Final answer:
A sandwich DMZ is created using two firewalls to establish a security buffer zone for public-facing services, with one firewall separating the DMZ from the internet and another separating it from the internal network.
Step-by-step explanation:
To create a sandwich DMZ (Demilitarized Zone), you would typically use two firewalls. A DMZ is a small network that sits between the outermost firewall and an additional inner firewall, typically hosting the public services that you want to expose to the internet, such as web servers, mail servers, and so on. The first firewall, which is exposed to the internet, will have one interface connected to the internet and another connected to the DMZ. The second firewall will have one interface connected to the DMZ and another connected to the internal network. This creates a buffer zone where you can place public-facing services while protecting your internal network from direct exposure to the internet. If that DMZ is compromised, the attacker still has to breach the second firewall to get into the internal network, providing an additional layer of security.