Security
CENTERFOLD
Bell Canada Secures the Last Frontier

  July 9, 2001
  By Kelly Jackson Higgins


It's a hot spot for malicious code and viruses -- the oft-neglected, wide-open space where remote users travel on the Internet before they hit the secure corporate VPN (virtual private network). This is the initial ISP connection from home or on the road that carries remote users to the VPN, and where those users surf the Web for personal use.



Bell Canada is filling this security gap with personal firewalls, initially for 6,000 of its 22,000 remote workstations and eventually for all of them. "If you don't have protection on a machine before the VPN portal, you're exposed there," says Bill O'Brien, Bell Canada's senior advisor for corporate security.

If a telecommuter's laptop picks up a virus before hitting the secure VPN connection, for instance, it can unwittingly carry that virus to the VPN, O'Brien says. "In VPN mode, that virus propagates," he adds. "When the user plugs in behind the VPN firewall, he transports to the office all that has talked to his machine," including the tainted code.

Bell Canada runs InfoExpress' CyberArmor personal firewall software on the company-owned PCs and laptops it issues to its remote users. The application filters the traffic going in and out of the NIC and reports events to Bell Canada's CyberServer, which logs the events and threats, such as break-in attempts, into its database.

Things are airtight outside the VPN -- no FTP or file-sharing in open Internet mode. The personal firewalls allow only e-mail and VPN access, but there are exceptions for IT workers and other power users. "We close all but the required basic ports, but we evaluate any exceptions," O'Brien says. There is more freedom once you hit the VPN, he adds, but access privileges are based on policy.

The catch is determining just how much custom policy to invoke with the personal firewalls, especially for IT users who need access to more than e-mail and the VPN. "You have to decide how far to take it flexibilitywise -- you can be so flexible that you might as well throw the firewall out the window," O'Brien says.

Bell Canada needs to configure policy for different sets of users, including service providers, contractors and its own corporate users. Using the CyberArmor software, Bell Canada can give a service provider that maintains one of its servers access to that server over the VPN, for instance. The personal firewall recognizes that the VPN has been activated and loads the user-specific access permissions, O'Brien says. And the Nortel Contivity VPN switch controls where users go based on their group profiles, he adds.

The VPN firewall recognizes each user by his or her e-mail address when he or she hits the corporate edge. "Then we can determine what group the person is in and download the firewall profile," O'Brien says.

One catch with the CyberArmor personal firewall is that it is visible to the user. When it detects a problem, for instance, the firewall displays a pop-up window warning the user and asking whether to continue. "It's up to the user to say 'yes' or 'no' here," O'Brien says. To prevent users from disabling the personal firewalls, Bell Canada is moving its remote machines from Microsoft Windows 95 and 98 (which let users disable the firewall function) to Windows 2000, which doesn't.

Next for Bell Canada is a PKI (public key infrastructure) that will complement the personal firewall system and the VPN infrastructure. Bell Canada is installing Entrust PKI software, using digital certificates for authenticating each machine and, eventually, for authenticating the users themselves. The digital IDs will help define the users' privileges.

For now, however, Bell Canada is still focusing on beefing up its remote-access security. "The personal firewall has allowed us to regain control of what employees are doing on the Internet," O'Brien says. "But we're still playing catch-up."






