Encryption of network communications is the foundation of data security in transit – but not all encryption approaches are equivalent. The choice between network layer (L3) and transport layer (L4) encryption has concrete implications for granularity of protection, performance, key management and resilience to advanced attacks. Particularly in the context of solutions such as Certes Networks, which specializes in Layer 4 group encryption, it is worth understanding these differences before making an architectural decision.
Table of contents
- Fundamentals of the OSI model – what happens at layers 3 and 4?
- Layer 3 encryption – how does it work and what are its limitations?
- Layer 4 encryption – what does Certes Networks’ approach change?
- Practical comparison – granularity, performance, management
- Group encryption – what is it and why does it matter?
- Applications in industrial environments and critical infrastructure
- Key findings
- FAQ
- Summary
Fundamentals of the OSI model – what happens at layers 3 and 4?
The OSI model divides network communications into layers with well-defined functions. Layer 3 (network) deals with IP addressing and routing of packets between networks – this is where IP, ICMP and dynamic routing protocols operate. Layer 4 (transport) manages end-to-end communication between processes, data segmentation and flow control – this is the level of TCP and UDP protocols, with ports identifying services.
L3-level encryption operates on IP packets – it protects data based on source and destination addresses. L4-level encryption operates on sessions and connections – it can take into account ports, transport protocols and session attributes, resulting in much higher policy granularity.
Layer 3 encryption – how does it work and what are its limitations?
The most common example of L3 encryption is IPSec in tunnel mode, commonly used in site-to-site VPNs. IPSec encrypts the entire IP packet (header + data) and encapsulates it into a new packet with a tunnel header. It is a proven and widely used solution – but it has several significant operational limitations.
First, policy granularity is limited to IP addresses – you can’t differentiate protection based on ports or transport protocols. Second, IPSec in tunnel mode increases packet overhead and may require fragmentation at standard MTUs. Third, in large environments, managing a large number of point-to-point tunnels is operationally complex and prone to configuration errors. Fourth, any change in network topology (adding a new location, changing addresses) requires reconfiguration of tunnels.
IPSec works well in classic VPN scenarios, but in complex campus, industrial or multi-site environments its limitations emerge. That’s why it’s worth exploring complementary approaches such as isolated networks and mobile device support alongside the core architecture.
Layer 4 encryption – what does Certes Networks’ approach change?
Certes Networks specializes in Layer 4 group encryption based on IEEE 802.1AE (MACsec) and its own CryptoFlow technology. Certes’ approach works at the transport session level – meaning that cryptographic policies can be defined with granularity down to the port, protocol and traffic direction level.
The key difference is the Group Based Encryption model – instead of managing tunnels between each pair of nodes, Certes uses group keys that define cryptographic policies for an entire segment or class of traffic. One group key can protect communications between hundreds of nodes, and key rotation for the entire group is a central operation – no reconfiguration is required on each device individually.
Practical comparison – granularity, performance, management
Policy granularity is the first key difference. L3 (IPSec) encryption operates on pairs of IP addresses – everything between a pair is protected the same or not protected at all. Certes’ L4 encryption allows for differentiation: SQL traffic on port 1433 encrypted with one key, backup traffic on port 445 with another, management communications with a third – all on the same network.
Performance is the second difference. Modern hardware acceleration for MACsec and L4 encryption supports throughputs of 100 Gbps and higher with no noticeable impact on latency. IPSec in tunnel mode with fragmentation support can be a bottleneck in heavy traffic.
Management is the third, often underestimated difference. Certes’ centralized key management model (via CEP – Certes Enforcement Point Manager) allows you to instantly change cryptographic policies for your entire environment from one place – without “manually” reconfiguring each device.
Group encryption – what is it and why does it matter?
Group Encryption is a model in which cryptographic policies are defined for a group of communication participants, rather than for pairs of connections. Certes implements this model through CryptoFlow – each “cryptographic flow” defines a group of nodes, a group key and a policy (what is encrypted, how keys are rotated, what algorithms are used).
This is particularly important in environments where the topology is flat or meshed – such as campus networks, data centers or OT industrial networks. In such environments, the L3 tunnel model creates a combinatorial problem of scale (n² tunnels for n nodes), while Certes group encryption requires a single CryptoFlow regardless of the number of participants.
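The two points above, policy granularity (L23) and tunnel scale versus a single group (L28), as an added illustrative model; this is not Certes code or its configuration format, and the flows, key names and the "one touch point per tunnel endpoint" rotation cost are constructed assumptions:

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # transport protocol: "tcp" or "udp"
    dport: int   # destination port


# Constructed sample flows: three traffic classes between one address pair,
# plus SQL traffic from a second host.
SAMPLE_FLOWS = [
    Flow("10.1.0.5", "10.2.0.10", "tcp", 1433),  # SQL
    Flow("10.1.0.5", "10.2.0.10", "tcp", 445),   # backup (SMB)
    Flow("10.1.0.5", "10.2.0.10", "tcp", 22),    # management (SSH)
    Flow("10.1.0.7", "10.2.0.10", "tcp", 1433),  # SQL from another host
]

# Hypothetical L4 group policy modelled on the article's example:
# a (protocol, port) traffic class maps to one group key shared by all nodes.
L4_POLICY = {("tcp", 1433): "key-sql", ("tcp", 445): "key-backup", ("tcp", 22): "key-mgmt"}


def l3_policy(nodes):
    """L3 (IPsec tunnel) model: one tunnel, hence one key, per address pair."""
    pairs = combinations(sorted(nodes), 2)
    return {frozenset(p): f"tunnel-{i}" for i, p in enumerate(pairs)}


def l3_key_for(flow, tunnels):
    """Key chosen by (src, dst) only; port and protocol cannot influence it."""
    return tunnels.get(frozenset((flow.src, flow.dst)))


def l4_key_for(flow, policy, default="key-clear"):
    """Key chosen by traffic class; one address pair may use several keys."""
    return policy.get((flow.proto, flow.dport), default)


def keys_used(flows, selector):
    """Distinct keys a set of flows ends up under, for either selector."""
    return sorted({selector(f) for f in flows})


def rotation_operations(nodes, model):
    """Assumed touch points for a full key rotation: every tunnel endpoint
    under the pairwise model, a single central update under the group model."""
    if model == "l3":
        return len(l3_policy(nodes)) * 2
    return 1


if __name__ == "__main__":
    tunnels = l3_policy({"10.1.0.5", "10.1.0.7", "10.2.0.10"})
    print("L3:", keys_used(SAMPLE_FLOWS, lambda f: l3_key_for(f, tunnels)))
    print("L4:", keys_used(SAMPLE_FLOWS, lambda f: l4_key_for(f, L4_POLICY)))
```

Under the L3 selector the SQL, backup and management flows between the same pair all land on one key, while the L4 selector separates them; the rotation count shows why the pairwise model grows quadratically with the node count.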
Applications in industrial environments and critical infrastructure
Industrial (OT/ICS) environments have specific requirements that make L4 encryption particularly attractive. SCADA and PLC systems often do not support standard security agents – encryption must be transparent and invisible to the end device. Certes accomplishes this through “bump-in-the-wire” enforcement points that encrypt traffic flowing through them without any modification to the OT devices.
Critical infrastructure (power, water, transportation) is subject to regulations requiring cryptographic protection of communications between network segments. Certes meets the requirements of NERC CIP, IEC 62443 and other industry standards. Combined with next-generation VPN solutions, it creates a complete architecture for protecting communications in OT environments.
Key findings
- L3 (IPSec) encryption operates on IP address pairs and is appropriate for classic site-to-site VPNs.
- L4 encryption (Certes) offers granularity down to the port and protocol level, with central management of group keys.
- Certes’ group model eliminates the problem of point-to-point tunnel scale in large environments.
- OT industrial environments especially benefit from transparent L4 encryption – with no modifications to end devices.
- CEP Manager’s central key management reduces operational complexity and the risk of configuration errors.
FAQ
Does Certes encryption require replacement of existing network infrastructure? No – Certes acts as a “bump-in-the-wire” layer that does not depend on specific network devices. Enforcement points integrate with existing infrastructure.
How does Certes handle cryptographic key rotation? Key rotation is central and automatic – CEP Manager distributes new keys to all nodes in the group simultaneously, with no interruption in communication (in-service key rotation).
What cryptographic algorithms does Certes support? Certes supports NIST’s AES-256-GCM, SHA-384 and other standards in compliance with Suite B requirements and government and industry regulations.
Can Certes encrypt traffic between different environments (cloud and on-prem)? Yes – Certes supports hybrid environments, including connections between on-premises and public cloud locations.
Summary
Choosing between Layer 3 and Layer 4 encryption is an architectural decision with far-reaching implications for the granularity, scalability and manageability of communications security. In complex environments – multi-segmented enterprise networks, OT environments, critical infrastructure – L4 encryption in Certes Networks’ group model offers significant advantages over classic IPSec. Contact Ramsdata to discuss how Certes Networks can fit into your network’s security architecture.