Firewalling is great... but it lacks some of the flexibility that port knocking easily brings you.
It's not THE ultimate security solution. It's just another layer preventing DIRECT access to the specified port(s). After knocking, you still might want to use good security practices to enable access to your services (i.e. disable root login w/ SSH, force certificate usage as much as possible, VPN your connections, etc.).