Which description best characterizes a demilitarized zone (DMZ) in a network?

A DMZ acts as a buffer zone at the network edge that hosts services meant to be accessed from outside the organization, while keeping the internal network isolated and protected. The idea is to place publicly reachable servers—like web, mail, or DNS servers—in a separate segment so that even if those services are compromised, attackers still face an additional barrier before reaching sensitive internal resources. Practically, the DMZ sits between the external network and the internal network, typically with one or more firewalls enforcing strict traffic rules to and from the DMZ and the internal network. This separation is precisely what allows public services to be accessible without exposing the internal LAN. A secure VPN tunnel for remote access is about connecting users securely to the network, not about hosting public services in a separate zone. A private subnet for executive management describes an internal, restricted segment, not specifically a DMZ. A failover cluster relates to high availability within the internal network, not to exposing services in a public, isolated zone.