Most companies today use Virtual Private Networks (VPNs) for remote users to connect to the enterprise, but few companies encrypt network traffic internally. So why would universal encryption be a good idea? Because perimeter defenses have become so good that most security breaches these days happen when the instigator is already inside the network, having got there through phishing, SQL injection, or a buffer overflow. Once inside, with escalated privileges or access to a vulnerable switch, they can then monitor all traffic.
But let’s back up for a minute and consider VPNs. A VPN is a ‘tunnel’ within the data stream, isolated from the rest of that stream by encryption. It is only a ‘virtual’ tunnel, since its packets travel alongside everyone else’s, but it is logically isolated from those other packets because its contents are not in cleartext. The headers of its packets state where each packet comes from, where it is going, its position in the stream, and details of the encryption in use, but the payload of each packet is encrypted using the cipher, hash, and handshake parameters that both ends agreed on at the start of the session. IPSec is not traditional encapsulation, where a packet is wrapped in an encryption protocol which may in turn be wrapped in yet another protocol; in transport mode, IPSec packets flow as normal packets, only with their payload encrypted.
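The header-in-clear, payload-encrypted split described above can be shown in a few dozen lines. The following Go program is an added example, not code from the article or from any IPSec implementation: it models a transport-mode packet with a simplified, constructed header (addresses, SPI, sequence number), seals the payload with AES-GCM from the standard library, and shows what a passive observer on the path sees versus what the far end recovers. The session key is supplied directly rather than negotiated by an IKE handshake, and the whole cleartext header is bound as associated data, which is a simplification (ESP authenticates only its own SPI and sequence number, not the outer IP addresses).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Header models the cleartext fields of a transport-mode packet: the IP
// addresses stay readable so routers can forward it, while the SPI and
// sequence number identify the security association and the packet's
// position in the stream. Constructed, simplified layout for this example.
type Header struct {
	Src, Dst [4]byte
	SPI      uint32
	Seq      uint32
}

// Bytes serialises the header. These bytes are visible to anyone on the path.
func (h Header) Bytes() []byte {
	b := make([]byte, 16)
	copy(b[0:4], h.Src[:])
	copy(b[4:8], h.Dst[:])
	binary.BigEndian.PutUint32(b[8:12], h.SPI)
	binary.BigEndian.PutUint32(b[12:16], h.Seq)
	return b
}

// Packet is a cleartext header plus an encrypted, authenticated payload.
type Packet struct {
	Header  Header
	Nonce   []byte // per-packet IV, sent in the clear
	Payload []byte // ciphertext followed by the 16-byte GCM tag
}

// Session holds the AEAD both ends agreed on at session setup. The key is
// handed in directly here; a real VPN derives it from the IKE handshake.
type Session struct {
	aead cipher.AEAD
}

// NewSession builds an AES-GCM session from a 16-, 24- or 32-byte key.
func NewSession(key []byte) (*Session, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Session{aead: aead}, nil
}

// Seal encrypts the payload and binds it to the cleartext header as
// associated data, so a packet whose header is altered in flight fails
// verification. Simplification: ESP covers only its SPI and sequence number.
func (s *Session) Seal(h Header, plaintext []byte) (Packet, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Packet{}, err
	}
	ct := s.aead.Seal(nil, nonce, plaintext, h.Bytes())
	return Packet{Header: h, Nonce: nonce, Payload: ct}, nil
}

// Open verifies the tag and decrypts; any change to header or payload
// yields an error rather than garbled plaintext.
func (s *Session) Open(p Packet) ([]byte, error) {
	return s.aead.Open(nil, p.Nonce, p.Payload, p.Header.Bytes())
}

// Observe returns what a passive sniffer on a compromised switch learns from
// a packet: the header fields and the ciphertext, never the plaintext.
func Observe(p Packet) string {
	return fmt.Sprintf("%v -> %v spi=%#x seq=%d payload=%x",
		p.Header.Src, p.Header.Dst, p.Header.SPI, p.Header.Seq, p.Payload)
}

func main() {
	key := make([]byte, 32) // constructed: a real session negotiates this
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	s, err := NewSession(key)
	if err != nil {
		panic(err)
	}
	h := Header{Src: [4]byte{10, 0, 0, 1}, Dst: [4]byte{10, 0, 0, 2}, SPI: 0x1001, Seq: 1}
	p, err := s.Seal(h, []byte("GET /payroll HTTP/1.1")) // constructed payload
	if err != nil {
		panic(err)
	}
	fmt.Println("on the wire:", Observe(p))
	pt, err := s.Open(p)
	fmt.Printf("receiver: %q err=%v\n", pt, err)
	p.Header.Seq = 99 // a cleartext field rewritten in transit
	_, err = s.Open(p)
	fmt.Println("after header tamper, err =", err)
}
```

The point to take from running it: the addresses, SPI and sequence number are readable on the wire, which is what lets ordinary routers forward the packet, but the application data is opaque, and the authentication tag means a rewritten header or flipped payload byte is rejected outright rather than silently decrypted to junk.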