In a DMZ, public-facing systems are typically placed?

A DMZ is a buffer zone between the Internet and the internal network, designed to host services that must be publicly accessible while keeping the internal network protected. Public-facing services need to be reachable from outside the organization, but placing them in the DMZ limits exposure to the rest of the internal network. If one of these Internet-facing systems is compromised, the attacker’s access is confined to the DMZ rather than directly granting access to sensitive internal resources. That’s why public-facing services such as web and mail servers belong in the DMZ. Internal databases, employee workstations, and backup storage are typically kept on the protected internal network because they hold sensitive data or aren’t intended to be reachable directly from the Internet.