Here will be an overview article on how to set up Checkmk so that you have optimal network security for your monitoring server, as well as for the monitored systems.
First the good news: through its own agents, Checkmk has an architecture that was designed from the beginning for maximum security. This manifests itself, for example, in that the agents basically do not read data directly from the network. It is therefore impossible for an attacker to inject code. That said, the agents do not even trust the monitoring server itself.
At various points in Checkmk HTTP protocols are used - whether for internal communication or for the connection of other systems. Use HTTPS wherever possible. In other places there are optional encryption techniques. You can also find instructions in this manual: