The Internet's multicast backbone (MBone) holds great potential for many organizations because it supports low-cost audio and video conferencing and carries live broadcasts of an increasing number of public interest events. MBone conferences are transmitted via unauthenticated multicast datagrams, which unfortunately convey significant security vulnerabilities to any system that receives them. For this reason, most application gateway firewalls block MBone datagrams sent from the Internet and prevent them from reaching hosts on internal networks.This paper describes the design and rationale for a new set of facilities for the TIS Internet Firewall Toolkit (FWTK). These facilities, which are fully implemented, significantly reduce the security risks of observing or participating in MBone conferences. They impose no functional constraints on MBone applications and are transparent to users. Configuration options that support tradeoffs among security, performance, and ease of use are discussed.