Abstract:
Network operators rely on security services to protect their IT infrastructures. Different kinds of network security policies are defined globally and distributed among multiple security middleboxes deployed in networks. However, due to the complexity of security policy, it is inefficient to directly employ existing path-wise enforcement approaches. This paper models the enforcement of network security policy as the set-covering problem, and designs a computational-geometry-based policy space analysis (PSA) tool for set operations of security policy. Leveraging the PSA, this paper first investigates the topological characteristics of different types of policies. This heuristic information reveals intrinsic complexities of security policy and guides the design of our enforcement approach. Then the paper proposes a scope-wise policy enforcement algorithm that selects a modest number of enforcement network nodes to deploy multiple policy subsets in a greedy manner. This approach can be employed on network topologies of both datacenter and service provider. The efficiencies of the PSA tool and the enforcement algorithm are also evaluated. Compared with the header space analysis, the PSA achieves much better memory and time efficiencies on set operations of security policy. Additionally, the proposed enforcement algorithm is able to guarantee network security within a reasonable number of enforcement network nodes, without introducing many extra rules.
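The abstract frames policy enforcement as a set-covering problem solved greedily over candidate enforcement nodes. The following is an added illustration, not the paper's PSA tool or its enforcement algorithm: it takes a constructed set of flow paths, a constructed set of switches that can host a policy, and constructed policies (each a set of flows the policy must be applied to), builds the (policy, flow) requirements, and uses the standard greedy set-cover heuristic to pick nodes and the policy subset each one enforces. Every node, flow and policy name below is a made-up sample value.

```python
"""Greedy scope-wise placement of policy subsets on enforcement nodes.

Added illustration (not the paper's PSA tool or algorithm): it models the
placement question as a set-cover instance over (policy, flow) requirements
and solves it with the classic greedy heuristic. All topology, flow and
policy data below are constructed sample values.
"""
from typing import Dict, List, Set, Tuple

Requirement = Tuple[str, str]  # (policy name, flow id)

# Constructed sample: the node sequence each flow traverses (hosts at both ends).
PATHS: Dict[str, List[str]] = {
    "f1": ["h1", "e1", "c1", "e3", "h3"],
    "f2": ["h2", "e2", "c1", "e3", "h3"],
    "f3": ["h1", "e1", "c2", "e4", "h4"],
    "f4": ["h2", "e2", "c2", "e4", "h4"],
    "f5": ["h1", "e1", "c1", "e2", "h2"],
}

# Constructed sample: only switches (never hosts) can host a policy/middlebox.
ENFORCEMENT_NODES: Set[str] = {"e1", "e2", "e3", "e4", "c1", "c2"}

# Constructed sample: each policy must be applied to every flow in its scope.
POLICIES: Dict[str, Set[str]] = {
    "acl-web": {"f1", "f2"},
    "ids-h4": {"f3", "f4"},
    "ratelimit-h1": {"f1", "f3", "f5"},
}


def requirements(policies: Dict[str, Set[str]]) -> Set[Requirement]:
    """The universe to cover: one (policy, flow) pair per flow in each scope."""
    return {(p, f) for p, flows in policies.items() for f in flows}


def coverage_by_node(paths, policies, enforcement_nodes) -> Dict[str, Set[Requirement]]:
    """Map each candidate node to the requirements it could satisfy:
    a node can enforce (policy, flow) iff the flow's path passes through it."""
    cover: Dict[str, Set[Requirement]] = {n: set() for n in enforcement_nodes}
    for policy, flows in policies.items():
        for flow in flows:
            for node in paths[flow]:
                if node in enforcement_nodes:
                    cover[node].add((policy, flow))
    return cover


def greedy_placement(paths, policies, enforcement_nodes) -> Dict[str, Set[Requirement]]:
    """Greedy set cover: repeatedly pick the node that satisfies the most
    still-uncovered requirements and assign exactly those to it.
    Returns {node: requirements enforced at that node}."""
    uncovered = requirements(policies)
    cover = coverage_by_node(paths, policies, enforcement_nodes)
    plan: Dict[str, Set[Requirement]] = {}
    while uncovered:
        # Iterate in sorted order so ties break by node name (reproducible output).
        best = max(sorted(enforcement_nodes), key=lambda n: len(cover[n] & uncovered))
        gained = cover[best] & uncovered
        if not gained:
            # Some flow never crosses an enforcement node: no placement can cover it.
            raise ValueError(f"unenforceable requirements: {sorted(uncovered)}")
        plan[best] = gained
        uncovered -= gained
    return plan


def is_complete(plan, policies) -> bool:
    """True iff every requirement is assigned to exactly one node."""
    assigned = [r for reqs in plan.values() for r in reqs]
    return len(assigned) == len(set(assigned)) and set(assigned) == requirements(policies)


def rule_count(plan) -> int:
    """One installed rule per (policy, flow) pair; a proxy for the 'extra rules' cost."""
    return sum(len(reqs) for reqs in plan.values())


if __name__ == "__main__":
    plan = greedy_placement(PATHS, POLICIES, ENFORCEMENT_NODES)
    for node in sorted(plan):
        print(node, sorted(plan[node]))
    print("nodes used:", len(plan), "rules installed:", rule_count(plan))
```

With the sample data the greedy pass picks the ingress switch e1 first (it sits on three flows and satisfies five of the seven requirements), then e2 for the remaining two, so all three policies are enforced at two nodes with no rule duplicated. The `ValueError` branch is the check a practitioner wants: a flow whose path touches no candidate node is unenforceable, and the failure should be reported rather than silently dropped.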
Published in: IEEE/ACM Transactions on Networking (Volume 24, Issue 5, October 2016)