Which description best characterizes a DMZ in a network?

Study for the EC-Council Certified Ethical Hacker (CEH) v13 Exam. Utilize flashcards and multiple-choice questions with helpful hints and detailed explanations. Excel in your exam preparation!

Multiple Choice

Which description best characterizes a DMZ in a network?

Explanation:
A DMZ is a buffer zone in a network architecture that sits between an untrusted network (like the Internet) and the trusted internal network, and it hosts services that must be accessible from outside the organization. The idea is to expose only the minimal set of public services to the world while keeping the rest of the internal network secure behind another firewall layer. In practice, public-facing servers such as a web server, mail server, or DNS server reside in the DMZ, with strict access controls so that if one of these servers is compromised, the attacker gains limited access and not direct entry into the internal network. Traffic typically flows from the Internet to the DMZ, where it reaches the internet-facing service, and then from the DMZ to the internal network only through tightly controlled firewall rules.

This is why the correct description is that the DMZ sits between the untrusted network and the trusted internal network to host internet-facing services. It’s not intended for monitoring employee productivity, it doesn’t block all inbound traffic (it’s designed to allow controlled inbound access to specific hosts), and it isn’t used for backing up databases.

