the firewall setup
Firewall ensures that the internal network and the Internet can both talk to the DMZ, but usually not to each other
The DMZ relays services at the application level, e.g. mail forwarding, web proxying
The DMZ machines and firewall are centrally administered by people focused on security full-time (installing patches, etc.); it’s easier to secure 20 machines than 20,000
Now the internal network is “safe” (but not from internal attacks, modems, etc.)