What you're describing (the port-listening part) *is* a firewall, just locally installed and managed. The traditional idea of "a firewall" is exactly that, but in a centrally managed package that makes changes somewhat easier to manage and MUCH easier to scale. No difference functionally, really, except for the "listening for specific secured encrypted messages" part, which is an application-level thing anyway. Furthermore, if planned carefully, the "secured encrypted messages" part can be offloaded to a layer 6/7 switch as well, so even that's not always a restriction.
So really you just want application hardening (a good idea in most cases) and a firewall to filter the port, but you want to do that N number of times for however many hosts you have doing the same job (speaking about more complexity!) instead of centralizing it once or twice to redundant switches, etc.
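For concreteness, here is what the "locally installed and managed" firewall from the reply above looks like as a host-based ruleset. This is an added example, not something posted in the thread: an nftables ruleset that exposes only the application's port to the peer network and drops everything else. The port (8443), the peer network (10.0.1.0/24) and the management network (10.0.0.0/24) are assumed placeholders; substitute your own.

```nftables
#!/usr/sbin/nft -f
# Added example: host-based port filter (not from the original thread).
# Assumed values: app port 8443, peer net 10.0.1.0/24, admin net 10.0.0.0/24.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # loopback and already-established flows
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # keep path MTU discovery and neighbour discovery working
        meta l4proto { icmp, ipv6-icmp } accept

        # the one application port, and only from the peer network
        tcp dport 8443 ip saddr 10.0.1.0/24 ct state new accept

        # management access from the admin network only
        tcp dport 22 ip saddr 10.0.0.0/24 ct state new accept

        # everything else: count it, then drop it (policy drop above)
        counter drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list ruleset`. The point the reply makes is visible here: this file does exactly what a central firewall rule for "8443 from 10.0.1.0/24" does, but it has to be installed, kept consistent and audited on every host that runs the service, whereas the centralized version is written once on the redundant switch or firewall pair.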