While the purpose of systems in the DMZ is to allow public access to certain internal network resources (EMAIL, DNS, Web), it is a good practice to restrict that access to the minimum necessary to provide those services through use of a firewall.
In computer security, a DMZ or Demilitarized Zone (sometimes referred to as a perimeter network) is a physical or logical subnetwork that contains and exposes an organization’s external-facing services to a larger and untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization’s local area network (LAN); an external attacker only has direct access to equipment in the DMZ, rather than any other part of the network. The name is derived from the term “demilitarized zone”, an area between nation states in which military operation is not permitted.
The following are incorrect answers:
“Right in front of your first Internet facing firewall” While the purpose of systems in the DMZ is to allow public access to certain internal network resources (EMAIL, DNS, Web), it is a good practice to restrict that access to the minimum necessary to provide those services through use of a firewall.
“Right behind your first network active firewall” This is an almost-right-sounding answer meant to distract the unwary.
“Right behind your first network passive Internet http firewall” This is an almost-right-sounding answer meant to distract the unwary.
References: CBK, p. 434 and AIO3, p. 483 and http://en.wikipedia.org/wiki/DMZ_%28computing%29