> In our case, we need NTP running on the net because we need to
> syncronize our router and the authentication server, and in one case
> they are 1500 miles apart and the only way to keep them in sync is
This is the strongest reason to not run ntp on your firewall router.
Why do you consider the incoming ntp stream trustworthy? (Not to cast
doubt upon the NTP project, but there are *lots* of interesting attacks
on authentication systems which depend on perverting their clock). I would
strongly recommend that if you are planning on using clock-based authentication
schemes (eg, kerberos), you make sure that the clock is fundamentally internal.
An atomic or radio clock on your premises is fairly unlikely to be compromised;
an external ntp clock is not so blessed.