not possible directly within ntop afaik, but you could probably wrap it with mod_proxy in apache, so that if they go to
http://server.example.com/ntop rather than
http://server.example.com:3000 apache uses the proxypass directives to connect internally to that other port. there's a reference to this here...
http://www.ntopsupport.com/faq.html once that's done you then of course have whatever access methods apache does, htaccess, ldap etc... last bit is to prevent direct external access to the real service, either by just firewalling that port, or may be an option on ntop itself to only listen on 127.0.0.1.