1. Technical Field
The present invention relates to a network apparatus with a secure IPSec mechanism and a method for operating the same, and more particularly to a network apparatus that provides physical separation between a VPN and other networks before a message is sent to an IPSec channel. The IPSec channel can therefore be accessed securely, and the network apparatus is applicable to both a household network and a VPN.
2. Description of the Prior Art
The progress of network technology and the prevalence of computers have produced technologies that compete with conventional communication networks. For example, the VPN (virtual private network) is a replacement technology for the conventional modem and leased line. Via a VPN, data, voice and images can be communicated, in a point-to-point manner, between two computers through a shared, public network.
VPNs are of commercial interest not only for convenience in data transmission, but also for reduced hardware cost and communication overhead. VPNs now have extensive applications, including customer-managing VPNs provided by service providers for personal users and enterprise VPNs for company users.
In other words, a VPN provides a convenient means of communication between a home worker or branch office and headquarters. FIG. 1 shows a prior art VPN topology, wherein three home computers are connected to the Internet through a gateway A. The gateway A is connected to a gateway B through an IPSec channel. Therefore, a VPN host in the user's home can be connected to the company intranet through the IPSec channel.
The IPSec channel provides secure data transmission between gateway A and gateway B. However, as shown in FIG. 2, there is no particular mechanism to separate the VPN host from the other computers in the home. The messages and packets sent by the VPN host are at risk of being eavesdropped on or captured by other computers in the same home before they are sent to the gateway A. In other words, the VPN host and the company intranet are open to other computers in the same home.
For example, a user C of a high-tech company deals with office work at home, and the user C uses a notebook computer configured as a VPN host for accessing the company VPN. In a scenario where another user D also uses a computer in the same home as user C to access the network, the data that user C uploads to or downloads from the company VPN may be easily eavesdropped on by user D.
Therefore, a security mechanism for protecting the channel between the VPN host and gateway A is highly desirable. Moreover, physical separation between the VPN and other networks is also demanded for enhanced security.