What is the primary function of a DMZ?

A DMZ is a buffer zone between the untrusted internet and an internal network, designed to host services that must be reachable from the outside while protecting the internal systems. By placing internet-facing servers (like a web or mail server) in the DMZ and enforcing strict firewall rules at the boundary, you create an additional layer of defense. If a public-facing server is compromised, the attacker lands in the DMZ rather than directly in the internal network, making it harder to reach sensitive resources and providing a controlled path with further protections to access internal systems. This is why the primary function is to provide an extra security layer for servers that need internet access. The other options don’t describe the DMZ’s role: encryption of internal database traffic, monitoring user logins on workstations, or blocking all outbound traffic are not the DMZ’s purpose.