Juniper Networks Vs. Palo Alto Networks

| About: Palo Alto (PANW)
This article is now exclusive for PRO subscribers.

The idea behind the founding of Palo Alto Networks (NYSE:PANW) in 2005 was a simple one - the creation of a next generation firewall product capable of securing a customer's network that is not based on port traffic classification, but rather on application identification, regardless of port, protocol or SSL. For non-techies out there, their unique firewall controls what traffic is or is not allowed on a network by deploying policies to deny unwanted applications, while allowing specific applications or functions through, regardless of their location, device or what port they are trying to access. Since launching its first firewall product in 2007, the company has enjoyed tremendous success, culminating in its July 20, 2012 initial public offering. Palo Alto's market cap has reached as high as $5.3B, and the company has enjoyed a favorable balance sheet on the success of its commercial offerings. Such success, however, was not overlooked by Palo Alto's major competitor - Juniper Networks (NYSE:JNPR) - which decided to spoil the party prior to Palo Alto's IPO by filing a patent infringement complaint on December 19, 2011 in the United States District Court for the District of Delaware, which is a popular forum for patent infringement cases.

In its complaint, Juniper asserted six patents relating to firewall technology against almost the entire line of Palo Alto's hardware products: PA-5000 (depicted), PA-4000 and PA-2000 Series Firewalls, PA-500 Firewall and PA-200 Firewall. The case is ongoing and -- critically for investors - there is a very important hearing in the case scheduled for November 15, 2013.


Before we discuss the hearing in greater detail, it is important to provide a fuller picture of the case background. After filing its initial complaint, Juniper subsequently amended its Complaint on September 25, 2012 and added two more patents and dropped one. The final seven asserted patents remaining in the case include:

8,077,723 - (Nir Zuk, Yuming Mao) Packet processing in a multiple processor system;

7,779,459 - (Yuming Mao et al.) - Method and apparatus for implementing a layer 3/layer 7 firewall in an L2 device;

7,650,634 - (Nir Zuk) - Intelligent integrated network security device;

7,302,700 - (Yuming Mao et al.) - Method and apparatus for implementing a layer 3/layer 7 firewall in an L2 device;

6,772,347 - (Ken Xie, Yan Ke, Yuming Mao) - Method, apparatus and computer program product for a network firewall;

7,734,752 - (Nir Zuk, Yuming Mao, Kowsik Guruswamy) - Intelligent integrated network security device for high-availability applications;

7,107,612 - (Ken Xie, Yan Ke, Yuming Mao) - Method, apparatus and computer program product for a network firewall.

Other than the high stakes for investors, particularly those in Palo Alto, what makes this case so interesting is not so much the patents or technology at issue, but their inventors. Some facts are in dispute and we will go over the two versions of Palo Alto's story, but what's undisputed is that the company was founded by ex-Juniper employees who are also the named inventors of the asserted patents.

The Palo Alto Networks Origin Story

Juniper's Story - Palo Alto Networks was founded by several former high-level employees of Juniper, including Nir Zuk and Yuming Mao, who first came to Juniper via its acquisition of Netscreen, a manufacturer of high-end network security devices, for $4 billion in April of 2004. NetScreen's intellectual property rights were included as a part of this acquisition. By 2006, May and Zuk had left Juniper to start Palo Alto, which would compete with Juniper in providing firewall technologies. Palo Alto's website identifies Zuk as Palo Alto's "Founder and CTO" and a member of its Board of Directors and Mao as Palo Alto's "Founder and Chief Architect."

Palo Alto's Story - Zuk left Juniper in February of 2005 to start Palo Alto and develop a next generation security switch. By December 2005, Zuk, together with three other engineers, Dave Stevens, Gerhard Eshelbeck and Fenming Gong, developed a detailed business plan and architectural scheme for their next generation firewall idea. It was not until January of 2006 that Mao left Juniper to work at Palo Alto. According to Juniper, Mao has never been an officer of Palo Alto and has never served on its board of directors.

Obviously, the scandalous part of the competing stories is whether Mao is indeed a founder and what exactly was his role, if any, in getting Palo Alto off the ground.

Right from the start, Juniper has aggressively tried to shut down Palo Alto's defenses. On February 28, 2012, Juniper filed a motion to strike under Rule 12(f) of the Federal Rules of Civil Procedure against Palo Alto's affirmative defense of invalidity based on assignor estoppel. Briefly, the doctrine of assignor estoppel prevents an entity that assigns away its patent to subsequently claim that patent is invalid, or not inventive or novel, after being sued for infringing it. In this particular case, Nir Zuk and Yuming Mao previously worked at NetScreen. While employed there, they were named as inventors on a number of patents. NetScreen assigned those patents to Juniper during its $4B acquisition of NetScreen. Zuk and Mao joined Juniper as part of the acquisition, but later left to start Palo Alto, which is now being sued by Juniper-basically for the very patents that founders of Palo Alto invented. In response to Juniper's allegations that Palo Alto is infringing the patents, Palo Alto has claimed, as a defense, that the patents are invalid. This is an extremely common and advisable approach for an accused infringer to adopt after being sued for patent infringement-claim the patents are invalid. What's curious about this case, however, is that Palo Alto is essentially arguing that patents that it itself invented (through the work of its former employees) are invalid.

Juniper is calling Palo Alto out on that. Juniper is contending, based on the Federal Circuit precedent established in Diamond Scientific Co. v. Ambico, Inc., 848 F.2d 1220, 1224 (Fed. Cir. 1988), that Palo Alto is estopped from attempting to invalidate the asserted patents, thus rendering its defense of invalidity insufficient as a matter of law. The Diamond case requires three dispositive findings, which according to Juniper are satisfied here: (1) the inventor assigned his patent rights for valuable consideration; (2) the inventor executed an inventor's oath averring that he was the first and true inventor; (3) the accused infringer was in privity with the inventor.

If Juniper wins this argument, the down-side risk for Palo Alto cannot be overstated. A party accused of patent infringement typically has two fundamental defenses at its disposal: (1) it is not infringing the patents; and (2) even if it is infringing, the patents are invalid. Defendants typically pursue both of these defenses in parallel through the course of a litigation. The good news for defendants is that they only need to win one of these defenses-non-infringement or invalidity-to win the case. Here, however, Juniper is seeking to strip Palo Alto, right from the start, of one of its two principal defenses. If Juniper wins, Palo Alto will only be able to rely upon a defense of non-infringement. That may prove challenging given that it drafted the very patents it is being accused of infringing with an eye towards the products it intended to establish and market.

The judge presiding over the case, the Honorable Judge Sue L. Robinson, having heard Juniper's motion, has already ruled in favor of Juniper with respect to at least one of the patents-the '634 patent. For this patent, Nir Zuk is the only named inventor. Nir Zuk, the founder and Chief Technology Officer of Palo Alto, had assigned to NetScreen the application for the '634 patent and signed the inventor's oath. NetScreen, in turn, assigned the patent to Juniper. However, with respect to the other patents, Judge Robinson postponed her decision. She did so on account of finding questions of fact with regard to whether Juniper satisfied each of the Diamond Scientific factors, including whether privity between Palo-Alto and Mao existed for each of the patents and whether those patents were adequately assigned or included sufficient oaths of inventorship. According to Judge Robinson, such factual issues precluded resolution at the pleading stage. Nevertheless, this fight is not over. Upon greater development of the factual record, Juniper will be able to re-raise its argument at a later time.

Juniper's limited win at such an early stage of the proceedings cannot be overstated. Juniper effectively neutered all Palo Alto's invalidity defenses with respect to at least one patent. If at least one claim of the '634 patent is found to be infringed, Palo Alto may be facing an injunction, past damages and future royalties without being able to put forward any invalidity defenses.

The above, however, was only a prelude to what will be the most important oral argument in the case - the combined Claim Construction hearing and multiple cross Summary Judgment Motions hearing on November 15, 2013. So what's at issue?

Claim Construction

During a claim construction hearing, the court decides the parameter and scope of the asserted claims. A narrow construction makes it easier for a defendant to prove they don't infringe the patent, whereas a broad reading makes it easier for a defendant to prove the patent is invalid. To put it another way, a narrow construction makes it easier for the patent holder to defeat any claim of invalidity, whereas a broad ruling makes it easier for the patent holder to prove infringement. Claim construction hearings are also frequently referred to as a Markman hearing - the name which was born from a Supreme Court decision in 1996 holding that courts are better suited than juries for determining the scope of the claims and setting the job squarely on the shoulders of the judges. See Markman v. Westerview Instruments, Inc., 517 U.S. 370 (1996).

Both parties submitted their Claim Construction briefs (which can be read here and here) and we will cover the crux of their arguments here.

U.S. Patent No. 7,650,634 describes the use of a "single flow record" for a plurality of network security devices to achieve faster response time.

The key term which is in dispute here is "two or more security devices." Palo Alto has taken the position that the term should mean: "at least two physically distinct structures each of which performs a security function." Juniper's position is that the term does not need construction, but in the alternative, should be construed as "hardware, firmware, software, or combinations thereof for performing security functions." According to Juniper, this term could include one or more programmable processors executing a computer program for performing security functions.

The dispute here is clear - Juniper wants a broader definition so that the asserted claims cover not only distinct physical processors each running its own computer program, but also multiple software applications running on a single processor or device, which in this case is a firewall or IPS (intrusion prevention system).

U.S. Patent No. 7,107,612 - Describes approaches for dynamically generating rules based on data received by a network instead of using a fixed set of rules.

The key term at issue in this patent is "rule." While Juniper offers no construction, Palo Alto proposes to construe the term as "a policy for filtering packets across multiple sessions, as distinct from a lookup table." This is not surprising since such a definition would narrow the claim and specifically exclude a lookup table from the claim's scope. Juniper counters with Palo Alto's own expert's admission that rules are just another general data structure and can be stored in a hash table.

U.S. Patent No. 6,772,347 - Describes efficient packet filtering in a firewall by initially denying or allowing packets using access control list engine and sorting them accordingly by either allowing to pass or finally denying .

The key term in dispute in the '347 patent is "sorting packets into … initially denied packets." Juniper believes no construction is necessary, while Palo Alto proposes the term to mean: "applying rules to make a first determination that identifies packets to be dropped." Palo Alto bases its argument on the patent specification which discloses the initial denial by the ACL engine as the identification of packets to be initially denied. However, no packets are dropped during that phase, but in fact proceed to a dynamic filter which allows some of the initially denied packets to pass through the firewall. Packets are "dropped" only after they've been sorted during the second phase.

The above are just the exemplary terms of three of the seven asserted patents. Below are the rest of the patents and some of the key disputed terms:

U.S. Patent No. 7,734,752 - Discloses an apparatus and method for sharing information between two security systems to provide protection during failure. The key terms in this patent are the primary and secondary portions that store information associated with the operation of the first device implemented session module when the primary security system is operating in a primary security mode (for primary portion) or in a failover mode (for secondary portion).

U.S. Patent No. 8,077,723 - Discloses the use of tags to improve the efficiency of packet processing in a system containing multiple processing engines. The key terms here are the "first engine," "second engine" and "a tag." Palo Alto wants to limit these terms to be associated with a software program without encompassing any hardware.

U.S. Patent No. 7,779,459 - Discloses processing of inter and intra-zone packets, where inter-zone traffic passes between distinct security domains an intra-zone traffic remains within a security domain. The key term here is "security screening" which Palo Alto wants to limit to mean "inspection to determine whether a packet should be dropped," while Juniper's strategy is to define this term simply as an application of one or more security policies.

We won't go into the specifics of each term, but as can be observed from the constructions above, Juniper's strategy is to broaden the claim scope as much as possible without intruding on prior art, while Palo Alto's strategy is to narrow the scope and avoid the infringement in the process. The outcome of the construction rulings will directly impact the summary judgment motions brought by the parties.

(1) Juniper' Motion for Summary Judgment of Infringement

With this motion Juniper is attempting to get a decision on some key infringement issues early without getting to the trial phase of the case. To be successful, Juniper must show that there is no genuine dispute as to any material fact and it is entitled to judgment as a matter of law. The following are the issues to be decided:

Infringement of the '612 patent. Juniper bases its argument on its claim construction of the term "rule" discussed above and certain admissions by Palo Alto. Interestingly, Juniper's brief now includes the PA-3000 series firewall as well, thus encompassing Palo Alto's entire product line.

Infringement of the '347 patent. The argument is based on the claim constructions discussed above and specifically on Palo Alto's own expert's admissions with respect to the packets never initially denied.

Infringement of the '459 patent. Once again the argument hinges solely on the construction of "security screening."

Partial summary judgment of infringement as to "security device" and "engine" elements of the '634 and '723 patents. Juniper argues that judgment should be granted if Palo Alto's constructions are rejected since Palo Alto products would satisfy those elements.

Partial summary judgment of infringement to certain other claim elements: "two or more security devices" of the '634 patent; "engine" elements of the '723 patent; and other undisputed independent claim elements. Juniper argues that such determinations would streamline the trial.

2) Palo Alto Networks' Cross-Motion for Summary Judgment of Non-Infringement

While opposing Juniper's motion, Palo Alto filed its own cross-motion for summary judgment of non-infringement on all of the asserted patents. Its argument is simple - if the court adopts Palo Alto constructions, based on Juniper's current infringement theories summary judgment of non-infringement will be appropriate.

3) Palo Alto Networks' Motion for Summary Adjudication of Anticipation and Obviousness of the '612 and '347 Patents

In this motion Palo Alto argues that under Juniper's broad reading of the claims, prior art anticipates or renders obvious two of the patents at issue. Palo Alto cites an article "Enhance Network Security with Dynamic Packet Filter" authored by Heikki Julkunen and C. Edward Chow in April 1997. According to Palo Alto, Julkunen discloses the use of a "dynamic packet filter" claimed in the '612 patent. Palo Alto also cites the U.S. Patent No. 6,377,577 to Bechtolsheim filed on June 30, 1998 as 35 U.S.C. 102(e) prior art to the '347 patent because it allegedly discloses the two-pass filtering system which controls which packets are permitted into and out of a network by using rules within an access control list and sorting incoming packets into initially allowed and initially denied packets.

4) Juniper Networks' Cross-Motion for Summary Adjudication of the Anticipation Defenses raised in Palo Alto's motion.

Juniper opposed the above-mentioned Palo Alto's invalidity motion, but also cross-moved to adjudicate Palo Alto's anticipation defenses. Specifically, Juniper argued that Palo Alto is estopped from asserting invalidity based on the doctrine of assignor estoppel; Palo Alto's failed to disclose the opinions and evidence supporting its motion; Palo Alto failed to produce evidence that the Julkunen reference is a prior art printed publication that was accessible to the public; Palo Alto failed to establish by clear and convincing evidence that the cited prior art discloses all of the limitations and finally, Palo Alto's obviousness inquiry failed to provide evidence of motivation to combine the references.

5) Juniper Networks' Motion for Summary Judgment of Assignor Estoppel

This motion follows in the steps of Juniper's earlier motion to strike where Judge Robinson tipped off the parties that the decision will be made at the summary judgment stage. Juniper argues that the undisputed facts in this case establish assignor estoppel in at least three ways. First, Palo Alto's admissions that Yuming Mao assigned the Mao patents to Juniper and has the status of "founder" at Palo Alto establish privity for assignor estoppel. Second, the fact that Palo Alto availed itself of Mao's knowledge and assistance to develop the accused products is also dispositive of privity. Third, and specifically for the '723 patent co-invented by Mao and co-founder Nir Zuk, this Court already held that Zuk and Palo Alto are in privity and now the facts establish that Zuk assigned this invention to Juniper.

This motion may be the most troublesome for Palo Alto and may be devastating to their overall invalidity case. Having already partially succeeded with respect to the '634 patent, Juniper is now going for the jugular with respect to all of the asserted patents.

As can be seen, the hearing on November 15th has the potential to be a "make-or-break" type event on both sides. Given that the hearing may prove dispositive for many issues in the case, it is imperative for an investor in Palo Alto to be prepared for movement in the stock, up or down, following the results of this hearing. When the Judge rules, there will likely be significant price movement for investors to contend with, especially for investors in Palo Alto if the ruling goes against the company. This case presents yet another example of how, despite all the hype and bluster regarding patent troll lawsuits, patent litigation between operating competitors can and should not be ignored by investors in technology companies.

We thank Dan Ravicher for his review and comment on a draft of this article.

Disclosure: I have no positions in any stocks mentioned, and no plans to initiate any positions within the next 72 hours. I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it (other than from Seeking Alpha). I have no business relationship with any company whose stock is mentioned in this article.