Here's a good article on what a DMZ is in the context of internet services: basically running them behind a firewall with whitelist-only rules for those services such that the internet can reach them.
But since your "cold" storage isn't an internet facing service in and of itself, you wouldn't put it in the DMZ...
You'd put it in a 3rd zone, a private network where the DMZ sits between it and the internet... in the DMZ you might have another Bitcoin node whose only job is to do p2p traffic with the rest of the network. Your militarized zone is firewalled off from your DMZ and your cold storage node can only communicate with that intermediate node to broadcast your transactions and get blocks.
TL;DR: double-firewall.
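
The three-zone layout described in the comment above, as an added example that is not part of the original post: a small default-deny model of the two firewalls that checks which new connections can cross them. The addresses, the `RELAY`/`COLD` names and the rule lists are constructed assumptions; port 8333 is Bitcoin's default mainnet p2p port.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing plan (assumption, not taken from the post).
ZONES = {
    "dmz": ip_network("10.0.1.0/24"),      # relay Bitcoin node lives here
    "private": ip_network("10.0.2.0/24"),  # cold storage node lives here
}
RELAY = "10.0.1.10"   # hypothetical DMZ node that talks p2p to the internet
COLD = "10.0.2.10"    # hypothetical cold storage node
P2P = 8333            # Bitcoin mainnet default p2p port

# Each firewall is an allow-list of (src, dst, dport) for NEW connections.
# "any" is a wildcard; anything not listed is dropped (default deny).
OUTER = [                  # firewall between internet and DMZ
    ("any", RELAY, P2P),   # peers may dial the relay node
    (RELAY, "any", P2P),   # relay node may dial peers
]
INNER = [                  # firewall between DMZ and private network
    (COLD, RELAY, P2P),    # cold node may dial the relay node, nothing else
]


def zone_of(addr):
    """Map an address to its zone; anything outside the plan is 'internet'."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


def _match(rules, src, dst, port):
    return any(s in ("any", src) and d in ("any", dst) and p == port
               for s, d, p in rules)


def allowed(src, dst, port):
    """True if a new connection src -> dst:port passes every firewall on its path."""
    zones = {zone_of(src), zone_of(dst)}
    if len(zones) == 1:
        return True                      # same zone: no firewall is crossed
    crossed = []
    if "internet" in zones:
        crossed.append(OUTER)            # any internet flow crosses the outer firewall
    if "private" in zones:
        crossed.append(INNER)            # any private flow crosses the inner firewall
    return all(_match(rules, src, dst, port) for rules in crossed)
```

The model covers connection initiation only; reply traffic for an allowed connection is assumed to be handled by stateful tracking on each firewall.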