Encapsulated or tunneled network traffic could allow users to remotely connect to resources that are hosted in restrictive environments. In many environments, this type of network traffic is the result of normal activities.
Attackers are known to use encapsulated or tunneled network traffic to circumvent firewall rules or hide malicious activities. A common tunnel that may be observed in normal traffic is IPv6 traffic encapsulated in IPv4 packets. Even this may be a danger signal, though, if the local site has a policy of not using IPv6 internally.
Administrators are advised to investigate the cause of unexpected instances of encapsulated or tunneled network traffic. These unexpected instances could indicate an attempt by a user to violate security policy or an attack against restricted resources.