Linux out of the box should be secure enough, just intall shorewall and configure it with webmin and you should be good.

Server hardware tends to be filled with lots of cool hardware watchdog and BIOS management stuff that you can't get with a consumer machine. An Intel rack server I recently bought on eBay will call your pager if the system crashes. How cool is that? :)

You're pretty brave if you're exposing a W2k box to the internet!

You're on the right track here. Microsoft network licensing is outrageously expensive and delivers nothing that Linux can't do today. Microsoft security is bad too, but Linux must also be managed if it is to be secure.

There are several excellent (and weighty) books available on the subject. Generally, a dedicated hardware firewall is a good idea whether your servers are Windows or Linux or a mix. I know nothing about Ubuntu, being a Slackware user myself. But I can tell you that the "currently popular" flavors of Linux are always the ones most heavily attacked by the script kiddies. At a guess, that would be Debian, Fedora/Redhat, and Ubuntu at the moment.

The most important key to Linux or UNIX security on the internet is "Thou shalt not run any port services that are not essential." So don't have named unless the box really is your public nameserver. Don't have a mail daemon unless it really is a maildrop. Don't have Samba or NFS available at all from the public internet. Get rid of inetd entirely if you can. And portmapper or rpc type daemons. If you need a telnet type login from outside for management purposes, use sshd. Do not allow telnet or rsh or ftp.

Any of these services are OK on the private network, but they will invariably lead to breakins on the public connection.