We currently use a Cisco PIX firewall device for our firewall and NAT router, although pretty much any firewall device will suffice including another server acting as a firewall. We then block all ports by default and then "punch holes" through for services like ftp, web, email, with NAT redirects to the correct internal IP of the corresponding server.
I think this would be considered a safer setup than putting the servers in a DMZ zone as the entire range of ports on the server are open to potential attacks.
((Internet)) --> [Firewall/Router] <-- Port 21/ftp ---> [FTP Server]
^---- Port 80/http --> [Web Server]