Routing

  • 1.  segregating browsing internet and public services internet

    Posted 09-08-2015 23:38

    Hello Experts

     

    Is there any best practice for segregating internet browsing (outgoing traffic) and public services (incoming traffic) over two different internet lines? Public services (incoming and outgoing traffic) hosted in the DMZ, like email gateway service, sslvpn service, ftp service etc., should use the dedicated leased line with public IP. Internet browsing through the proxy should use a different internet line, like ADSL, that is cheap as well. The benefits I can think of are:


    1- If a user is unknowingly spreading a virus on the internet while browsing, then our public service IP range could get blacklisted and affected
    2- ADSL line is cheap compared to leased line for browsing
    3- ADSL line comes with a transparent proxy from the service provider that can ensure, if our proxy missed the malicious site, then the SP proxy could catch it

     

    Please give your inputs



  • 2.  RE: segregating browsing internet and public services internet
    Best Answer

     
    Posted 09-08-2015 23:46

    Hi aeroplane,

     

    Yes, it would be good to segregate the two types of traffic.

    You can achieve it by setting up routing instances and pushing the traffic according to the applications.

    You can refer to the below KB to achieve this:

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB15545

     

    Let us know if you face any issues with the same.
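
The routing-instance approach suggested in this answer, sketched as an added example that is not part of the original thread or the linked KB: filter-based forwarding sends traffic sourced from the browsing proxy out the ADSL line, while DMZ services keep following the default route over the leased line. All interface names, instance and filter names, and addresses are assumptions (documentation ranges), and security zones, policies and source NAT for the ADSL interface are assumed to be configured separately.

```junos
# Assumed layout (constructed for illustration):
#   ge-0/0/0  leased line, gateway 198.51.100.1 (public services)
#   ge-0/0/1  ADSL line,   gateway 203.0.113.1  (browsing)
#   ge-0/0/2  inside interface facing the proxy, proxy host 10.0.10.5

# Default route in inet.0: DMZ/public-service traffic uses the leased line
set routing-options static route 0.0.0.0/0 next-hop 198.51.100.1

# Forwarding instance whose only default route points at the ADSL gateway
set routing-instances BROWSING instance-type forwarding
set routing-instances BROWSING routing-options static route 0.0.0.0/0 next-hop 203.0.113.1

# Copy directly connected routes into the instance so the ADSL next hop
# resolves and internal connected subnets stay reachable from it
set routing-options rib-groups FBF-RIBS import-rib inet.0
set routing-options rib-groups FBF-RIBS import-rib BROWSING.inet.0
set routing-options interface-routes rib-group inet FBF-RIBS

# Match only traffic sourced from the proxy and hand it to the instance;
# everything else is accepted and routed by inet.0
set firewall family inet filter SPLIT-EGRESS term proxy-browsing from source-address 10.0.10.5/32
set firewall family inet filter SPLIT-EGRESS term proxy-browsing then routing-instance BROWSING
set firewall family inet filter SPLIT-EGRESS term everything-else then accept

# Apply the filter inbound on the interface where proxy traffic arrives
set interfaces ge-0/0/2 unit 0 family inet filter input SPLIT-EGRESS
```

Matching on the proxy's source address alone keeps user browsing off the public-service IP range, which is the blacklisting concern raised in the question; `show route table BROWSING.inet.0` confirms the instance holds the ADSL default route and the imported connected routes.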



  • 3.  RE: segregating browsing internet and public services internet

    Posted 09-08-2015 23:50

    Thank you. Can you refer me to some document or article from Juniper or others about this subject?



  • 4.  RE: segregating browsing internet and public services internet

     
    Posted 09-09-2015 02:19

    Sure.

    You can refer to some of the below links for your reference:

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB17223&smlogin=true

     

    The below KB is for monitoring whether the dual ISPs are up or not:

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB22052&smlogin=true

     

    The below two are non-Juniper links which talk about load balancing between the ISPs and also again about RPM monitoring:

    http://www.mustbegeek.com/load-balance-dual-isp-internet-in-juniper-srx/

    http://rtoodtoo.net/dual-isp-failover-with-rpm-ip-monitoring/