Layer 3 protection
Protection at the level where it is commonly provided requires system modification. However, the strategic implementation of IPSec at the IP level (layer 3) enables a high level of protection that is transparent to most applications, services, and upper layer protocols. Deploying IPSec requires no changes to existing applications or operating systems, and policies can be either centrally defined in Active Directory or managed locally on a computer.
The implementation of security at layer 3 can provide protection for all IP and upper layer protocols in the TCP/IP protocol suite, such as TCP, UDP, ICMP, and custom protocols that send traffic at the IP layer. The primary benefit of securing information at a lower layer is that all applications and services using IP for transport of data can be protected with IPSec without any modification to those applications or services.
Other security services that operate above layer 3, such as Secure Sockets Layer (SSL), only provide security to applications that can use SSL (for example, Web browsers). To protect communications for all of the applications on your computer with SSL, you must modify each application. Security services that operate below layer 3, such as link layer encryption, protect only the link, and not necessarily all links along the data path. This makes link layer encryption unsuitable for end-to-end data protection on the Internet or in routed intranet scenarios.
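The following PowerShell session is an added example, not part of the original documentation, that shows the layer 3 transparency described above in practice: a single IPSec rule that matches every IP protocol (TCP, UDP, ICMP and anything else carried over IP) between two hosts, with no per-application configuration. It uses the NetSecurity module cmdlets of current Windows versions (New-NetIPsecAuthProposal, New-NetIPsecPhase1AuthSet, New-NetIPsecRule, Get-NetIPsecQuickModeSA), which post-date the policy tools this page was written for; the rule name, the peer address 192.0.2.20 and the domain-joined machine Kerberos authentication are assumptions chosen for illustration.

```powershell
# Added example: one layer 3 IPSec rule covering all IP protocols to a peer.
# Run in an elevated PowerShell on a domain-joined host; 192.0.2.20 is an
# assumed peer address, "Lab peer - require IPsec" an assumed rule name.

$peer = '192.0.2.20'

# Phase 1 (main mode) authentication: machine Kerberos, so the policy can be
# applied centrally to domain members without touching any application.
$kerbProposal = New-NetIPsecAuthProposal -Machine -Kerberos
$phase1Set    = New-NetIPsecPhase1AuthSet -DisplayName 'Lab machine Kerberos' `
                                          -Proposal $kerbProposal

# -Protocol Any is the point of the example: the rule sits at the IP layer,
# so TCP, UDP, ICMP and custom IP protocols to the peer are all protected
# by the same policy. Inbound and outbound traffic must be secured.
New-NetIPsecRule -DisplayName 'Lab peer - require IPsec' `
                 -RemoteAddress $peer `
                 -Protocol Any `
                 -InboundSecurity Require `
                 -OutboundSecurity Require `
                 -Phase1AuthSet $phase1Set.Name

# Generate traffic from two different upper layer protocols without changing
# either application: ICMP (ping) and TCP (an SMB connection attempt).
Test-NetConnection -ComputerName $peer -InformationLevel Quiet | Out-Null
Test-NetConnection -ComputerName $peer -CommonTCPPort SMB `
                   -InformationLevel Quiet | Out-Null

# Check: quick mode security associations exist for the peer. Both the ICMP
# and the TCP traffic were negotiated under the single layer 3 rule; neither
# ping nor the SMB client knows IPsec is in use.
Get-NetIPsecQuickModeSA |
    Where-Object { $_.RemoteEndpoint -like "$peer*" } |
    Format-List

# Cleanup of the lab rule when finished:
# Remove-NetIPsecRule -DisplayName 'Lab peer - require IPsec'
# Remove-NetIPsecPhase1AuthSet -DisplayName 'Lab machine Kerberos'
```

The contrast with the SSL case in the text is that nothing application-specific appears anywhere in the session: the ping utility and the SMB client are unmodified, and a third application (UDP, or a custom IP protocol) would be covered by the same rule. The contrast with link layer encryption is the -RemoteAddress filter: the security association is negotiated with the peer host, so the protection holds across every router on the path rather than on one link.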