Look at the documentation. Basically it boils down to define a section, assign this to your subtree, specify the roles for this subtree/section and assign the roles to users/groups. Then provide a login link somewhere in your pagelayout ans specify the loginpage=embedded in your override for site.ini.
You don't actually have to create a login page - the link that Paul refers to is just /mysite/user/login. The page is already built in to eZ, you just have to link to it.
There are some settings which determine where users will be redirected once they log in as well. You can change this to the top node in your subtree if that is the only place where they need to log in.
Once you have restricted the content/read permissions, any one who tries to access this page will get the access denied screen unless they have logged in and they are part of a role which has permission to view it.