oriented terminology, describing how a "service proxy object 102 is dynamically installed within server 101" (’778 Patent, col. 3:52-54, Fig. 1). This language may support a narrower construction requiring the instantiation or loading of a distinct software object or module, not just the modification of a data table.

VI. Other Allegations

  • Indirect Infringement: The complaint alleges induced infringement for the ’790, ’846, and ’421 patents. The allegations are based on Defendant providing infringing products to end-users and directing them on how to use the infringing functionality through materials such as user manuals and marketing documents (Compl. ¶43, ¶55, ¶64).
  • Willful Infringement: For the ’790, ’846, and ’421 patents, the complaint alleges Defendant had knowledge of infringement "at least as of the date of this Complaint" (Compl. ¶44, ¶56, ¶65). This phrasing suggests an allegation of post-suit willful infringement.

VII. Analyst’s Conclusion: Key Questions for the Case

  • A threshold issue will be one of claim viability: given that all five asserted independent claims appear to have been cancelled or disclaimed in USPTO proceedings after the complaint was filed, a central question is whether Plaintiff has a valid cause of action or can amend its complaint to assert other, surviving claims.
  • A core technical issue for the ’732 patent will be one of causal linkage: what specific technical mechanism must the accused gateway employ to satisfy the requirement that it confirms the entity making a connection request is the one that "caused" the initial DNS query?
  • A key evidentiary question for the ’778 patent will be one of dynamic functionality: does the accused system "dynamically install a service proxy" by creating and loading a new software object in response to a request, or does it merely activate a pre-existing forwarding rule, and would the latter fall within the scope of the claim?