SharePoint operates with Negotiate, which means that if Kerberos fails, NTLM is the fallback. NTLM is always required for Internet-based scenarios where the client cannot contact the KDC, hence using Negotiate in IIS rather than just Kerberos.
As long as you configure the Web App to use Kerberos, you're all set. And of course you should avoid NTLM wherever possible.
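Because Negotiate falls back silently, it helps to confirm which mechanism clients actually offer. The following is an added example, not part of the original text: it classifies the token in an `Authorization: Negotiate` header value as Kerberos or NTLM by reading the SPNEGO mechanism OIDs. The function names and the sample tokens are constructed for illustration, and it assumes you have header values captured from your own server's request traces.

```python
import base64

# DER-encoded OID values (standard, well-known mechanism identifiers).
OIDS = {
    bytes.fromhex("2b0601050502"): "spnego",            # 1.3.6.1.5.5.2
    bytes.fromhex("2a864886f712010202"): "kerberos",    # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "kerberos",    # 1.2.840.48018.1.2.2 (MS legacy)
    bytes.fromhex("2b06010401823702020a"): "ntlm",      # 1.3.6.1.4.1.311.2.2.10
}

def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def classify_negotiate(header_value):
    """Name the mechanism a client offered first in an Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        tok = base64.b64decode(b64.strip(), validate=True)
        if tok.startswith(b"NTLMSSP\x00"):   # raw NTLM message, no SPNEGO wrapper
            return "ntlm"
        tag, pos, _ = read_tlv(tok, 0)       # GSS-API initial context token
        if tag != 0x60:
            return "unknown"
        tag, pos, end = read_tlv(tok, pos)   # mechanism OID
        mech = OIDS.get(tok[pos:end], "unknown") if tag == 0x06 else "unknown"
        if mech != "spnego":
            return mech                      # e.g. a bare Kerberos token
        # NegTokenInit -> SEQUENCE -> mechTypes -> SEQUENCE OF -> first OID
        pos = end
        for expected in (0xA0, 0x30, 0xA0, 0x30, 0x06):
            tag, pos, end = read_tlv(tok, pos)
            if tag != expected:
                return "unknown"
        return OIDS.get(tok[pos:end], "unknown")
    except (ValueError, IndexError):
        return "malformed"

def _hdr(hex_token):  # build a constructed sample header from token bytes
    return "Negotiate " + base64.b64encode(bytes.fromhex(hex_token)).decode()

# Constructed samples: mechTypes only, no real tickets or hashes.
SAMPLES = {
    "kerberos": _hdr("601b06062b0601050502a011300fa00d300b06092a864886f712010202"),
    "ntlm_spnego": _hdr("601c06062b0601050502a0123010a00e300c060a2b06010401823702020a"),
    "ntlm_raw": _hdr(b"NTLMSSP\x00\x01\x00\x00\x00".hex()),
}
```

A result of `ntlm` for a client that should be able to reach the KDC points at a Kerberos failure (for example a missing or duplicate SPN) hidden by the fallback.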